CN113709084A - Data transmission method, data transmission equipment and readable storage medium - Google Patents
Data transmission method, data transmission equipment and readable storage medium Download PDFInfo
- Publication number
- CN113709084A CN113709084A CN202010435052.7A CN202010435052A CN113709084A CN 113709084 A CN113709084 A CN 113709084A CN 202010435052 A CN202010435052 A CN 202010435052A CN 113709084 A CN113709084 A CN 113709084A
- Authority
- CN
- China
- Prior art keywords
- encrypted
- segment
- encrypted segment
- data unit
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
Abstract
A first device generates a data stream and transmits the data stream. Wherein the data stream includes N encrypted segments, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit. The N encrypted segments include at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, and the data stream carries an identifier of a first key used for encrypting the first encrypted segment and does not carry an identifier of a second key used for encrypting the second encrypted segment. The N encrypted segments include at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, and the data stream carries an identifier of a third initial vector used for encrypting the third encrypted segment and does not carry an identifier of a fourth initial vector used for encrypting the fourth encrypted segment. In this way, the number of encryption parameters that need to be synchronized can be reduced, and thus bandwidth expansion can be reduced.
Description
Technical Field
The present application relates to the field of communications, and in particular, to a data transmission method, device and readable storage medium.
Background
Special line businesses such as government, enterprise, finance and the like need to be safely carried. Security is a crucial consideration for customer selection of private services. Encryption is an important means for ensuring data security, and can effectively prevent private information from being stolen by an attacker. Encryption can be classified into two-layer encryption MACsec, three-layer encryption IPsec, and the like, according to different levels of the Open System Interconnection Reference Model (OSI) for encryption. The Encryption algorithm generally uses the Standard Advanced Encryption Standard-call/Counter Mode (AES-GCM) algorithm.
The basic principle of encryption is described below by taking a two-layer encryption as an example, fig. 1 exemplarily shows a data structure diagram of a two-layer encryption, and as shown in fig. 1, an encryption side encrypts each data frame separately by using a Key (Key) and an initial Vector (Initialization Vector, IV). The encryption side can encrypt Plain Data (Plain Data) of one Data frame in the graph using a local preconfigured Key (Key), an initial vector. After encryption, the Plain Data (Plain Data) will become Encrypted Data (Encrypted Data). To prevent data from being tampered with by an attacker during transmission, the encryption side usually generates a Check Value, such as an Integrity Check Value (ICV). The encryption side carries the identifier of the key used for encryption, the identifier of the IV and the check value in the data frame, and sends the data frame to the decryption side, as shown in fig. 1, the key identifier and the initial vector identifier may be carried between the source MAC of one data frame and the encrypted data, and the check value may be carried after the encrypted data.
And after receiving the data frame, the decryption side decrypts the data frame according to the key corresponding to the identifier of the key and the IV corresponding to the identifier of the IV. The Encrypted Data (Encrypted Data) will become Plain Data (Plain Data) after decryption. To determine whether the data was tampered with during transmission, the decryption side calculates an ICV. This decryption can be considered valid only if the ICV is identical to the ICV carried in the data frame, otherwise it is invalid.
As can be seen from the above processing procedure, in order to perform decryption, the encryption side needs to carry the identifier of the key, the identifier of the IV, and the encryption parameters such as ICV in the data frame, which brings about a large bandwidth expansion.
Disclosure of Invention
The application provides a data transmission method, a device and a readable storage medium, which are used for reducing bandwidth expansion by reducing data synchronization quantity of identification of a key and identification of an initial vector.
In a first aspect, the present invention provides a data transmission method, in which a first device generates a data stream; the data stream is transmitted. Wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit. The N encrypted segments comprise at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, wherein the data stream carries an identifier of a first key for encrypting the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment. The N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, wherein the data stream carries an identifier of a third initial vector for encrypting the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted the fourth encrypted segment. The M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer. Thus, it can be seen that, for some encrypted segments, the data stream does not carry the key identifier and/or the identifier of the initial vector of the encrypted segment, and compared with a scheme in which each encrypted segment needs to transmit the key identifier and the identifier of the initial vector of the encrypted segment, the amount of data that needs to be synchronized can be reduced, thereby reducing the problem of bandwidth expansion.
In a second aspect, the present invention provides a data transmission method, in which a first device generates a first data stream; a first data stream is transmitted. Wherein the first data stream includes N encrypted segments, N being a positive integer, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit. Aiming at one encrypted segment in the N encrypted segments, the first data stream also bears the encryption parameters of the encrypted segment; wherein the encryption parameter comprises one of: checking a value; a key identification and a check value; an initial vector identification and a check value; a key identification, an initial vector identification, and a check value. When the encryption parameters of the encryption section do not comprise the key identification, a first rule is satisfied between the identification of the key for encrypting the encryption section and the first key identification; and when the encryption parameters of the encrypted segment do not comprise the initial vector identification, a second rule is satisfied between the identification of the initial vector for encrypting the encrypted segment and the first initial vector identification. That is, for an encrypted segment, the data stream may carry only one or more of the key identification, the initial vector identification, and the check value, so that the amount of synchronization of the encryption parameters can be reduced.
In a third aspect, the present invention provides a data transmission method, in which a first device generates a first data stream, and transmits the first data stream. Wherein the first data stream includes N encrypted segments, N being a positive integer, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit. The first data stream comprises one or more first key identifications, one first key identification is used for indicating keys of (1+ M1) encrypted segments; the identification of the key for any two of the (1+ M1) encrypted segments satisfies a first rule. The first data stream comprises one or more third initial vector identifications, and one third initial vector identification is used for indicating initial vectors of (1+ M2) encrypted segments; the identification of the initial vector of any two of the (1+ M2) encrypted segments satisfies the second rule. Wherein M2 is zero or a positive integer, and M1 is zero or a positive integer. In a possible embodiment, M1 and M2 may both take a value of zero in the present application, and when at least one of M1 and M2 is a positive integer, that is, at least one of M1 and M2 takes a non-zero value, the amount of data that needs to be synchronized can be reduced compared to a scheme in which a key identification and an initial vector identification of each encrypted segment are transmitted.
In any of the above first to third aspects, a possible implementation comprises the data unit for carrying the identification of the first key satisfying one of the following conditions: before the head data unit of the first encrypted segment and after the tail data unit of the previous encrypted segment of the first encrypted segment; after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment. The data unit for carrying the identification of the third initial vector satisfies one of the following conditions: before the head data unit of the third encrypted segment and after the tail data unit of the previous encrypted segment of the third encrypted segment; after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment. In this way, the flexibility of the scheme can be improved.
In any one of the first to third aspects above, a possible implementation manner includes that the data stream further carries a check value of each encrypted segment of the N encrypted segments. Thus, the security of data transmission can be further improved.
In any of the first to third aspects above, a possible implementation includes, when the data stream also carries an identification of a first initial vector encrypting the first encrypted segment, then: the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions: carried on a continuous segment of data units; the data unit types of the continuous data units comprise a head data unit, a data unit of the data type and a tail data unit; the data unit type of the continuous data unit comprises an operation maintenance management data unit; the data unit type of the continuous data unit comprises a data unit of the data type and an operation maintenance management data unit. In this way, the flexibility of the scheme can be improved.
In any of the first to third aspects above, a possible implementation includes that, for each of M1 second encrypted segments corresponding to a first encrypted segment, the first key identification and the second key identification that encrypt the second encrypted segment satisfy a first rule; for each of M2 fourth encrypted segments corresponding to the third encrypted segment, the fourth initial vector identifier and the third initial vector identifier that encrypt the fourth encrypted segment satisfy the second rule. Therefore, when the data stream does not bear the key identification of one encryption segment, the receiving end can determine the key identification of the encryption segment according to the first rule. When the data stream does not carry the initial vector identifier of one encrypted segment, the receiving end can determine the identifier of the initial vector of the encrypted segment according to the second rule.
In any of the first to third aspects above, one possible implementation comprises the first rule comprising: for each of the M1 second encrypted segments, the second key identification used to encrypt the second encrypted segment is the same as the first key identification; the second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of the third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment and a third rule. In any of the first to third aspects above, a possible embodiment comprises, for any two of the M2 fourth encrypted segments, the identity of the two fourth initial vectors encrypting the two fourth encrypted segments being different; and: the identity of the third initial vector is different from the identity of one of the fourth initial vectors. In this embodiment, the key is updated once every (1+ M1) encrypted segments, and the initial vector is updated once every encrypted segment, on one hand, it can be satisfied that the initial vectors and/or keys of the two encrypted segments are different, so that the security of data transmission can be ensured, and on the other hand, the updating of the initial vector is easier than the updating of the key, so that this embodiment is also easier to implement.
In any one of the first to third aspects above, a possible implementation includes that the (1+ M1) encrypted pieces of the N encrypted pieces include: k third encrypted segments, and M2 fourth encrypted segments corresponding to each third encrypted segment in the K third encrypted segments, wherein K is a positive integer, and M2 is a positive integer not greater than M1; wherein the (1+ M1) encrypted segments include a first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment. In this division manner, a synchronization period of one key may include a synchronization period of a plurality of initial vectors, which may reduce the number of keys to be synchronized on one hand, and on the other hand, for (1+ M1) encryption segments, may synchronize one or more initial vectors, so that a receiving end may receive more encryption parameters, and thereby may further improve the probability of successful data decryption.
In any of the first to third aspects above, a possible implementation includes that any two encrypted segments of the N encrypted segments satisfy the following: the two encrypted segments are encrypted using different keys and/or the two encrypted segments are encrypted using different initial vectors. Thus, the security of data transmission can be further improved.
In any of the first to third aspects above, a possible implementation comprises that one encrypted segment satisfies one or more of the following: comprises at least two head data units; comprises at least two tail data units; including at least one operation maintenance management data unit. Therefore, compared with a scheme that one encryption segment only comprises one head data unit, the granularity of the encryption object is increased, so that the number of identifiers of keys required to be synchronized by a sending end and a receiving end and the number of identifiers of initial vectors can be correspondingly reduced, further the overhead can be reduced, and the data bearing efficiency is improved.
In a fourth aspect, the present invention provides a data transmission method, in which a second device receives a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; aiming at one encryption segment in the N encryption segments, the second equipment determines the identifier of a key for encrypting the encryption segment and the identifier of an initial vector; and decrypting the encrypted segment according to the identifier of the key for encrypting the encrypted segment and the identifier of the initial vector, so as to obtain decrypted data corresponding to the encrypted segment.
In a possible implementation manner of the fourth aspect, the N encrypted segments include at least one first encrypted segment, and M1 second encrypted segments corresponding to the first encrypted segment, where an identity of a first key and an identity of a second key satisfy a first rule, where the identity of the first key is an identity of a key used to encrypt the first encrypted segment; the second key identification is an identification of a key that encrypts one of the M1 second encrypted segments; the data stream carries an identifier of a first key for encrypting the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment; the N encrypted segments include at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, where an identifier of a third initial vector and an identifier of a fourth initial vector satisfy a second rule, where the identifier of the third initial vector is an identifier of an initial vector used to encrypt the third encrypted segment; the identification of the fourth initial vector is the identification of the initial vector encrypting one of the M2 fourth encrypted segments; the data stream carries an identifier of a third initial vector for encrypting the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted the fourth encrypted segment; the M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer.
In a fifth aspect, the present invention provides a data transmission method, in which a second device receives a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; for one encrypted segment of the N encrypted segments, performing: under the condition that the identification of the key for encrypting the encrypted segment is not carried in the data stream, the identification of the key for encrypting the encrypted segment is determined according to the identification of the first key carried in the data stream; under the condition that the identifier of the initial vector for encrypting the encrypted segment is not carried in the data stream, determining the identifier of the initial vector for encrypting the encrypted segment according to the identifier of a third initial vector carried in the data stream; and the receiving end decrypts the encrypted segment by adopting the key and the initial vector for encrypting the encrypted segment to obtain decrypted data. Thus, it can be seen that, for some encrypted segments, the data stream does not carry the key identifier and/or the identifier of the initial vector of the encrypted segment, and compared with a scheme in which each encrypted segment needs to transmit the key identifier and the identifier of the initial vector of the encrypted segment, the amount of data that needs to be synchronized can be reduced, thereby reducing the problem of bandwidth expansion.
In a sixth aspect, the present invention provides a data transmission method, in which a second device receives a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; aiming at one encryption segment in the N encryption segments, the second equipment determines the identifier of a key for encrypting the encryption segment and the identifier of an initial vector; and decrypting the encrypted segment according to the identifier of the key for encrypting the encrypted segment and the identifier of the initial vector, so as to obtain decrypted data corresponding to the encrypted segment.
In one possible implementation manner of the above sixth aspect, wherein the first data stream includes N encrypted segments, N being a positive integer, one encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit. The first data stream comprises one or more first key identifications, one first key identification is used for indicating keys of (1+ M1) encrypted segments; the identification of the key for any two of the (1+ M1) encrypted segments satisfies a first rule. The first data stream comprises one or more third initial vector identifications, and one third initial vector identification is used for indicating initial vectors of (1+ M2) encrypted segments; the identification of the initial vector of any two of the (1+ M2) encrypted segments satisfies the second rule. Wherein M2 is zero or a positive integer, and M1 is zero or a positive integer.
In a possible implementation manner of any one of the above fourth to sixth aspects, for one of the N encrypted segments, the determining, by the second device, an identification of a key used to encrypt the encrypted segment includes: when the encryption segment is a first encryption segment, determining the identifier of a first key of the first encryption segment carried in the data stream as the identifier of the key for encrypting the encryption segment; when the encryption segment is a second encryption segment, determining a first encryption segment corresponding to the second encryption segment, and determining an identifier of a key for encrypting the encryption segment according to an identifier of a first key of the first encryption segment corresponding to the second encryption segment carried in the data stream and a first rule.
In a possible implementation manner of any one of the above fourth to sixth aspects, for one encrypted segment of the N encrypted segments, the determining, by the second device, an identification of an initial vector that encrypts the encrypted segment includes: when the encrypted segment is a third encrypted segment, determining the identifier of a third initial vector of the third encrypted segment carried in the data stream as the identifier of the initial vector for encrypting the encrypted segment; and when the encrypted segment is a fourth encrypted segment, determining a third encrypted segment corresponding to the fourth encrypted segment, and determining the identifier of the initial vector for encrypting the encrypted segment according to the identifier of the third initial vector of the third encrypted segment corresponding to the fourth encrypted segment carried in the data stream and a second rule.
