CN113746861A - Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology - Google Patents


Info

Publication number: CN113746861A
Authority: CN (China)
Prior art keywords: encryption, data, session key, length, decryption
Legal status: Granted
Application number: CN202111070285.2A
Other languages: Chinese (zh)
Other versions: CN113746861B (en)
Inventor: 涂健健
Current Assignee: Nanjing Shouchuan Xinan Technology Co ltd
Original Assignee: Nanjing Shouchuan Xinan Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data transmission encryption and decryption method and an encryption and decryption system based on Chinese national cryptographic algorithms. The encryption process comprises the following steps: acquiring data from an internal network port; obtaining the IP five-tuple from the data message; looking up the session to which the five-tuple belongs; checking the validity of the session key and, if the session key is invalid, performing key agreement between the internal network port and the external network port to form the session key; if the session key is valid, checking the length of the data message against the block length of the session-key block cipher; block-encrypting the data message with the session key to generate an encrypted payload; and sending the IP message and the encrypted payload to an external network port. The decryption process comprises the following steps: acquiring data from an external network port, performing the same processing as in the encryption process, and decrypting after the block-length check to obtain the plaintext payload. The invention secures data transmission at the enterprise network boundary without changing the quality of the original network and communication, and the cryptographic algorithm is independently controllable.

Description

Data transmission encryption and decryption method and encryption and decryption system based on state encryption technology
Technical Field
The invention relates to the technical field of internal and external network data transmission encryption, in particular to a data transmission encryption and decryption method and an encryption and decryption system based on a national encryption technology.
Background
When an external network accesses an enterprise's intranet resource data, remote access control technology is generally adopted to deal with network security: it manages the identity and authority of the accessor and provides encryption protection for the accessed data in transit. Existing network transmission security schemes are generally implemented as hardware VPNs, software VPNs and the like, and can be further divided by protocol type into PPTP, L2TP, IPSec VPN, SSL VPN and so on; at present enterprises mostly adopt IPSec VPN and SSL VPN.
1) The IPSec VPN scheme provides a secure communication channel between two private networks over a public network. It performs key agreement through IKE, establishes a bidirectional SA, and provides identity authentication of the accessing client, encryption of transmitted data, and anti-replay and anti-attack protection, establishing an encrypted channel to secure the connection. Because the IPSec VPN is built at the network layer, any local area network application can be accessed through an IPSec tunnel; it is more widely applicable than other schemes and better suited to managing network authority. However, an IPSec VPN requires modifying the user's network: the network structure must be changed when the IPSec security gateway is deployed, the newly added security gateway must be deployed, and the NAT devices and WAF products in the network must be reconfigured and redeployed accordingly, which results in high cost and complex maintenance for the user.
2) The SSL VPN scheme is a VPN technology that establishes a remote secure access channel based on the Secure Sockets Layer (SSL). Its advantages are simple use and quick rollout: no complex client installation is required, since the SSL protocol is generally embedded in the browser. SSL provides security protection for layer-four and layer-seven data and, owing to the limitations of the SSL protocol, supports only TCP (Transmission Control Protocol). Compared with hardware devices and network-layer IPSec, its performance is far lower than that of devices using the IPSec protocol, and it cannot support protocols commonly used on the IP layer such as UDP (User Datagram Protocol). In addition, SSL devices and clients have poor support for the national cryptographic algorithms, which limits their use for Chinese enterprises with national-cryptography requirements.
Disclosure of Invention
Purpose of the invention: the invention aims to provide a data transmission encryption and decryption method and an encryption and decryption system based on national cryptographic technology that can be flexibly deployed at any node in an enterprise network without network modification or redeployment of other network equipment, that secure data transmission at the enterprise network boundary without changing the quality of the original network and communication, and whose cryptographic algorithm is independently controllable, thereby meeting the relevant national security specifications and requirements.
Technical scheme: the invention provides a data transmission encryption method based on national cryptographic technology, which comprises the following steps:
(1) acquiring data from an internal network port;
(2) obtaining the IP five-tuple from the data message;
(3) looking up the session to which the five-tuple belongs; if the session does not exist, creating a new session, and if the session exists, executing step (4);
(4) checking the validity of the session key; if the session key is invalid, performing key agreement between the internal network port and the external network port to form the session key, and if the session key is valid, executing step (5);
(5) checking the length of the data message against the block length of the session-key block cipher;
(6) block-encrypting the data message with the session key to generate an encrypted payload;
(7) sending the IP message and the encrypted payload to an external network port.
As a further improvement of the above technical solution, step (1) further includes querying the ACL port configuration information and the ACL processing mode, the processing modes being: transparent transmission, encryption and decryption, and discarding.