In a possible implementation manner of any one of the above fourth to sixth aspects, for one encrypted segment of the N encrypted segments, when an identifier of a key for encrypting the encrypted segment is carried in the data stream, the encrypted segment is a first encrypted segment; and when the data stream does not carry the identifier of the key for encrypting the encrypted segment, the encrypted segment is the second encrypted segment. In a possible implementation manner of any one of the above fourth to sixth aspects, for one encrypted segment of the N encrypted segments, when the data stream carries an identifier of an initial vector for encrypting the encrypted segment, the encrypted segment is a third encrypted segment; and when the data stream does not carry the identifier of the initial vector for encrypting the encrypted segment, the encrypted segment is a fourth encrypted segment.
In a possible implementation manner of any one of the above fourth to sixth aspects, when the data stream does not carry an identifier of a key for encrypting the encrypted segment, the encrypted segment is a second encrypted segment, and a first encrypted segment that is newly received in the encrypted segment received by the receiving end is taken as a first encrypted segment corresponding to the second encrypted segment. In a possible implementation manner of any one of the above fourth to sixth aspects, when the data stream does not carry an identifier of an initial vector for encrypting the encrypted segment, the encrypted segment is a fourth encrypted segment, and a third encrypted segment that is newly received in the encrypted segments received by the receiving end is taken as a third encrypted segment corresponding to the fourth encrypted segment;
in a seventh aspect, the present invention provides a data transmission method, in which a second device receives a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; for one encrypted segment of the N encrypted segments, performing: under the condition that the data stream bears the identifier of the key for encrypting the encrypted segment, determining the identifier of the key of the encrypted segment borne in the data stream as the identifier of the key for encrypting the encrypted segment; under the condition that the data stream does not bear the identification of the key for encrypting the encrypted segment, determining the identification of the key for encrypting the encrypted segment according to the key identified by the identification of the key borne in the data stream which is received recently and a preset first rule; under the condition that the data stream carries the identifier of the initial vector for encrypting the encrypted segment, determining the identifier of the initial vector of the encrypted segment carried in the data stream as the identifier of the initial vector for encrypting the encrypted segment; under the condition that the data stream does not bear the identification of the initial vector for encrypting the encrypted segment, determining the identification of the initial vector for encrypting the encrypted segment according to the initial vector identified by the identification of the initial vector borne in the data stream which is received recently and a preset second rule; and decrypting the encrypted segment according to the determined identifier of the key for encrypting the encrypted segment and the identifier of the initial vector to obtain decrypted data.
In a possible implementation of any of the above fourth to seventh aspects, an implementation includes that the identification of the first key includes: and identifying a key for encrypting the first encryption segment corresponding to the encryption segment. The identification of the third initial vector includes: and identifying the initial vector for encrypting the third encrypted segment corresponding to the encrypted segment.
In a possible implementation form of any of the above fourth to seventh aspects, the identifying of the first key comprises: the receiving end receives the identification of a key loaded in the data stream recently; the identification of the third initial vector includes: the receiver receives the identification of an initial vector carried in the data stream most recently. Thus, the ease of the scheme at the time of decryption by the decryption side can be improved.
In a possible implementation of any of the fourth through seventh aspects above, a possible implementation includes that the first rule includes: for each of the M1 second encrypted segments, the second key identification that encrypted the second encrypted segment is the same as the first key identification. The second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of the third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment and a third rule. In the fourth aspect, a possible implementation includes that, for any two fourth encrypted segments of the M2 fourth encrypted segments, the identities of the two fourth initial vectors that are encrypted for the two fourth encrypted segments are different. In this embodiment, the key is updated once every (1+ M1) encrypted segments, and the initial vector is updated once every encrypted segment, on one hand, it can be satisfied that the initial vectors and/or keys of the two encrypted segments are different, so that the security of data transmission can be ensured, and on the other hand, the updating of the initial vector is easier than the updating of the key, so that this embodiment is also easier to implement.
In one possible implementation of any one of the above fourth to seventh aspects, the (1+ M1) encrypted pieces of the N encrypted pieces include: k third encrypted segments, and M2 fourth encrypted segments corresponding to each third encrypted segment in the K third encrypted segments, wherein K is a positive integer, and M2 is a positive integer not greater than M1; wherein the (1+ M1) encrypted segments include a first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment. In this division manner, a synchronization period of one key may include a synchronization period of a plurality of initial vectors, which may reduce the number of keys to be synchronized on one hand, and on the other hand, for (1+ M1) encryption segments, may synchronize one or more initial vectors, so that a receiving end may receive more encryption parameters, and thereby may further improve the probability of successful data decryption.
In a possible implementation form of any of the above fourth to seventh aspects, the data unit for carrying the identity of the first key satisfies one of the following conditions: before the head data unit of the first encrypted segment and after the tail data unit of the previous encrypted segment of the first encrypted segment; after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment. The data unit for carrying the identification of the third initial vector satisfies one of the following conditions: before the head data unit of the third encrypted segment and after the tail data unit of the previous encrypted segment of the third encrypted segment; after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment. In this way, the flexibility of the scheme can be improved.
In a possible implementation manner of any one of the above fourth to seventh aspects, the data stream further carries a check value of each of the N encrypted segments. Thus, the security of data transmission can be further improved.
In a possible implementation manner of any one of the above fourth to seventh aspects, when the data stream also carries an identification of a first initial vector encrypting the first encrypted segment, then: the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions: carried on a continuous segment of data units; the data unit types of the continuous data units comprise a head data unit, a data unit of the data type and a tail data unit; the data unit type of the continuous data unit comprises an operation maintenance management data unit; the data unit type of the continuous data unit comprises a data unit of the data type and an operation maintenance management data unit. In this way, the flexibility of the scheme can be improved.
In a possible implementation of any one of the above fourth to seventh aspects, any two encrypted segments of the N encrypted segments satisfy the following: the two encrypted segments are encrypted using different keys and/or the two encrypted segments are encrypted using different initial vectors. Thus, the security of data transmission can be further improved.
In a possible implementation of any of the above fourth to seventh aspects, one encrypted segment satisfies one or more of the following: comprises at least two head data units; comprises at least two tail data units; including at least one operation maintenance management data unit. Therefore, compared with a scheme that one encryption segment only comprises one head data unit, the granularity of the encryption object is increased, so that the number of identifiers of keys required to be synchronized by a sending end and a receiving end and the number of identifiers of initial vectors can be correspondingly reduced, further the overhead can be reduced, and the data bearing efficiency is improved.
In an eighth aspect, a communication device is provided, which includes a transceiver unit and a processing unit to execute any implementation manner of any communication method of the first aspect to the second aspect. The transceiving unit is used to perform functions related to transmission and reception. Optionally, the transceiver unit includes a receiving unit and a transmitting unit. In one design, the communication device is a communication chip, and the transceiver unit may be an input-output circuit or a port of the communication chip.
In another design, the transceiver unit may be a transmitter and a receiver, or the transceiver unit may be a transmitter and a receiver.
Optionally, the communication device further includes various modules operable to perform any of the embodiments of any of the communication methods of the first aspect to the seventh aspect.
In a ninth aspect, a communication device is provided, the communication device being either a first device or a second device. Including a processor and memory. Optionally, the communication device further comprises a transceiver, wherein the memory is used for storing a computer program or instructions, and the processor is used for calling and running the computer program or instructions from the memory, and when the processor executes the computer program or instructions in the memory, the communication device is enabled to execute any implementation mode of any communication method of the first aspect to the fourth aspect.
Optionally, the number of the processors is one or more, and the number of the memories is one or more.
Alternatively, the memory may be integrated with the processor, or may be provided separately from the processor.
Optionally, the transceiver may include a transmitter (transmitter) and a receiver (receiver).
In a tenth aspect, a communication device is provided that includes a processor. The processor is coupled to the memory and is operable to perform the method of any one of the first to fourth aspects and any one of the possible implementations of the first to fourth aspects. Optionally, the communication device further comprises a memory. Optionally, the communication device further comprises a communication interface, the processor being coupled to the communication interface.
In one implementation, the communication device is a network device. When the communication device is a network device, the communication interface may be a transceiver, or an input/output interface. Alternatively, the transceiver may be a transmit-receive circuit. Alternatively, the input/output interface may be an input/output circuit.
In yet another implementation, the communication device is a chip or a system of chips. When the communication device is a chip or a system of chips, the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or related circuit, etc. on the chip or system of chips. A processor may also be embodied as a processing circuit or a logic circuit.
In an eleventh aspect, a system is provided, which comprises the above first device and second device.
In a twelfth aspect, there is provided a computer program product comprising: a computer program (also referred to as code, or instructions), which when executed, causes a computer to perform the method of any of the possible implementations of the first aspect described above, or causes a computer to perform the method of any of the implementations of the first to fourth aspects described above.
In a thirteenth aspect, a computer-readable storage medium is provided, which stores a computer program (which may also be referred to as code or instructions) that, when executed on a computer, causes the computer to perform the method of any of the possible implementations of the first aspect described above, or causes the computer to perform the method of any of the implementations of the first to fourth aspects described above.
In a fourteenth aspect, a processing apparatus is provided, comprising: input circuit, output circuit and processing circuit. The processing circuit is configured to receive a signal via the input circuit and transmit a signal via the output circuit, such that the method of any one of the first to fourth aspects and any one of the possible implementations of the first to fourth aspects is implemented.
In a specific implementation process, the processing device may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver, the signal output by the output circuit may be output to and transmitted by a transmitter, for example and without limitation, and the input circuit and the output circuit may be the same circuit that functions as the input circuit and the output circuit, respectively, at different times. The specific implementation of the processor and various circuits are not limited in this application.
Drawings
FIG. 1 is a diagram of a two-layer encrypted data structure;
FIG. 2 is a system architecture diagram according to an embodiment of the present application;
fig. 3a is a schematic diagram of the structure of a code block of a 64B/66B coding format defined in the standard;
fig. 3b is a structural form of an idle code block;
fig. 3c is a schematic diagram of a correspondence relationship between a data frame and a code block in an ethernet according to an embodiment of the present application;
fig. 3d shows an exemplary structure of a Flit (Flit) according to an embodiment of the present application;
fig. 3e shows another exemplary structure of flits (flits) according to the embodiment of the present application;
fig. 3f is a structural form of a message according to an example of the present application;
fig. 3g is a structural form of an encrypted segment according to an embodiment of the present application;
fig. 3h is a structural form of another encrypted segment provided in this embodiment of the present application;
fig. 3i is a structural form of another encryption segment provided in the embodiment of the present application;
fig. 3j is a structural form of an encrypted segment according to an embodiment of the present application;
fig. 3k is a structural form of another encrypted segment provided in the embodiment of the present application;
fig. 3l is a structural form of another encryption segment provided in the embodiment of the present application;
fig. 4 is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 5a is a schematic structural diagram of a possible data flow provided in an embodiment of the present application;
fig. 5b is a schematic structural diagram of a possible data flow provided in the embodiment of the present application;
fig. 5c is a schematic structural diagram of a possible data flow provided in the embodiment of the present application;
fig. 5d is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 5e is a schematic flowchart of a data transmission method according to an embodiment of the present application;
fig. 6a is a schematic structural diagram of a carrying manner of an encryption parameter according to an embodiment of the present application;
fig. 6b is a schematic structural diagram of another bearer of an encryption parameter according to an embodiment of the present disclosure;
fig. 6c is a schematic structural diagram of another bearer of an encryption parameter according to an embodiment of the present application;
fig. 6d is a schematic structural diagram of another bearer of an encryption parameter according to an embodiment of the present disclosure;
fig. 6e is a schematic structural diagram of another bearer of an encryption parameter according to an embodiment of the present application;
fig. 6f is a schematic structural diagram of another encryption parameter carrying manner provided in the embodiment of the present application;
fig. 6g is a schematic structural diagram of another bearer of an encryption parameter according to an embodiment of the present disclosure;
fig. 7a is a schematic diagram of a carrying position of an encryption parameter in a data stream according to an embodiment of the present application;
fig. 7b is a schematic structural diagram of an O code block according to an embodiment of the present application;
fig. 7c is a schematic diagram of a carrying position of an encryption parameter in a data stream according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of another communication device provided in an embodiment of the present application;
fig. 10 is a schematic structural diagram of another communication device according to an embodiment of the present application.
Detailed Description
It should be understood that the technical solutions of the embodiments of the present application may be applied to various communication systems, for example: the communication system based on the Ethernet technology such as the field of mobile bearing forward transmission or return transmission, metropolitan area multi-service bearing, data center interconnection, industrial communication and the like, and the communication system among different components or modules in industrial or communication equipment.
Fig. 2 illustrates a schematic diagram of a system architecture provided by an embodiment of the present application, as shown in fig. 2, the system architecture includes a first device 101 and a second device 102, and communication between the first device 101 and the second device 102 is possible. Any one of the first device 101 and the second device 102 may be a network device, or a chip provided inside the network device. The device may be a network device that supports high-speed ethernet interfaces (e.g., 200G, 400G). Such devices include, but are not limited to: a core router, an Internet Protocol Radio Access Network (IPRAN) based on a Network Protocol, and a Packet Transport Network (PTN) box or frame switch device.
As shown in fig. 2, the device may include one transmitting module and one receiving module for any one of the first device 101 and the second device 102. One data transmission direction is: the first device 101 may send the encrypted data to the second device 102 through the sending module, and correspondingly, the second device 102 may decrypt the received encrypted data through the receiving module to recover the original data before encryption. The other data transmission direction is as follows: the second device 102 may send the encrypted data to the first device 101 through the sending module, and correspondingly, the first device 101 may decrypt the received encrypted data through the receiving module to recover the original data before encryption. In the embodiment of the present application, an example of "a first device sends encrypted data to a second device, and the second device performs decryption" is described, and for the encryption processing and the decryption processing involved in the data transmission direction of "the second device sends encrypted data to the first device", the following contents may be referred to, and are not described again. In an example of "the first device sends the encrypted data to the second device, and the second device performs decryption", the first device may also be referred to as a sending end, an encryption end, a source end (source end), a sending device, a sending side, a sending end side, and the like, and the second device may also be referred to as a receiving end, a decryption end, a destination end (destination end), a receiving device, a receiving side, a receiving end side, and the like, which is not limited in this embodiment of the present application.
Some terms and expressions referred to in the embodiments of the present application are explained below.
(1) A data unit is introduced.
In the embodiments of the present application, a data unit refers to one bit or a plurality of consecutive bits, and information carried on a data unit may refer to information carried on bits included in the data unit. For example, one data unit may be one code block. As another example, a data unit may also be a Flit, where the Flit may be translated into flits in some scenarios. It should be noted that, for more clearly describing the scheme of the embodiment of the present application, some parts in the embodiment of the present application are described by taking one data unit as one code block as an example, and these embodiments are also applicable to a scenario in which one data unit is one Flit.
The data unit in the embodiment of the present application may include two types, which are a data unit of a data type and a data unit of a control type. The bits in the data units of the data type may be used to carry the actual data payload and the bits in the data units of the control type may be used to carry the control information.
Under the control type of data unit, various types of data units can be divided, for example: a head data unit, a tail data unit, a free data unit, an operation maintenance management data unit, an error data unit, a low power consumption data unit, and the like.
(2) The data unit is taken as an example for code block.
When the data unit is a code block, for example, one data unit may be one code block. A code block in this embodiment refers to one bit or a plurality of consecutive bits, and information carried on one code block may refer to information carried on bits included in the code block. The data unit of the data type in the embodiment of the present application may be a data code block, and the data code block may also be written as a D code block. The control-type data unit may be a control code block, which may be written as a C code block.
Wherein the header data unit of the control type data unit may be a header code block. The tail data unit may be a tail code block. The idle data unit may be an idle code block. The operation maintenance management data unit may be an operation maintenance management code block. The error data unit may be an error code block. The low power data unit may be a low power code block.
Fig. 3a illustrates a schematic diagram of the structure of a code block of a 64B/66B coding format defined in the Standard, as shown in fig. 3a, as defined by the IEEE Std 802.3-2018.IEEE Standard for ethernet session SIX Standard. As shown in fig. 3a, the synchronization header region of the code block includes the 0 th bit and the 1 st bit of the code block, and there are two cases, 01 and 10, respectively, of the synchronization header region of the code block. A code block with a sync header of 01 is called a data code block, and the data code block can be written as a D code block; the sync header is 10 called a control code block. The field D0 of the control code block occupies 8 bits and may be referred to as a type field of the control code block (the type field may be written as a type field).
The control code block may include: a head code block (in this embodiment, the head code block may be written as an S code block), a tail code block (in this embodiment, the tail code block may be written as a T code block), an Ordered set code block (in this embodiment, the Ordered set code block may also be written as an O code block), an IDLE code block (in this embodiment, the IDLE code block may also be written as an IDLE code block, or written as an I/code block), an error code block (in the error code block may also be written as an error code block), a low-power-consumption code block, and the like. The header code block in the embodiment of the present application may be a code block with a synchronization header of 10 types and 0x78 in fig. 3 a. The tail code block in the embodiment of the present application may be written as a T code block, including code blocks with a sync header of 10 and type fields of 0x87, 0x99, 0xAA, 0xB4, 0xCC, 0xD2, 0xE1, and 0xFF in fig. 3 a. In the embodiment of the present application, the O code block is a code block with a synchronization header of 10 type and 0x4B in fig. 3 a. In the embodiment of the present application, control code blocks other than the S code block and the T code block among the control code blocks may be written as C code blocks.
Fig. 3b illustrates the structural form of an idle code block. As shown in fig. 3b, the sync header regions of the idle code blocks are all 10, and the contents of the other regions are as shown, and are all padded to 0x 00. The code block structure shown in fig. 3a is taken as an example of the code block involved in the embodiment of the present application for illustration, but the embodiment of the present application is also applicable to the code block structure defined by other standards, such as 8B/10B, 256B/257B, and the like.
(3) Introduction of correspondence of data frames to code blocks in an ethernet network.
Fig. 3c exemplarily shows a schematic diagram of a corresponding relationship between a data frame and a code block in an ethernet, and as shown in fig. 3c, two ethernet packets (packets) are shown, which are an ethernet packet (packet)301 and an ethernet packet (packet)302 respectively. A preamble (preamble), a Start of Frame Delimiter (SFD), and a data Frame (Frame)311 may be included in the ethernet packet (packet) 301. A destination Medium Access Control (destination MAC), a source MAC (source MAC), and Data (Data) may be included in the Data frame (frame) 311. A data Frame (Frame) is typically followed by a 1-byte End of Frame Delimiter (EFD) to identify the End of a data Frame.
An ethernet packet (packet)301 after PCS encoding, for example 64B/66B encoding, may include the following parts:
an S code block, denoted by S in fig. 3c, may be composed of a preamble (preamble) of 7 bytes and an SFD of 1 byte of ethernet packet (packet) 301;
one or more consecutive D code blocks, wherein each D code block corresponds to a 64-bit data portion of an ethernet packet, for example, the 1 st D code block may be composed of 2 bytes in a source MAC and a destination MAC of 6 bytes;
a T-code block which may be used to indicate the end of the ethernet packet, and when the size of the ethernet packet (packet)301 is not an integer multiple of 8 bytes, one T-code block may contain partial data of the data (data) area in the data frame (frame) 311; when the size of one ethernet packet is an integer multiple of 8 bytes, the T-code block may not contain data (data) in the data frame (frame) 311.
The area between ethernet packets may be referred to as an ethernet packet gap (inter-packet)303 as shown in fig. 3 c. The inter-packet 303 may generally have a certain number of IDLE characters, 8 IDLE characters being coded 64B/66B to be IDLE code blocks, which are identified as I code blocks in fig. 3 c. In one aspect, the idle code blocks can be flexibly deleted and deleted for adjusting the Ethernet + -100 ppm frequency offset. On the other hand, these idle code blocks may also be replaced by other types of code blocks, for example, O code blocks, that is, characters carried by the packet gaps (inter-packets) 303 may be idle code blocks after 64B/66B encoding, or may also be O code blocks. Code blocks for carrying key identifiers, initial vector identifiers and check values, which are referred to in the embodiments of the present application, may be transmitted by replacing idle code blocks corresponding to ethernet packet gaps (inter-packets).
(4) The data unit is exemplified as Flit.
When the data unit is a Flit, for example, one data unit may be one Flit. The Flit in the embodiment of the present application refers to one bit or a plurality of consecutive bits, and the information carried on one Flit may refer to information carried on bits included in the Flit. It can also be said that the data is encoded based on Flit, and one or more bits in the encoded data may be referred to as a Flit. The data unit of the data type in the embodiment of the present application may be data Flit, and the data Flit may also be written as a data Flit. The data unit of the control type may be a control Flit.
Wherein, the Header data unit in the data unit of the control type may be a Header Flit, and the Header Flit may be written as a Header Flit. The Tail data unit may be a Tail Flit, which may be written as a Tail Flit. The operation maintenance management data unit may be an operation maintenance management Flit.
In one possible embodiment, the size of one Flit may take 16 bytes, 32 bytes, etc. Fig. 3d and 3e exemplarily show structural diagrams of two types of flits, as shown in fig. 3d and 3e, bits included in one Flit may be divided into a plurality of regions, as shown in fig. 3d, and one Flit may be divided into a first region, a second region, and a third region. As shown in fig. 3e, one Flit can be divided into a first region and a third region.
As shown in fig. 3d and fig. 3e, the bit carried by the first region may be used to indicate whether the Flit is a Flit of a data type or a Flit of a control type. For example, the first area may be 3 bits, and when the value carried on the first area is binary number 001, the Flit is a Flit of a data type; when the value carried on the first area is binary 100, the Flit is a Flit of a control type. In one possible example, the first area may be written as an S area.
As shown in fig. 3d, when the information carried on the first region of a Flit indicates that the Flit is a Flit of a control type, the information carried on the second region of the Flit can further distinguish which control type of Flit the Flit is specifically. The second region may also be referred to as a type field, or as a subtype field, or as a type field. For example, the second area occupies 5 bits, and when the value carried on the second area is binary 0b00001, the Flit is a Header Flit (which can be written as a Header Flit); when the value carried on the second area is binary 0b00010, the Flit is a Tail Flit (which can be written as Tail Flit). The second region may also carry other values for indicating a subtype of Flit of the control type.
As shown in fig. 3d and 3e, some other information may be carried in the third area. For example, when the Flit is a Flit of a data type, the third area of the Flit may carry data information. When the Flit is of a control type, the third area may carry some control information.
Fig. 3f exemplarily shows a structure diagram of a message, as shown in fig. 3f, in a Flit-based coding scheme, a message may generally include a Header Flit (which may also be written as a Header Flit), a plurality of Body flits (which may also be written as Body flits), and a Tail Flit (which may be written as a Tail Flit).
When the data stream in the embodiment of the present application includes a Flit for carrying a key identifier, a Flit for carrying an identifier of an initial vector, and a Flit for carrying a check value, in a possible implementation manner, the Flit may be carried in a structural form of the Flit shown in fig. 3 d.
For example, in the Flit for carrying the identifier of the key, the first area carries a value of binary 100, the second area carries a value of binary 0b00100, and the third area can carry the identifier of the key. In the Flit for carrying the identifier of the initial vector, the value carried by the first region is binary 100, the value carried by the second region is binary 0b01000, and the third region can carry the identifier of the initial vector. In the Flit for carrying the check value, the first area carries a value of binary 100, the second area carries a value of binary 0b10000, and the third area can carry the check value.
(5) Introduction of encrypted segments.
In the embodiment of the present application, a concept of an encrypted segment is defined, and the encrypted segment refers to a segment of continuous data units in a data stream. In one possible embodiment, an encrypted segment includes: a segment of contiguous data units starting with a head data unit and ending with a tail data unit, the encrypted segment may include one or more data units between the head data unit and the tail data unit.
In the embodiment of the present application, an encrypted segment may include only a header data unit, data units of several data types, and a tail data unit. In another possible embodiment, an encrypted segment may also include a plurality of head data units, a plurality of tail data units, and data units of several data types, and optionally may also include an idle data unit and an operation maintenance management data unit.
(6) The definition of the encrypted segment in the embodiments of the present application is introduced in connection with the concept of a code block.
When a data unit is a code block, an encrypted segment includes: a segment of contiguous code blocks beginning with a header block and ending with a trailer block, the encrypted segment may include one or more data code blocks between the header block and the trailer block.
Fig. 3g, 3h and 3i illustrate several possible structure forms of the encrypted segments, as shown in fig. 3g, the encrypted segment 321 and the encrypted segment 322 are included in the code block stream, and it can be seen that both the encrypted segments shown in fig. 3g are illustrated by only including one S code block, one T code block and several D code blocks.
As shown in fig. 3h, the code block stream includes an encrypted segment 331 and an encrypted segment 332, and it can be seen that both the encrypted segments shown in fig. 3h are illustrated by including a plurality of S code blocks, a plurality of T code blocks, and a plurality of D code blocks.
As shown in fig. 3i, the code block stream includes an encrypted segment 341 and an encrypted segment 342, and it can be seen that the encrypted segment 341 shown in fig. 3i includes a plurality of S code blocks, a plurality of T code blocks, and a plurality of D code blocks, while the encrypted segment 342 includes only one S code block, one T code block, and a plurality of D code blocks. It can be seen that, in the embodiment of the present application, the number of header code blocks included in two encrypted segments of one code block stream may be different, or the number of tail code blocks included in the two encrypted segments may be different. The user can define the number of the head code blocks included in one encrypted segment according to the requirement of the user.
In this embodiment of the present application, for each encrypted segment, the encrypted segment may be encrypted by using a key and an initial vector, and then the sending end and the receiving end may synchronize the identifier of the key and the identifier of the initial vector, so that the receiving end decrypts the encrypted segment. In the process, if one encryption segment comprises a plurality of S code blocks, compared with a scheme that one encryption segment only comprises one S code block, the granularity of an encrypted object is increased, so that the number of identifiers of keys required to be synchronized by a sending end and a receiving end and the number of identifiers of initial vectors can be correspondingly reduced, further the overhead can be reduced, and the data bearing efficiency is improved.
(7) The definition of the encrypted segment in the embodiment of the present application is described in conjunction with the concept of Flit.
When a data unit is a Flit, an encrypted segment includes: a segment of consecutive flits starting with a header Flit and ending with a tail Flit, which encrypted segment may comprise flits of one or more data types between the header Flit and the tail Flit.
Fig. 3j, 3k and 3l illustrate several possible configurations of encrypted segments, where, as shown in fig. 3j, the stream of code blocks includes an encrypted segment 351 and an encrypted segment 352, and it can be seen that both encrypted segments shown in fig. 3j are illustrated by including only one head flit, one tail flit and several body flits. While the tail Flit of the encrypted segment 351 in fig. 3j is adjacent to the head Flit of the encrypted segment 352, in another possible embodiment, the tail Flit of the encrypted segment 351 and the head Flit of the encrypted segment 352 may also be inserted with other flits, such as flits of some control types, flits of some data types, and so on.
As shown in fig. 3k, the code block stream includes an encrypted segment 361 and an encrypted segment 365, and it can be seen that both encrypted segments shown in fig. 3k are illustrated by including a plurality of head flits, a plurality of tail flits and a plurality of body flits.
As shown in fig. 3l, the code block stream includes an encrypted segment 371 and an encrypted segment 372, and it can be seen that the encrypted segment 371 shown in fig. 3l includes a plurality of head flits, a plurality of tail flits and a plurality of body flits, and the encrypted segment 372 includes only one head flit, one tail flit and a plurality of body flits. It can be seen that, in the embodiment of the present application, the number of header code blocks included in two encrypted segments of one code block stream may be different, or the number of tail flits included in the two encrypted segments may be different. The user can define the number of the head code blocks included in one encrypted segment according to the requirement of the user.
In this embodiment of the present application, for each encrypted segment, the encrypted segment may be encrypted by using a key and an initial vector, and then the sending end and the receiving end may synchronize the identifier of the key and the identifier of the initial vector, so that the receiving end decrypts the encrypted segment. In the process, if one encryption segment comprises a plurality of head flits, compared with a scheme that one encryption segment only comprises one head flit, the granularity of an encrypted object is increased, so that the number of identifiers of keys required to be synchronized by a sending end and a receiving end and the number of identifiers of initial vectors can be correspondingly reduced, further the overhead can be reduced, and the data bearing efficiency is improved.
(8) A first encrypted segment, a second encrypted segment, a third encrypted segment, and a fourth encrypted segment.
In the embodiment of the application, for an encrypted segment in a data stream, the encrypted segment is encrypted by using a key and an initial vector. For an encrypted segment, the embodiments of the present application provide several possible identities for the encrypted segment, and may determine whether the encrypted segment belongs to a first encrypted segment or a second encrypted segment according to whether a data stream carries a key identifier for encrypting the encrypted segment, or determine whether the encrypted segment belongs to a third encrypted segment or a fourth encrypted segment according to whether the data stream carries an initial vector identifier for encrypting the encrypted segment.
Specifically, if the data stream carries an identifier of a key for encrypting the encrypted segment, the encrypted segment may be referred to as a first encrypted segment; if the data stream does not carry an identification of the key used to encrypt the encrypted segment, the encrypted segment may be referred to as a second encrypted segment. If the data stream carries the identifier of the initial vector for encrypting the encrypted segment, the encrypted segment may be referred to as a third encrypted segment; if the data stream does not carry the identification of the initial vector used to encrypt the encrypted segment, the encrypted segment may be referred to as a fourth encrypted segment.
For an encrypted segment, in particular, there may be several cases:
in the first case, the data stream may carry an identifier of a key for encrypting the encrypted segment and an identifier of an initial vector for encrypting the encrypted segment, where the encrypted segment is both the first encrypted segment in the content and the third encrypted segment in the content;
in the second case, the data stream may not carry an identifier of a key used to encrypt the encrypted segment, nor an identifier of an initial vector used to encrypt the encrypted segment, where the encrypted segment is both the second encrypted segment in the content and the fourth encrypted segment in the content;
in a third case, the data stream may carry an identifier of a key used to encrypt the encrypted segment, but does not carry an identifier of an initial vector used to encrypt the encrypted segment, where the encrypted segment is the first encrypted segment in the content and the fourth encrypted segment in the content;
in a fourth case, the data stream does not carry the identifier of the key used to encrypt the encrypted segment, but carries the identifier of the initial vector used to encrypt the encrypted segment, in which case the encrypted segment is both the second encrypted segment and the third encrypted segment of the content.
For the convenience of subsequent reference, the key that encrypts the first encrypted piece is referred to as a first key, and the initial vector that encrypts the first encrypted piece is referred to as a first initial vector. The key that encrypts the second encrypted segment is referred to as a second key, and the initial vector that encrypts the second encrypted segment is referred to as a second initial vector. A key for encrypting the third encrypted piece is referred to as a third key, and an initial vector for encrypting the third encrypted piece is referred to as a third initial vector. A key for encrypting the fourth encrypted piece is referred to as a fourth key, and the initial vector for encrypting the fourth encrypted piece is referred to as a fourth initial vector.
(9) A first encrypted segment group and a second encrypted segment group.
For convenience of subsequent citation, the encrypted segments in the data stream may be grouped. In this embodiment of the present application, an encrypted segment in a data stream may be divided into one or more first encrypted segment groups, where each first encrypted segment group may include one first encrypted segment and a plurality of second encrypted segments, and the first encrypted segment and the plurality of second encrypted segments may be consecutive encrypted segments, where consecutive encryption segments in this embodiment of the present application mean: two encrypted segments are adjacent and there is no other encrypted segment between the adjacent two encrypted segments. In a possible embodiment, other data units not belonging to the encrypted segment may be included between two adjacent encrypted segments (e.g., some free data units, operation maintenance management data units, etc. may be included between two encrypted segments). In another possible embodiment, no other data unit may be included between two adjacent encrypted segments (e.g., the tail data unit of one of the two adjacent encrypted segments is adjacent to the head data unit of the other encrypted segment).
In this embodiment of the present application, for two groups of first encryption segment groups in one data stream, the numbers of second encryption segments included in the two groups of first encryption segment groups may be different or the same, and this embodiment of the present application is not limited. Subsequently, for convenience of description, a first encryption segment group includes: a first encrypted segment and M1 second encrypted segments are illustrated as examples. The meaning of M1 second encrypted segments corresponding to the first encrypted segment mentioned in the implementation of the present application can be understood as follows: the M1 second encrypted segments belong to the same first encrypted segment group as the first encrypted segment.
In this embodiment, the encrypted segments in the data stream may be further divided into one or more second encrypted segment groups, where each second encrypted segment group may include a third encrypted segment and a plurality of fourth encrypted segments, and the third encrypted segment and the plurality of fourth encrypted segments may be consecutive encrypted segments.
In this embodiment of the present application, for two second encryption segment groups in one data stream, the numbers of the fourth encryption segments included in the two second encryption segment groups may be different or the same, and this embodiment of the present application is not limited. Subsequently, for convenience of description, a second encryption segment set includes: a third encrypted piece and M2 fourth encrypted pieces are illustrated as an example. The meaning of M2 fourth encrypted segments corresponding to the third encrypted segment mentioned in the implementation of the present application can be understood as follows: the M2 fourth encrypted segments belong to the same second encrypted segment group as the third encrypted segment.
Based on the above, fig. 4 exemplarily shows a flowchart of a data transmission method, which may be applied to the system architecture diagram shown in fig. 2, and the example of sending a data stream to the second device 102 by the first device 101 in fig. 2 is described. When the second device 102 transmits the data stream to the first device 101, the encryption process and the decryption process are similar to each other, and are not described again. As shown in fig. 4, the method includes:
step 201, a first device generates a data stream;
in step 201, the data stream generated by the first device includes N encrypted segments, where N is a positive integer greater than 1.
The N encrypted segments comprise at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, wherein M1 is zero or a positive integer. The N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, wherein M2 is zero or a positive integer. The data stream carries an identifier of a first key for encrypting the first encryption segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment. The data stream carries the identifier of a third initial vector for encrypting the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted the fourth encrypted segment. It can also be understood that N encrypted segments may be divided into at least one first encrypted segment group according to whether the first data stream carries the identifier of the key of one encrypted segment; on the other hand, the N encrypted segments may be divided into at least one second encrypted segment group according to whether the first data stream carries the identification of the initial vector of one encrypted segment.
On the other hand, in the embodiment of the present application, both M1 and M2 may take a value of zero, and when at least one of M1 and M2 is a positive integer, that is, at least one of M1 and M2 takes a non-zero value, compared with a scheme in which each encrypted segment needs to transmit a key identifier and an initial vector identifier of the encrypted segment, the amount of data that needs to be synchronized can be reduced.
For the features of the data stream generated by the first device, yet another way of describing includes: the data stream includes one or more first encrypted segment sets, where a first encrypted segment set includes an identification of a first key. The identification of one first key can indicate the identification of the key for each encrypted segment of all encrypted segments included in a set of first encrypted segments. Thus, in subsequent step 204, the second device can determine the identity of the key of the second encrypted segment in the set of first encrypted segments based on the identity of the first key in the set of first encrypted segments.
Further, in this embodiment of the present application, for a first encrypted segment group, a key identifier of a second encrypted segment included in the first encrypted segment group and a key identifier of a first encrypted segment included in the first encrypted segment group may satisfy a first rule, so that the decryption side may determine, according to the identifier of the first key used to encrypt the first encrypted segment in the first encrypted segment group, an identifier of a key used to encrypt another second encrypted segment in the first encrypted segment group.
For the features of the data stream generated by the first device, yet another way of describing includes: in this embodiment, the data stream includes one or more second encrypted segment groups, where a second encrypted segment group includes an identifier of a third initial vector. An identification of a third initial vector can indicate an identification of the initial vector of each encrypted segment of all encrypted segments included in the set of second encrypted segments. Thus, in step 204, the second device may determine the identity of the initial vector of the fourth encrypted segment in the set of second encrypted segments based on the identity of the third initial vector in the set of second encrypted segments.
Further, in this embodiment of the present application, for a second encrypted segment group, a second rule may be satisfied between an identifier of an initial vector of a fourth encrypted segment included in the second encrypted segment group and an identifier of an initial vector of a third encrypted segment included in the second encrypted segment group, so that the decryption side may determine, according to the identifier of the third initial vector that encrypts the third encrypted segment in the second encrypted segment group, the identifier of the initial vector that encrypts another fourth encrypted segment in the second encrypted segment group.
For the features of the data stream generated by the first device, yet another way of describing includes: in the embodiment of the application, for one encrypted segment of the N encrypted segments, the data stream also carries the encryption parameters of the encrypted segment; the encryption parameter includes a check value, and may include one or more of an identifier of the key and an identifier of the initial vector in addition to the check value. That is, for an encrypted segment, the data stream may only carry the check value of the encrypted segment, and not the identity of the key that encrypted the encrypted segment and the identity of the initial vector. It is also possible that the data stream carries only the check value and the identification of the key used to encrypt the encrypted segment, and does not carry the identification of the initial vector used to encrypt the encrypted segment. It is also possible that the data stream carries only the check value of the encrypted segment and the identification of the initial vector that encrypted the encrypted segment, but not the identification of the key that encrypted the encrypted segment. It is also possible that the data stream carries the check value of the encrypted segment, and the identification of the key and the identification of the initial vector that encrypted the encrypted segment.
Further, in this embodiment of the application, when the encryption parameter of the encrypted segment does not include the key identifier, a first rule is satisfied between the identifier of the key used for encrypting the encrypted segment and the first key identifier, so that the receiving end can determine the identifier of the key used for encrypting the encrypted segment according to the identifier of the first key. When the encryption parameter of the encryption segment does not include the initial vector identifier, a second rule is satisfied between the identifier of the initial vector for encrypting the encryption segment and the third initial vector identifier, so that the receiving end can determine the identifier of the key for encrypting the encryption segment according to the identifier of the third initial vector.
Step 202, a first device sends a data stream.
Correspondingly, the second device receives the data stream.
Step 203, for one encrypted segment of the N encrypted segments, the second device determines whether the data stream carries an identifier of a key used for encrypting the encrypted segment, if not, step 204 is executed, and if so, step 207 is executed.
Step 204, the second device determines the identifier of the key for encrypting the encrypted segment according to the identifier of the first key carried in the data stream.
The identification of the first key mentioned in step 204 comprises: and identifying a key for encrypting the first encryption segment corresponding to the encryption segment. The first encrypted segment corresponding to the encrypted segment is the first encrypted segment belonging to the same first encrypted segment group as the encrypted segment.
In step 205, for one encrypted segment of the N encrypted segments, the second device determines whether the data stream carries an identifier of an initial vector used for encrypting the encrypted segment, if not, step 207 is executed, and if so, step 208 is executed.
Step 203 and step 205 have no absolute precedence, for example, step 205 may be executed first, and then step 203 is executed, which is not limited in this embodiment of the application.
In step 206, the second device determines the identifier of the initial vector used for encrypting the encrypted segment according to the identifier of the third initial vector carried in the data stream.
The identification of the third initial vector referred to in step 206 comprises: and identifying the initial vector for encrypting the third encrypted segment corresponding to the encrypted segment. And the third encrypted segment corresponding to the encrypted segment is the third encrypted segment which belongs to the same second encrypted segment group as the encrypted segment.
And step 207, the second device decrypts the encrypted segment by using the key identified by the identifier of the key for encrypting the encrypted segment determined by the second device and the initial vector identified by the identifier of the initial vector determined by the second device, so as to obtain decrypted data.
In step 207, the key used by the second device for decryption is the key identified by the identifier of the key determined in step 203 or step 204, and the initial vector used by the second device for decryption is the initial vector identified by the identifier of the initial vector determined in step 205 or step 206.
In the embodiment of the application, for an encrypted segment, an encryption side encrypts the encrypted segment by using a key and an initial vector. For the decryption side, the decryption side determines "a key and an initial vector for encrypting the encrypted segment" by a certain method (for example, the method described in step 203 or step 204, and the method described in step 205 or step 206), and then decrypts the encrypted segment according to the key and the initial vector determined by the decryption side.
Therefore, it should be noted that, in the embodiment of the present application, an example is given by taking the second device as a device on the decryption side as an example, and therefore when the second device related to the embodiment of the present application decrypts one encrypted segment, both the key and the initial vector used by the second device refer to the key and the initial vector determined by the second device itself; the identifier of the key for encrypting an encrypted segment determined by the second device may be the same as or different from the identifier of the key for encrypting the encrypted segment determined by the first device; and the "identifier of the initial vector for encrypting an encrypted segment" determined by the second device may be the same as or different from the "identifier of the initial vector for encrypting the encrypted segment" at the first device side.
In order to further improve the security, a check value may be generated for each encrypted segment, the data stream carries the check value of each encrypted segment, after the first device sends the data stream to the second device, the second device may check the check value of each encrypted segment, if the check passes, the decryption of the encrypted segment in step 207 is considered to be valid, and if the check does not pass, the decryption in step 207 is considered to be invalid, and possibly the data in the encrypted segment is tampered.
In the embodiment of the present application, there are various ways to group N encrypted segments in a data stream, and in a possible grouping situation, (1+ M1) encrypted segments included in a group of first encrypted segment groups are divided into K groups of second encrypted segment groups. The requirements for this grouping are satisfied: (1+ M1) ═ K (1+ M2), where K is a positive integer, and represents multiplication. This grouping formula can also be described as: for (1+ M1) encrypted segments of the data stream, the (1+ M1) encrypted segments include a first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, and the (1+ M1) encrypted segments can be understood as a set of first encrypted segment groups. The set of first encrypted segment sets includes: k third encrypted segments, and M2 fourth encrypted segments corresponding to each of the K third encrypted segments, wherein K is a positive integer and M2 is a positive integer not greater than M1. A third encrypted piece and M2 fourth encrypted pieces corresponding to the third encrypted piece may be understood as a set of second encrypted pieces.
Based on such a grouping manner, fig. 5a exemplarily shows a schematic structural diagram of a possible data stream provided in the embodiment of the present application, and as shown in fig. 5a, encrypted segments in the data stream sent by a first device are divided into two first encrypted segment groups, which are respectively: a first encrypted segment group 501 and a first encrypted segment group 502. Therein, the encrypted pieces 1 through (1+ M1) are divided into a first encrypted piece group 501. It should be noted that the encrypted segment defined in the embodiment of the present application does not include a data unit carrying the encryption parameter (e.g., an identification of a key, an identification of an initial vector, or a check value) of the encrypted segment.
The encrypted segments in the first encrypted segment group 501 may also be divided into two second encrypted segment groups, which are: a second encrypted segment group 511 and a second encrypted segment group 512. In FIG. 5a, an example is given where (1+ M1) is equal to 2 times (1+ M2). Wherein the second encrypted piece group 511 includes encrypted pieces 1 through (1+ M2), and the second encrypted piece group 512 includes encrypted pieces (2+ M2) through (1+ M1).
As shown in fig. 5a, the data stream carries a key identification 401 and an initial vector identification 411 of encrypted segment 1, and a key identification 402 and an initial vector identification 413 of encrypted segment (2+ M1). Thus, encrypted segment 1 belongs to both a first encrypted segment and a third encrypted segment. Similarly, encrypted segment (2+ M1) belongs to both a first encrypted segment and a third encrypted segment.
On the other hand, since no identification of the key of each of the encrypted pieces 2 to (1+ M1) is carried in the data stream, each of the encrypted pieces 2 to (1+ M1) belongs to the second encrypted piece. And, since the data stream carries only the initial vector identifier 412 of the encrypted segment (2+ M2) from the encrypted segment 2 to the encrypted segment (1+ M1), the encrypted segment (2+ M2) also belongs to the third encrypted segment. And for the other encrypted segments except the encrypted segment (2+ M2) in the encrypted segments 2 to (1+ M1), the data stream does not carry the identification of the initial vector of the encrypted segments, so that the encrypted segments belong to the fourth encrypted segment.
In one possible embodiment, to improve the security of the data, two encrypted segments of the N encrypted segments satisfy: the two encrypted segments are encrypted using different keys and/or the two encrypted segments are encrypted using different initial vectors. In the embodiment of the present application, the object can be achieved by setting the first rule and the second rule in the foregoing.
As seen in fig. 5a, the encrypted segments in a first encrypted segment group can be divided into a plurality of second encrypted segment groups. Based on this grouping form, in one possible implementation: the first rule includes: the identification of the key for all encrypted segments included in a first encrypted segment group is the same. In one possible embodiment, the first rule may include: for each of the M1 second encrypted segments, the identification of the second key used to encrypt the second encrypted segment is the same as the identification of the first key of the first encrypted segment corresponding to the M1 second encrypted segments. Thus, it can be seen that the key identification is transformed once for every (1+ M1) encrypted segments of the N encrypted segments, thereby reducing the number of key identifications to be synchronized.
In this possible embodiment, the second rule comprises: the identification of the initial vectors of any two encrypted segments in all the encrypted segments included in a first encrypted segment group is different. In one possible embodiment, the second rule may include: for a third encrypted segment and M2 fourth encrypted segments included in one second encrypted segment group, the identifiers of two fourth initial vectors for encrypting any two fourth encrypted segments are different; and: the identification of the third initial vector encrypting the third encrypted segment is different from the identification of one fourth initial vector encrypting any one of the fourth encrypted segments.
Because the encrypted segments in a first encrypted segment group can be divided into a plurality of second encrypted segment groups, and in a group of second encrypted segment groups, the identifier of the initial vector is transformed once every 1 encrypted segment, the first rule and the second rule can achieve the following effects: two encrypted segments in a first encrypted segment set may satisfy: the identification of the key is the same, but the identification of the initial vector is different, so that the security of data transmission can be ensured.
In the embodiment of the present application, one possible implementation manner of the second rule includes: for each of the M2 fourth encrypted segments included in one second encrypted segment group, an identification of a fourth initial vector encrypting the fourth encrypted segment: the second encryption segment group is determined according to the identification of a second initial vector for encrypting a second encryption segment in the second encryption segment group, the number of encryption segments spaced between the second encryption segment and the second initial vector, and a second rule. Several specific ways of determining the identity of the initial vector of the fourth encrypted segment are provided below:
example one, for one second encryption segment group, the identity of the fourth initial vector encrypting one fourth encryption segment is equal to the identity of the third initial vector in the second encryption segment group + (X + 1). Wherein X is used to indicate the number of encrypted segments spaced between the fourth encrypted segment and the third encrypted segment.
Example two, for a second encrypted segment group, the identity of a fourth initial vector encrypting a fourth encrypted segment is equal to the identity + a (X +1) of a third initial vector in the second encrypted segment group. Where X is used to indicate the number of encrypted segments spaced between the fourth encrypted segment and the third encrypted segment, where a may be a preset constant, such as 2. Denotes multiplication.
Further, in this embodiment of the present application, it may be defined that, for two groups of first encrypted segment groups of the data stream, identifiers of first keys included in the two groups of first encrypted segment groups are different, so that security of data transmission may be further improved. In another possible embodiment, it may be further specified that, for two second encrypted segment groups in the data stream, the two second encrypted segment groups include all encrypted segments, and the identification of the initial vectors of any two encrypted segments is different. Thus, the security of data transmission can be further improved.
As can be seen from fig. 5a, each first encrypted segment group only carries the identifier of the key used for encrypting one encrypted segment, which can reduce the transmission amount of the identifier of the key. And each second encryption segment group only carries the identifier of the initial vector for encrypting one encryption segment, so that the transmission quantity of the identifier of the initial vector can be reduced. Furthermore, the overhead can be reduced, and the bearing efficiency can be improved.
In an embodiment of the present application, for a first encrypted segment group, the first encrypted segment may be a first encrypted segment in the first encrypted segment group. In other words, for a first encrypted segment group, the first encrypted segment may be: the first encrypted segment of the encrypted segments of the first encrypted segment set that was transmitted by the first device. In this embodiment, for a second encrypted segment group, the third encrypted segment may be the first encrypted segment in the second encrypted segment group. In other words, for a second encrypted segment set, the third encrypted segment may be: the first encrypted segment of the encrypted segments of the second encrypted segment set that was transmitted by the first device. In this way, the time delay for the second device to decrypt can be reduced.
In one possible embodiment, it may be defined that each of the first encrypted piece groups includes (1+ M1) encrypted pieces, each of the second encrypted piece groups includes (1+ M2) encrypted pieces, and (1+ M1) ═ K × (1+ M2), and the first encrypted piece in each of the first encrypted piece groups belongs to both the first encrypted piece and the third encrypted piece. In this way, it can be said that, in one data stream, the identification of the key that encrypts the encrypted segment is periodically transmitted with (1+ M1) encrypted segments as a period, and the identification of the initial vector that encrypts the encrypted segment is periodically transmitted with (1+ M2) encrypted segments as a period. It can also be described as: the synchronization period of the key is (1+ M1) encrypted segments, and the synchronization period of the initial vector is (1+ M2) encrypted segments. The values of (1+ M1) and (1+ M2) in the embodiments of the present application may be user-configurable or pre-configurable in the system. Therefore, the transmission quantity of the identification of the initial vector and the identification of the key can be reduced, the overhead can be reduced, and the bearing efficiency can be improved.
To further improve the security, a check value may be generated for each encrypted segment, and the data stream carries the check value of each encrypted segment, such as the check value 421 of encrypted segment 1, the check value 423 of encrypted segment 2, the check value 424 of encrypted segment (1+ M2), the check value 425 of encrypted segment (2+ M2), the check value 426 of encrypted segment (1+ M1), and so on, as shown in fig. 5 a. After the first device sends the data stream to the second device, the second device may check a check value of each encrypted segment, and if the check passes, the decryption of the encrypted segment in step 207 is considered to be valid, and if the check does not pass, the decryption in step 207 is considered to be invalid, and the data in the encrypted segment may have been tampered.
Based on the schematic diagram shown in fig. 5a, two specific examples are illustrated below by fig. 5b and 5 c. In fig. 5b, it is illustrated that a transmission cycle of the identifier of the key is 4 encrypted segments (M1 is 3), a transmission cycle of the identifier of the initial vector is 2 encrypted segments (M2 is 1), and a transmission cycle of the check value is 1 encrypted segment, as shown in fig. 5b, the encrypted segment 1 and the encrypted segment 5 are first encrypted segments, the encrypted segment 2, the encrypted segment 3, and the encrypted segment 4 are second encrypted segments, the encrypted segment 1 and the encrypted segment 3 are third encrypted segments, and the encrypted segment 2 and the encrypted segment 4 are fourth encrypted segments. Fig. 5b illustrates only one first encrypted segment group 501, and one data stream may include a plurality of first encrypted segment groups, which is not described again. As can be seen from fig. 5b, in this example, the identification of the key is transmitted once every 4 encrypted segments and the identification of the initial vector is transmitted once every 2 encrypted segments, so that the amount of data to be synchronized can be reduced.
In fig. 5c, it is illustrated that the transmission cycle of the identifier of the key is 4 encrypted segments (M1 is 3), the transmission cycle of the identifier of the initial vector is 1 encrypted segment (M2 is 0), and the transmission cycle of the identifier of the check value is 1 encrypted segment, as shown in fig. 5c, the encrypted segments 1 and 5 are first encrypted segments, the encrypted segments 2, 3, and 4 are second encrypted segments, and the encrypted segments 1, 2, 3, and 4 are all third encrypted segments, and there is no fourth encrypted segment in this example, in this case, it can be seen that each second encrypted segment group includes only one encrypted segment, as shown in fig. 5c, the second encrypted segment group 511 includes encrypted segment 1, the second encrypted segment group 512 includes encrypted segment 2, the second encrypted segment group 513 includes encrypted segment 3, and the second encrypted segment group 514 includes encrypted segment 4. Fig. 5c illustrates only one first encrypted segment group 501, and one data stream may include a plurality of first encrypted segment groups, which is not described again. As can be seen from fig. 5c, in this example, the identification of the key is transmitted once every 4 encrypted segments, and the identification of the initial vector is transmitted once every 1 encrypted segment, so that the amount of data to be synchronized can be reduced.
While one example of possible first and second rules is described above in connection with fig. 5 a-5 c, there are many possible implementations of the first and second rules in the implementation of the present invention. For example, the encrypted pieces included in one first encrypted piece group may be divided into one or more second encrypted piece groups, or the encrypted pieces included in one second encrypted piece group may be divided into one or more first encrypted piece groups. In these dividing manners, for a group of first encrypted segment groups, the "identifications of keys of any two encrypted segments in the first encrypted segment group are different, and the identifications of initial vectors of all encrypted segments in the first encrypted segment group are the same", in this case, the first rule may include: for a first encrypted segment group, the identity of the second key used to encrypt a second encrypted segment is equal to the identity of the first key in the first encrypted segment group + (X + 1). Wherein X is used to indicate the number of encrypted segments spaced between the second encrypted segment and the first encrypted segment. The second rule may include: for a second encrypted segment set, the identity of the fourth initial vector of a fourth encrypted segment in the second encrypted segment set is the same as the identity of the third initial vector of a third encrypted segment in the second encrypted segment set. It can be seen that these examples can also achieve the objective of "the identification of the initial vectors and/or the identification of the keys of the two encrypted segments in one first encrypted segment group are different", or achieve the objective of "the identification of the initial vectors and/or the identification of the keys of the two encrypted segments in one second encrypted segment group are different".
Based on the above, fig. 5d and fig. 5e exemplarily show a flow diagram of a data transmission method, and a data transmission method provided by the embodiment of the present application is described below with reference to fig. 5d and fig. 5e by taking a target encrypted segment as an example. As shown in fig. 5d and 5e, the method includes:
step 601, the first device obtains a target encrypted segment.
In step 602, the first device determines whether the target encrypted segment belongs to the first encrypted segment or the second encrypted segment.
If the first encrypted segment belongs to the first encrypted segment, go to step 603; if the second encrypted segment belongs to, step 604 is executed.
If the first encrypted segment is the first encrypted segment in a first encrypted segment group, step 602 may also be described as: judging whether the target encryption segment belongs to a first encryption segment transmitted by a first encryption segment group, if so, determining that the target encryption segment belongs to the first encryption segment, and executing the step 603; if not, the target encrypted segment is determined to belong to a second encrypted segment, and step 604 is performed.
In a possible embodiment, a key transmission period (1+ M1) may be preset, and a key transmission period (1+ M1) refers to the key transmission period: each transmission of (1+ M1) encrypted segments is referred to as a key transmission period. If the first encrypted segment is the first encrypted segment in a first encrypted segment group, step 602 may also be described as: whether the target encryption segment belongs to a first encryption segment transmitted in a key transmission period (if the keys of the encryption segments transmitted in the key transmission period are the same, one key transmission period can also be called a life cycle of one key) is judged, if yes, the target encryption segment is determined to belong to the first encryption segment, and if not, the target encryption segment is determined to belong to a second encryption segment.
Step 603, the first device determines the identifier of the key of the target encryption segment, and carries the identifier of the key of the target encryption segment in the data stream.
In step 603, when it is determined that the target encrypted segment belongs to the first encrypted segment, one of several pre-configured keys may be selected as the key corresponding to the target encrypted segment, and a specific selection method may be randomly selected or selected according to a certain rule configured by a user. For example, the first device side and the second device side both maintain a same key table, the key table includes an identifier of a key shared between the first device and the second device, and the identifier of the key has an ordering relationship in the key table. The first device may select the keys from the key table in sequence according to the ordering of the identifiers of the keys in the key table, for example, the first device may select the key with index of 0 in the table for the first time, and the identifiers of the corresponding keys are 0 (the identifiers of the keys of the encrypted segments in the first encrypted segment group are all 0), when it is necessary to select one key again, the second device may select the key with index of 1 in the table for the second time, and the identifiers of the corresponding keys are 1 (the identifiers of the keys of the encrypted segments in the second first encrypted segment group are all 1), and so on.
Step 604, the first device determines the identifier of the key of the target encrypted segment according to the first key and the first rule in the first encrypted segment group to which the target encrypted segment belongs, and determines that the identifier of the key of the target encrypted segment is no longer carried in the data stream.
Step 605, the first device determines whether the target encrypted segment belongs to the third encrypted segment or the fourth encrypted segment;
if the third encrypted segment belongs to the third encrypted segment, go to step 606; if the segment belongs to the fourth encrypted segment, step 607 is executed.
If the third encrypted segment is the first encrypted segment in the second encrypted segment group, step 605 may also be described as: judging whether the target encryption segment belongs to a first encryption segment transmitted by a second encryption segment group, if so, determining that the target encryption segment belongs to a third encryption segment, and executing a step 606; if not, the target encrypted segment is determined to belong to a fourth encrypted segment, and step 607 is executed.
In one possible embodiment, one initial vector transmission period (1+ M2) may be preset, and one initial vector transmission period (1+ M2) refers to: each transmission of (1+ M2) encrypted segments is referred to as an initial vector transmission period. If the third encrypted segment is the first encrypted segment in the second encrypted segment group, step 605 may also be described as: and judging whether the target encryption segment belongs to a first encryption segment transmitted in an initial vector transmission period, if so, determining that the target encryption segment belongs to a third encryption segment, and if not, determining that the target encryption segment belongs to a fourth encryption segment.
In step 606, the first device determines the identifier of the initial vector of the target encrypted segment, and carries the identifier of the initial vector of the target encrypted segment in the data stream.
When it is determined that the target encrypted segment belongs to the third encrypted segment, in step 606, in one possible embodiment, an identifier of an initial vector may be randomly selected as the identifier of the third encrypted segment, as long as the identifier of the third encrypted segment may satisfy the following condition: for the first encrypted segment group to which the third encrypted segment belongs, the identifier of the initial vector used by the third encrypted segment is not used, and the identifiers of the initial vectors of M2 fourth encrypted segments corresponding to the third encrypted segment obtained according to the identifier of the initial vector of the third encrypted segment are not used. Therefore, the requirement that the two initial vectors corresponding to any two encryption segments in the same first encryption segment group are different can be met, and the safety of data transmission can be improved. Taking the example of fig. 5b as an example, in this example, the identifier of the fourth initial vector used to encrypt one fourth encrypted segment is equal to the identifier of the third initial vector in the second encrypted segment group + (X + 1). Wherein X is used to indicate the number of encrypted segments spaced between the fourth encrypted segment and the third encrypted segment. For example, the initial vector of encrypted segment 1 is identified as 1 and the initial vector of encrypted segment 2 is identified as 2. The identifier of the initial vector of the encrypted segment 3 may be 3, or may be 5, 6, 7, or the like.
In another possible embodiment, the first device side and the second device side both maintain a same initial vector table, where the initial vector table includes identifiers of initial vectors shared between the first device and the second device, and the identifiers of the initial vectors have a sorting relationship in the initial vector table. The first device may select the initial vectors from the initial vector table in order according to the sorting of the identifiers of the initial vectors in the initial vector table, for example, the first device selects the initial vector with index of 0 in the table for the first time, and the identifier of the corresponding initial vector is 0, when it is needed to select one initial vector again, the initial vector with index of 1 in the table for the second time, and the identifier of the corresponding initial vector is 1, and so on. In this embodiment, for example, as shown in fig. 5b, the initial vector of encrypted segment 1 is denoted by 1, and the initial vector of encrypted segment 2 is denoted by 2. And the identification value of the initial vector of the encryption segment 3 is 3, and the identification value of the initial vector of the encryption segment 4 is 4. It can be seen that, in this example, the identifiers of the initial vectors are sequentially selected for each encrypted segment according to the ordering of the identifiers of the initial vectors in the initial vector table. In this case, the second rule required to be agreed between the first device and the second device includes: the identifier of the fourth initial vector used to encrypt one fourth encrypted segment is equal to the identifier of the third initial vector in the second encrypted segment group + (X + 1). Wherein X is used to indicate the number of encrypted segments spaced between the fourth encrypted segment and the third encrypted segment. In this way, the second device may determine the identity of the initial vector of each fourth encrypted segment according to the second rule and the identity of the initial vector of the third encrypted segment.
In another possible embodiment, the first device and the second device may jointly maintain a preset function, and for each third encryption segment, the first device may input a parameter value to the preset function, where the function value returned by the preset function is the initial vector of the third encryption segment. The preset function may be designed to satisfy that "for any two encryption segments in the same first encryption segment group, two initial vectors corresponding to the two encryption segments are different".
Step 607, the first device determines the identifier of the initial vector of the target encryption segment according to the third initial vector and the second rule in the second encryption segment group to which the target encryption segment belongs, and determines that the data stream does not carry the identifier of the initial vector of the target encryption segment any more.
In step 608, the first device encrypts the target encrypted segment using the key and the initial vector of the target encrypted segment. The first device generates a check value for the target encrypted segment and carries the check value in a data stream.
In step 608, in a possible implementation manner, the first device may calculate the check value of the target encrypted segment mentioned in step 608 according to the encrypted target encrypted segment, the key identified by the identification of the key used for encrypting the target encrypted segment, and the initial vector identified by the identification of the initial vector used for encrypting the target encrypted segment.
It should be noted that, in step 608, there is no absolute sequence between the two steps of encrypting the target encrypted segment and calculating the check value, and the two steps may be executed synchronously or alternately (for example, part of contents in the step of encrypting the target encrypted segment and the step of calculating the check value may be crossed). Or the target encrypted segment may be encrypted first and then the check value may be calculated. This is not particularly limited in the embodiments of the present application.
In step 609, the first device sends the encrypted target encrypted segment to the second device.
Correspondingly, the second device receives the target encrypted segment. The step may also be described as that the second device receives a data stream, acquires a segment of data between two check values, where the segment of data between the two check values includes an encrypted segment, and then introduces the scheme provided in the embodiment of the present application for clarity, or introduces the acquired encrypted segment as the target encrypted segment.
Step 610, the second device determines whether the data stream carries the key identifier of the target encrypted segment;
if yes, go to step 614; if not, go to step 611.
In a possible embodiment, the step 610 may also be described as: the second device determines whether the target encrypted segment belongs to the first encrypted segment or the second encrypted segment. If the first encrypted segment belongs to the first encrypted segment, go to step 614; if the second encrypted segment belongs to, step 611 is executed.
If the first encrypted segment is the first encrypted segment in a first encrypted segment group, step 610 can also be described as: judging whether the target encryption segment belongs to a first encryption segment transmitted by a first encryption segment group, if so, determining that the target encryption segment belongs to the first encryption segment, and executing step 614; if not, it is determined that the target encrypted segment belongs to a second encrypted segment, and step 611 is performed.
Step 611, the second device determines the identifier of the key of the target encrypted segment according to the first key and the first rule in the first encrypted segment group to which the target encrypted segment belongs.
If the first encrypted segment is the first encrypted segment in a first encrypted segment group, step 611 may also be described as: the target encrypted segment is determined to belong to a first encrypted segment in a first encrypted segment group (or referred to as a key transmission cycle or a life cycle), and an identification of a key of the target encrypted segment is determined according to an identification of a first key of the first encrypted segment and a first rule.
In a possible embodiment, the second device may use the identification of a key that was received most recently and carried on the data stream corresponding to the target encrypted segment as: identification of the key of the target encrypted segment.
Step 612, the second device determines whether the data stream carries an identifier of an initial vector of the target encrypted segment;
if yes, go to step 614; if not, go to step 613.
In a possible embodiment, step 612 may also be described as: the second device determines whether the target encrypted segment belongs to the third encrypted segment or the fourth encrypted segment. If the third encrypted segment belongs to the third encrypted segment, go to step 614; if the second segment belongs to the fourth encrypted segment, go to step 613.
If the third encrypted segment is the first encrypted segment in the second encrypted segment group, step 612 can also be described as: judging whether the target encryption segment belongs to a first encryption segment transmitted by a second encryption segment group, if so, determining that the target encryption segment belongs to a third encryption segment, and executing a step 614; if not, the target encrypted segment is determined to belong to a fourth encrypted segment, and step 613 is executed.
Step 613, the second device determines the identifier of the initial vector of the target encrypted segment according to the third initial vector and the second rule in the second encrypted segment group to which the target encrypted segment belongs.
If the third encrypted segment is the first encrypted segment in the second encrypted segment group, step 613 may also be described as: if the target encrypted segment is determined to belong to the first encrypted segment in the second encrypted segment group (or referred to as an initial vector transmission period), the identification of the initial vector of the target encrypted segment is determined according to the identification of the third initial vector of the third encrypted segment and a second rule, for example, a value obtained by directly adding (X +1) to the identification of the third initial vector of the third encrypted segment may be determined as the identification of the initial vector of the target encrypted segment, where X is used to indicate the number of encrypted segments spaced between the target encrypted segment and the third encrypted segment.
In a possible embodiment, the second device may use the identification of an initial vector that was received most recently and carried on the data stream corresponding to the target encrypted segment as: a third initial vector used to identify the initial vector of the target encrypted segment is determined.
And 614, the second device decrypts the target encryption segment by using the key identified by the identifier of the key of the target encryption segment determined by the second device and the initial vector identified by the identifier of the initial vector to obtain decrypted data.
In step 614, the key used by the second device for decryption is the key identified by the identifier of the key determined in step 610 or step 611, and the initial vector used by the second device for decryption is the initial vector identified by the identifier of the initial vector determined in step 612 or step 613.
Step 615, the second device calculates a check value to be checked according to the encrypted target encrypted segment, the key identified by the identifier of the key of the target encrypted segment determined by the second device, and the initial vector identified by the identifier of the initial vector of the target encrypted segment determined by the second device, and determines whether the check value to be checked calculated by the second device is consistent with the check value of the target encrypted segment carried in the data stream.
If yes, the verification is determined to be passed, and step 616 is executed; if not, the verification is determined to be failed, and step 617 is performed.
It should be noted that, in the embodiment of the present application, the step 614 and the step 615 are not in an absolute sequence, and the step 614 may be executed first and then the step 615 may be executed, or the step 615 may be executed first and then the step 614 is executed. Or step 614 and step 615 are executed synchronously or in an intersecting manner (for example, part of contents in the two steps of step 614 and step 615 may intersect), which is not particularly limited in the embodiments of the present application.
Step 616, determining that the decryption of the target encrypted segment is valid;
at step 617, it is determined that the decryption of the target encrypted segment is not valid.
Based on the above, in the embodiment of the present application, the data stream also carries the encryption parameters of the encrypted segment; wherein the encryption parameter may comprise a check value. In addition to the check value, one or more of the identification of the key and the identification of the initial vector may be included, or the identification of the key and the identification of the initial vector may not be included.
In a data stream, a data unit carrying an encryption parameter (e.g., a check value, a key identifier, or an initial vector identifier) may be one data unit, or may be multiple data units, and the multiple data units may be continuous or discontinuous. In one possible embodiment, the encryption parameters are carried between two adjacent encrypted segments of the data stream. In one possible embodiment, the data unit for carrying the identification of the first key: before the head data unit of the first encrypted segment and after the tail data unit of the previous encrypted segment of the first encrypted segment; or after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment. In one possible embodiment, the data unit for carrying the identification of the third initial vector: before the head data unit of the third encrypted segment and after the tail data unit of the previous encrypted segment of the third encrypted segment; or after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment. The encryption parameters of an encryption segment are carried in the data stream, and specifically, there are various ways of carrying the encryption parameters of the encryption segment, and the following describes, for an encryption segment, the position of the encryption parameters of the encryption segment carried in the data stream.
Example one, when only the check value is included in the encryption parameters of the encrypted segment. The data unit carrying the check value may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment.
It should be noted that, in the embodiments of the present application, a data unit before another data unit means: the data unit is sent first in the data transmission direction compared to the further data unit. In the embodiments of the present application, the fact that one data unit is located after another data unit means that: the data unit is then transmitted in the data transmission direction compared to the further data unit. For example, as shown in fig. 5a, it can be said that the header data unit of encrypted segment 1 is located before the header data unit of encrypted segment 2, and the header data unit of encrypted segment 2 is located after the header data unit of encrypted segment 1.
Example two, when the encryption parameters of the encrypted segment include the check value and the key identifier, the key identifier and the check value may be located on a segment of consecutive data units. Alternatively, one or several data units may be separated between the data unit carrying the key identification and the data unit carrying the check value. The data unit carrying the check value may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment. The data unit carrying the key identification may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment.
Fig. 6a is a schematic diagram illustrating an exemplary structure of a carrying mode of an encryption parameter, and as shown in fig. 6a, a code block carrying a key identifier and a code block carrying a check value are located on a continuous code block after a last end code block of an encryption segment. Fig. 6b is a schematic diagram illustrating another example of a structure of a carrying manner of an encryption parameter, and as shown in fig. 6b, a code block carrying a key identifier is located on a code block before a first head code block of an encrypted segment, and a code block carrying a check value is located on a code block after a last tail code block of the encrypted segment.
Example three, when the encryption parameters of the encrypted segment include a check value and an initial vector identifier, the initial vector identifier and the check value may be located on a segment of consecutive data units. Alternatively, the data unit carrying the initial vector identification and the data unit carrying the check value may be separated by one or several data units. The data unit carrying the check value may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment. The data unit carrying the initial vector may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment.
Fig. 6c is a schematic diagram illustrating a structure of a carrying manner of an encryption parameter, and as shown in fig. 6c, a code block carrying an initial vector identifier and a code block carrying a check value are located on a continuous code block after a last end code block of an encrypted segment. Fig. 6d exemplarily shows another structure diagram of a carrying manner of the encryption parameter, as shown in fig. 6d, a code block carrying an initial vector identifier is located on a code block before a first head code block of the encrypted segment, and a code block carrying a check value is located on a code block after a last tail code block of the encrypted segment.
Example four, when the encryption parameters of the encrypted segment include a check value, a key identifier and an initial vector identifier, where any two or three of the key identifier, the initial vector identifier and the check value may be located on a segment of consecutive data units; or, one or several data units are separated between any two of the data unit carrying the initial vector identification, the data unit carrying the check value and the data unit carrying the key identification. The data unit carrying the check value may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment. The data unit carrying the key identification may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment. The data unit carrying the initial vector may precede the header data unit of the encrypted segment; or may be located after the tail data unit of the encrypted segment.
Fig. 6e exemplarily shows a schematic diagram of a structure of a carrying mode of an encryption parameter, and as shown in fig. 6e, a code block carrying a key identifier, a code block carrying an initial vector identifier, and a code block carrying a check value are located on a continuous code block after a last end code block of an encryption segment. Fig. 6f illustrates another example of a structure diagram of a carrying manner of the encryption parameter, as shown in fig. 6f, a code block carrying an initial vector identifier and a code block carrying a key identifier are located on a continuous code block before a first head code block of the encrypted segment, and a code block carrying a check value is located on a code block after a last tail code block of the encrypted segment. Fig. 6g exemplarily shows another structure diagram of a carrying manner of the encryption parameter, and as shown in fig. 6g, a code block carrying the key identifier is located before a first head code block of the encrypted segment, and a code block carrying the initial vector identifier and a code block carrying the check value are located on a continuous code block after a last tail code block of the encrypted segment.
The data unit is taken as an example to illustrate in fig. 6a to 6e as a code block, when the data unit is Flit, the S code block in fig. 6a and 6b may be replaced by a head Flit, the T code block may be replaced by a tail code block, the D code block may be replaced by a data type Flit, and the O code block may be replaced by an operation maintenance management Flit, which is similar to the architecture in fig. 6a and 6b and is not repeated.
In a possible embodiment, the data unit type of the data unit carrying one encryption parameter (e.g. a check value, a key identification or an initial vector identification) may be various, and may be one or more of a header data unit, a data unit of the data type, a tail data unit and an operation maintenance management data unit, for example.
Fig. 7a is a schematic diagram illustrating the carrying position of an encryption parameter in a code block stream, and as shown in fig. 7a, the key identifier 401, the initial vector identifier 411 and the check value 421 of the encrypted segment 1 are located between the encrypted segment 1 and the encrypted segment 2.
As shown in fig. 7a, in one possible embodiment, the key identifier 401, the initial vector identifier 411, and the check value 421 are carried on a segment of consecutive code blocks, and the code block types of the segment of consecutive code blocks include a header code block, a data code block, and a trailer code block.
As shown in fig. 7a, in a second possible embodiment, the key identifier 401, the initial vector identifier 411 and the check value 421 are carried on a continuous code block, and the code block type of the continuous code block includes one or several data code blocks and O code blocks. In this embodiment, the O code block may be located at the end of one or several data code blocks.
As shown in fig. 7a, in a third possible embodiment, the key identifier 401, the initial vector identifier 411, and the check value 421 are carried on a segment of continuous code blocks, and the code block types of the segment of continuous code blocks include O code blocks. In one possible embodiment, the O code blocks carrying the key identification 401, the initial vector identification 411 and the check value 421 may be the same type of O code blocks. In another possible embodiment, the O code blocks carrying the key identifier 401, the initial vector identifier 411 and the check value 421 may be different types of O code blocks. Fig. 7b illustrates a structural diagram of an O code block, and as shown in fig. 7b, 10-17 bits of the O code block (bits 0x4B of the code block) include a subtype field that may fill in different values for distinguishing different types of O code blocks. For example, the value of the subtype field of the O-code block carrying the key identifier 401 is 01, the value of the subtype field of the O-code block carrying the initial vector identifier 411 is 10, and the value of the subtype field of the O-code block carrying the check value 421 is 11, so that the second device may determine whether the current O-code block carries the key identifier, the initial vector identifier, or the check value according to the value of the subtype field after receiving the O-code block. Further, as shown in FIG. 7b, specific encryption parameters may be carried in 18-25 bits, 26-33 bits, 42-49 bits, and 50-57 bits of an O code block. When one encryption parameter requires multiple code blocks to carry, for example, a key identifier requires two O code blocks to carry, the two code blocks carrying the key identifier can be distinguished and associated by the sequence numbers of the 58-65 bit regions of the two O code blocks. Further, optionally, the 58-65 bit regions of the two O code blocks may also carry a CRC, so that the device receiving the O code block checks the O code block.
Fig. 7c is a schematic diagram illustrating the carrying positions of encryption parameters in a data stream, and as shown in fig. 7c, the key identifier 401, the initial vector identifier 411, and the check value 421 of the encrypted segment 1 are located between the encrypted segment 1 and the encrypted segment 2.
As shown in fig. 7c, in one possible embodiment, the key identifier 401, the initial vector identifier 411, and the check value 421 are carried on a continuous piece of Flit, and the Flit types of the continuous piece of Flit include a header Flit, a Flit of a data type, and a tail Flit.
As shown in fig. 7c, in a second possible embodiment, the key identifier 401, the initial vector identifier 411, and the check value 421 are carried on a continuous piece of Flit, and the Flit types of the continuous piece of Flit include one or several data types of flits and operation maintenance management flits. In this embodiment, the operation maintenance management Flit may be located at the tail of a Flit of one or several data types.
As shown in fig. 7c, in a third possible embodiment, the key identifier 401, the initial vector identifier 411, and the check value 421 are carried on a continuous piece of Flit, and the Flit types of the continuous piece of Flit include operation maintenance management Flit. In one possible embodiment, the operation maintenance management Flit carrying the key identification 401, the initial vector identification 411 and the check value 421 may be the same type of operation maintenance management Flit. In another possible embodiment, the operation maintenance management Flit carrying the key identifier 401, the initial vector identifier 411 and the check value 421 may be different types of operation maintenance management flits. In the embodiment of the present application, the operation maintenance management Flit may include one or more types of operation maintenance management flits, which is equivalent to that the operation maintenance management flits are classified again. For example, an area may be added to the operation maintenance management Flit, for example, several bits may be selected from the third area in fig. 3d to carry some information, and when one Flit is the operation maintenance management Flit, it may be determined, according to information carried by a specific bit in the third area, which type of operation maintenance management Flit the operation maintenance management Flit belongs to.
The terms "system" and "network" in the embodiments of the present application may be used interchangeably. "at least one" means one or more, "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
And, unless specifically stated otherwise, the embodiments of the present application refer to the ordinal numbers "first", "second", etc., for distinguishing between a plurality of objects, and do not limit the order, sequence, priority, or importance of the plurality of objects. For example, the first key and the second key are only used for distinguishing different keys, and do not indicate the difference in priority, importance, or the like between the two keys.
According to the foregoing method, fig. 8 is a schematic structural diagram of a communication apparatus provided in this embodiment of the present application, and as shown in fig. 8, the communication apparatus may be a network device, or may be a chip or a circuit, such as a chip or a circuit that may be disposed in a network device. The communication device may be the first device or the second device in the above description.
Further, the communication device 1301 may further include a bus system, wherein the processor 1302, the memory 1304, and the transceiver 1303 may be connected via the bus system.
It should be understood that the processor 1302 may be a chip. For example, the processor 1302 may be a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 1302. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor, or in a combination of the hardware and software modules in the processor 1302. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in the memory 1304, and the processor 1302 reads the information in the memory 1304 and performs the steps of the above method in combination with hardware thereof.
It should be noted that the processor 1302 in the embodiment of the present application may be an integrated circuit chip having signal processing capability. In implementation, the steps of the above method embodiments may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The storage medium is located in a memory, and a processor reads information in the memory and completes the steps of the method in combination with hardware of the processor.
It will be appreciated that the memory 1304 in the subject embodiment can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), double data rate SDRAM, enhanced SDRAM, SLDRAM, Synchronous Link DRAM (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In the case that the communication apparatus 1301 corresponds to the first device in the method, the communication apparatus may include a processor 1302, a transceiver 1303, and a memory 1304. The memory 1304 is configured to store instructions, and the processor 1302 is configured to execute the instructions stored by the memory 1304 to implement any one or more of the corresponding methods described above with respect to the first device in fig. 2-7 b.
When the communication device 1301 is the first apparatus, the processor 1302 is configured to generate a data stream; a transceiver 1303 for transmitting a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; the N encrypted segments comprise at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, wherein M1 is zero or a positive integer, and the data stream carries an identifier of a first key for encrypting the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment; the N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, wherein M2 is zero or a positive integer, and the data stream carries an identifier of a third initial vector for encrypting the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted the fourth encrypted segment.
When the communication device 1301 is the second apparatus, the transceiver 1303 is configured to receive a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; a processor 1302 for, for one encrypted segment of the N encrypted segments: under the condition that the identification of the key for encrypting the encrypted segment is not carried in the data stream, the identification of the key for encrypting the encrypted segment is determined according to the identification of the first key carried in the data stream; under the condition that the identifier of the initial vector for encrypting the encrypted segment is not carried in the data stream, determining the identifier of the initial vector for encrypting the encrypted segment according to the identifier of a third initial vector carried in the data stream; and the receiving end decrypts the encrypted segment by adopting the key and the initial vector for encrypting the encrypted segment to obtain decrypted data.
For the related content in the data stream, reference may be made to the description in the foregoing embodiments, and further description is omitted here.
For the concepts, explanations, details and other steps related to the technical solutions provided in the embodiments of the present application related to the communication device, please refer to the descriptions of the foregoing methods or other embodiments, which are not repeated herein.
Fig. 9 is a schematic structural diagram of a communication apparatus provided in an embodiment of the present application according to the foregoing method, and as shown in fig. 9, the communication apparatus 1401 may include a communication interface 1403, a processor 1402, and a memory 1404. A communication interface 1403 for inputting and/or outputting information; a processor 1402, configured to execute a computer program or an instruction, to enable the communication apparatus 1401 to implement the method of the first device side in the related schemes of fig. 2 to 7b, or to enable the communication apparatus 1401 to implement the method of the second device side in the related schemes of fig. 2 to 7 b. In this embodiment of the application, the communication interface 1403 may implement the scheme implemented by the transceiver 1303 in fig. 8, the processor 1402 may implement the scheme implemented by the processor 1302 in fig. 8, and the memory 1404 may implement the scheme implemented by the memory 1304 in fig. 8, which is not described herein again.
Based on the above embodiments and the same concept, fig. 10 is a schematic diagram of a communication apparatus provided in an embodiment of the present application, and as shown in fig. 10, the communication apparatus 1501 may be a first device or a second device, or may be a chip or a circuit, for example, a chip or a circuit that may be disposed on the first device or the second device.
The communication device may correspond to the first apparatus in the above method. The communication apparatus may implement the steps performed by the first device in any one or any number of corresponding methods as shown in figures 2 to 7b above. The communication device may include a processing unit 1502 and a transceiving unit 1503.
When the communication apparatus 1501 is the above-described first device, the processing unit 1502 is configured to generate a data stream; a transceiving unit 1503 configured to transmit a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; the N encrypted segments comprise at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, wherein M1 is zero or a positive integer, and the data stream carries an identifier of a first key for encrypting the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment; the N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, wherein M2 is zero or a positive integer, and the data stream carries an identifier of a third initial vector for encrypting the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted the fourth encrypted segment.
When the communication device 1501 is the second device, the transceiving unit 1503 is configured to receive a data stream; wherein, the data stream includes N encrypted segments, N is a positive integer greater than 1, and an encrypted segment includes: a segment of consecutive data units starting with a head data unit and ending with a tail data unit; a processing unit 1502 configured to, for one encrypted segment of the N encrypted segments: under the condition that the identification of the key for encrypting the encrypted segment is not carried in the data stream, the identification of the key for encrypting the encrypted segment is determined according to the identification of the first key carried in the data stream; under the condition that the identifier of the initial vector for encrypting the encrypted segment is not carried in the data stream, determining the identifier of the initial vector for encrypting the encrypted segment according to the identifier of a third initial vector carried in the data stream; and the receiving end decrypts the encrypted segment by adopting the key and the initial vector for encrypting the encrypted segment to obtain decrypted data.
For the related content in the data stream, reference may be made to the description in the foregoing embodiments, and further description is omitted here.
For the concepts, explanations, details and other steps related to the technical solutions provided in the embodiments of the present application related to the communication device, please refer to the descriptions of the foregoing methods or other embodiments, which are not repeated herein.
It is to be understood that the functions of the units in the communication apparatus 1501 can refer to the implementation of the corresponding method embodiments, and are not described herein again.
It should be understood that the above division of the units of the communication device is only a division of logical functions, and the actual implementation may be wholly or partially integrated into one physical entity or may be physically separated. In this embodiment of the application, the transceiver unit 1503 may be implemented by the transceiver 1303 in fig. 8, and the processing unit 1502 may be implemented by the processor 1302 in fig. 8.
According to the method provided by the embodiment of the present application, the present application further provides a computer program product, which includes: computer program code or instructions which, when run on a computer, cause the computer to perform the method of any one of the embodiments shown in figures 2 to 7 b.
According to the method provided by the embodiment of the present application, the present application further provides a computer-readable storage medium storing program code, which when run on a computer, causes the computer to execute the method of any one of the embodiments shown in fig. 2 to 7 b.
According to the method provided by the embodiment of the present application, the present application further provides a system, which includes the aforementioned one or more first devices and one or more second devices.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The processes or functions according to the embodiments of the present application are generated in whole or in part when the computer instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a Digital Video Disk (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
The network device in the foregoing various apparatus embodiments corresponds to the terminal device or the network device in the terminal device and method embodiments, and the corresponding module or unit executes the corresponding steps, for example, the communication unit (transceiver) executes the steps of receiving or transmitting in the method embodiments, and other steps besides transmitting and receiving may be executed by the processing unit (processor). The functions of the specific elements may be referred to in the respective method embodiments. The number of the processors may be one or more.
As used in this specification, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from two components interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
Those of ordinary skill in the art will appreciate that the various illustrative logical blocks and steps (step) described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (30)
1. A method of data transmission, comprising:
generating a data stream;
transmitting the data stream;
wherein the data stream includes N encrypted segments, N being a positive integer greater than 1, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit;
the N encrypted segments include at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, where the data stream carries an identifier of a first key used to encrypt the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment;
the N encrypted segments include at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, where the data stream carries an identifier of a third initial vector that encrypts the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted that fourth encrypted segment;
the M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer.
2. The method of claim 1, wherein a data unit for carrying the identification of the first key satisfies one of the following conditions:
before a head data unit of the first encrypted segment and after a tail data unit of a previous encrypted segment of the first encrypted segment;
after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment;
the data unit for carrying the identification of the third initial vector satisfies one of the following conditions:
before a head data unit of the third encrypted segment and after a tail data unit of a previous encrypted segment of the third encrypted segment;
after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment.
3. The method of claim 1 or 2, wherein the data stream also carries a check value for each of the N encrypted segments.
4. The method of claim 3, wherein when the data stream also carries an identification of a first initial vector that encrypts the first encrypted segment, then:
the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions:
carried on a continuous segment of data units;
the data unit is loaded on a section of continuous data units, and the section of continuous data units comprise a head data unit, a data unit of a data type and a tail data unit;
the data management system is loaded on a section of continuous data units, and the section of continuous data units comprise operation maintenance management data units;
the data type management unit is loaded on a section of continuous data units, and the section of continuous data units comprises a data type data unit and an operation maintenance management data unit.
5. The method of any one of claims 1-4, wherein, for each of the M1 second encrypted segments corresponding to the first encrypted segment, a second key identification that encrypts the second encrypted segment and the first key identification satisfy a first rule;
for each of the M2 fourth encrypted segments corresponding to the third encrypted segment, a second rule is satisfied by the fourth initial vector identifier and the third initial vector identifier used for encrypting the fourth encrypted segment.
6. The method of claim 5, wherein the first rule comprises: for each of the M1 second encrypted segments, the second key identification used to encrypt the second encrypted segment is the same as the first key identification;
the second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of a third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment, and a third rule.
7. The method of any one of claims 1-6, wherein (1+ M1) of the N encrypted segments include:
k third encrypted segments, and M2 fourth encrypted segments corresponding to each of the K third encrypted segments, the K being a positive integer, the M2 being a positive integer no greater than the M1;
wherein the (1+ M1) encrypted segments include the first encrypted segment and M1 second encrypted segments to which the first encrypted segment corresponds.
8. A method of data transmission, comprising:
receiving a data stream; wherein the data stream includes N encrypted segments, N being a positive integer greater than 1, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit;
for one encrypted segment of the N encrypted segments, performing:
under the condition that the data stream does not bear the identification of the key for encrypting the encrypted segment, determining the identification of the key for encrypting the encrypted segment according to the identification of the first key borne in the data stream;
under the condition that the data stream does not bear the identifier of the initial vector used for encrypting the encrypted segment, determining the identifier of the initial vector used for encrypting the encrypted segment according to the identifier of a third initial vector borne in the data stream;
and the receiving end decrypts the encrypted segment by adopting the key and the initial vector for encrypting the encrypted segment to obtain decrypted data.
9. The method of claim 8, wherein for one of the N encrypted segments:
the N encryption segments comprise at least one first encryption segment and M1 second encryption segments corresponding to the first encryption segment, and the identifier of a first key and the identifier of a second key meet a first rule, wherein the identifier of the first key is the identifier of the key for encrypting the first encryption segment; the second key identification is identification of a key for encrypting one of the M1 second encrypted segments;
the N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, and the identifier of a third initial vector and the identifier of a fourth initial vector meet a second rule, wherein the identifier of the third initial vector is the identifier of the initial vector used for encrypting the third encrypted segment; the identification of the fourth initial vector is the identification of the initial vector used for encrypting one fourth encryption segment in the M2 fourth encryption segments;
the M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer.
10. The method of claim 9, wherein the first rule comprises: for each of the M1 second encrypted segments, the second key identification used to encrypt the second encrypted segment is the same as the first key identification;
the second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of a third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment, and a third rule.
11. The method of any one of claims 9-10, wherein (1+ M1) of the N encrypted segments include:
k third encrypted segments, and M2 fourth encrypted segments corresponding to each of the K third encrypted segments, the K being a positive integer, the M2 being a positive integer no greater than the M1;
wherein the (1+ M1) encrypted segments include the first encrypted segment and M1 second encrypted segments to which the first encrypted segment corresponds.
12. A method according to any of claims 9-11, wherein the data unit carrying the identity of the first key satisfies one of the following conditions:
before a head data unit of the first encrypted segment and after a tail data unit of a previous encrypted segment of the first encrypted segment;
after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment;
the data unit for carrying the identification of the third initial vector satisfies one of the following conditions:
before a head data unit of the third encrypted segment and after a tail data unit of a previous encrypted segment of the third encrypted segment;
after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment.
13. The method of any one of claims 9-12, wherein the data stream also carries a check value for each of the N encrypted segments.
14. The method of claim 13, wherein when the data stream also carries an identification of a first initial vector that encrypted the first encrypted segment, then:
the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions:
carried on a continuous segment of data units;
the data type data unit is loaded on a section of continuous data units, and the section of continuous data units comprise a head data unit, a data type data unit and a tail data unit;
the data management system is loaded on a section of continuous data units, and the section of continuous data units comprise operation maintenance management data units;
the data type management unit is loaded on a section of continuous data units, and the section of continuous data units comprises a data type data unit and an operation maintenance management data unit.
15. An apparatus, comprising:
a processor for generating a data stream;
a transceiver for transmitting the data stream;
wherein the data stream includes N encrypted segments, N being a positive integer greater than 1, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit;
the N encrypted segments include at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, where the data stream carries an identifier of a first key used to encrypt the first encrypted segment; for each of the M1 second encrypted segments, the data stream does not carry an identification of a second key that encrypted the second encrypted segment;
the N encrypted segments include at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, where the data stream carries an identifier of a third initial vector that encrypts the third encrypted segment; for each of the M2 fourth encrypted segments, the data stream does not carry an identification of a fourth initial vector that encrypted that fourth encrypted segment;
the M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer.
16. The apparatus of claim 15, wherein a data unit for carrying the identification of the first key satisfies one of the following conditions:
before a head data unit of the first encrypted segment and after a tail data unit of a previous encrypted segment of the first encrypted segment;
after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment;
the data unit for carrying the identification of the third initial vector satisfies one of the following conditions:
before a head data unit of the third encrypted segment and after a tail data unit of a previous encrypted segment of the third encrypted segment;
after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment.
17. The device of claim 15 or 16, wherein the data stream also carries a check value for each of the N encrypted segments.
18. The apparatus of claim 17, wherein when the data stream also carries an identification of a first initial vector that encrypts the first encrypted segment, then:
the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions:
carried on a continuous segment of data units;
the data unit types of the continuous data units comprise a head data unit, a data unit of the data type and a tail data unit;
the data unit type of the continuous data unit comprises an operation maintenance management data unit;
the data unit type of the continuous data unit comprises a data unit of the data type and an operation maintenance management data unit.
19. The apparatus of any one of claims 15-18, wherein for each of the M1 second encrypted segments for which the first encrypted segment corresponds, a second key identification that encrypts the second encrypted segment and the first key identification satisfy a first rule;
for each of the M2 fourth encrypted segments corresponding to the third encrypted segment, a second rule is satisfied by the fourth initial vector identifier and the third initial vector identifier used for encrypting the fourth encrypted segment.
20. The apparatus of claim 19, wherein the first rule comprises: for each of the M1 second encrypted segments, the second key identification used to encrypt the second encrypted segment is the same as the first key identification;
the second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of a third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment, and a third rule.
21. The apparatus of any one of claims 15-20, wherein (1+ M1) of the N encrypted segments include:
k third encrypted segments, and M2 fourth encrypted segments corresponding to each of the K third encrypted segments, the K being a positive integer, the M2 being a positive integer no greater than the M1;
wherein the (1+ M1) encrypted segments include the first encrypted segment and M1 second encrypted segments to which the first encrypted segment corresponds.
22. An apparatus, comprising:
a transceiver for receiving a data stream; wherein the data stream includes N encrypted segments, N being a positive integer greater than 1, one encrypted segment including: a segment of consecutive data units starting with a head data unit and ending with a tail data unit;
a processor to perform:
for one encrypted segment of the N encrypted segments:
under the condition that the data stream does not bear the identification of the key for encrypting the encrypted segment, determining the identification of the key for encrypting the encrypted segment according to the identification of the first key borne in the data stream;
under the condition that the data stream does not bear the identifier of the initial vector used for encrypting the encrypted segment, determining the identifier of the initial vector used for encrypting the encrypted segment according to the identifier of a third initial vector borne in the data stream;
and the receiving end decrypts the encrypted segment by adopting the key and the initial vector for encrypting the encrypted segment to obtain decrypted data.
23. The apparatus of claim 23, wherein for one of the N encrypted segments:
the N encrypted segments comprise at least one first encrypted segment and M1 second encrypted segments corresponding to the first encrypted segment, wherein M1 is zero or a positive integer, and the identifier of a first key and the identifier of a second key meet a first rule, and the identifier of the first key is the identifier of a key used for encrypting the first encrypted segment; the second key identification is identification of a key for encrypting one of the M1 second encrypted segments;
the N encrypted segments comprise at least one third encrypted segment and M2 fourth encrypted segments corresponding to the third encrypted segment, wherein M2 is zero or a positive integer, and the identifier of a third initial vector and the identifier of a fourth initial vector satisfy a second rule, and the identifier of the third initial vector is the identifier of an initial vector used for encrypting the third encrypted segment; the identification of the fourth initial vector is the identification of the initial vector used for encrypting one fourth encryption segment in the M2 fourth encryption segments;
the M1 is zero or a positive integer, the M2 is zero or a positive integer, and at least one of the M1 and the M2 is a positive integer.
24. The apparatus of claim 23, wherein the first rule comprises: for each of the M1 second encrypted segments, the second key identification used to encrypt the second encrypted segment is the same as the first key identification;
the second rule includes: for each of the M2 fourth encrypted segments, an identification of a fourth initial vector encrypting the fourth encrypted segment: and determining according to the identification of a third initial vector for encrypting the third encrypted segment, the number of the encrypted segments spaced between the fourth encrypted segment and the third encrypted segment, and a third rule.
25. The apparatus of any one of claims 23-24, wherein (1+ M1) of the N encrypted segments include:
k third encrypted segments, and M2 fourth encrypted segments corresponding to each of the K third encrypted segments, the K being a positive integer, the M2 being a positive integer no greater than the M1;
wherein the (1+ M1) encrypted segments include the first encrypted segment and M1 second encrypted segments to which the first encrypted segment corresponds.
26. The apparatus of any one of claims 23-25, wherein the data unit for carrying the identification of the first key satisfies one of the following conditions:
before a head data unit of the first encrypted segment and after a tail data unit of a previous encrypted segment of the first encrypted segment;
after the tail data unit of the first encrypted segment and before the head data unit of the next encrypted segment of the first encrypted segment;
the data unit for carrying the identification of the third initial vector satisfies one of the following conditions:
before a head data unit of the third encrypted segment and after a tail data unit of a previous encrypted segment of the third encrypted segment;
after the tail data unit of the third encrypted segment and before the head data unit of the next encrypted segment of the third encrypted segment.
27. The method of any one of claims 23-26, wherein a check value for each of the N encrypted segments is also carried in the data stream.
28. The apparatus of claim 27, wherein when the data stream also carries an identification of a first initial vector that encrypts the first encrypted segment, then:
the identification of the first key, the identification of the first initial vector, and the check value of the first encrypted segment satisfy one of the following conditions:
carried on a continuous segment of data units;
the data unit types of the continuous data units comprise a head data unit, a data unit of the data type and a tail data unit;
the data unit type of the continuous data unit comprises an operation maintenance management data unit;
the data unit type of the continuous data unit comprises a data unit of the data type and an operation maintenance management data unit.
29. A communication apparatus, the apparatus comprising a processor and a communication interface,
the communication interface is used for inputting and/or outputting information;
the processor configured to execute a computer program such that the method of any of claims 1-14 is performed.
30. A computer-readable storage medium, characterized in that it stores a computer-executable program which, when invoked by a computer, causes the computer to perform the method according to any one of claims 1 to 14.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010435052.7A CN113709084A (en) | 2020-05-21 | 2020-05-21 | Data transmission method, data transmission equipment and readable storage medium |
| PCT/CN2021/092990 WO2021233162A1 (en) | 2020-05-21 | 2021-05-11 | Data transmission method and device, and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010435052.7A CN113709084A (en) | 2020-05-21 | 2020-05-21 | Data transmission method, data transmission equipment and readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113709084A true CN113709084A (en) | 2021-11-26 |
Family
ID=78646036
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010435052.7A Pending CN113709084A (en) | 2020-05-21 | 2020-05-21 | Data transmission method, data transmission equipment and readable storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN113709084A (en) |
| WO (1) | WO2021233162A1 (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004056112A1 (en) * | 2002-12-16 | 2004-07-01 | Koninklijke Philips Electronics N.V. | Method and apparatus to encrypt video data streams |
| KR101088420B1 (en) * | 2004-02-13 | 2011-12-08 | 아이비아이 스마트 테크놀로지스 인코포레이티드 | Method and apparatus for cryptographically processing data |
| US9537657B1 (en) * | 2014-05-29 | 2017-01-03 | Amazon Technologies, Inc. | Multipart authenticated encryption |
| US9397833B2 (en) * | 2014-08-27 | 2016-07-19 | International Business Machines Corporation | Receipt, data reduction, and storage of encrypted data |
| CN108965302B (en) * | 2018-07-24 | 2021-10-15 | 苏州科达科技股份有限公司 | Media data transmission system, method, device and storage medium |
-
2020
- 2020-05-21 CN CN202010435052.7A patent/CN113709084A/en active Pending
-
2021
- 2021-05-11 WO PCT/CN2021/092990 patent/WO2021233162A1/en active Application Filing
Also Published As
| Publication number | Publication date |
|---|---|
| WO2021233162A1 (en) | 2021-11-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9596075B2 (en) | Transparent serial encryption | |
| US9674204B2 (en) | Compact and efficient communication security through combining anti-replay with encryption | |
| US10182039B2 (en) | Encrypted and authenticated data frame | |
| Homsirikamol et al. | Caesar hardware api | |
| US7398386B2 (en) | Transparent IPSec processing inline between a framer and a network component | |
| US9374218B2 (en) | Method for conducting data encryption and decryption using symmetric cryptography algorithm and table look-up device | |
| WO2021022794A1 (en) | Rdma-based data transmission method, network card, server and medium | |
| CN109417533B (en) | Method for transmitting data and forwarding device | |
| US10686587B2 (en) | Method for safeguarding the information security of data transmitted via a data bus and data bus system | |
| US20190372948A1 (en) | Scalable flow based ipsec processing | |
| US6980649B1 (en) | Hardware-based encryption/decryption employing dual ported memory and fast table initialization | |
| US10797859B2 (en) | Low area optimization for NB-IoT applications | |
| CN115549895A (en) | Encryption transmission method and device | |
| Chavez et al. | Achieving confidentiality security service for can | |
| McGrew | Low power wireless scenarios and techniques for saving bandwidth without sacrificing security | |
| CN113709084A (en) | Data transmission method, data transmission equipment and readable storage medium | |
| CN114826748B (en) | Audio and video stream data encryption method and device based on RTP, UDP and IP protocols | |
| JP4395527B2 (en) | Information processing device | |
| KR102538061B1 (en) | System and method for transmitting security of medical information data | |
| CN110830152B (en) | Method for receiving code block stream, method for transmitting code block stream and communication device | |
| WO2020063350A1 (en) | Quantum key distribution method and device | |
| CN117560226B (en) | Method and device for data transmission through VPN | |
| CN115225296B (en) | Encrypted data transmission method and related equipment | |
| Wiemer et al. | Enabling Secure Communication for Automotive Endpoint-ECUs through Lightweight-Cryptography | |
| Henzen et al. | FPGA implementation of a 2G fibre channel link encryptor with authenticated encryption mode GCM |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |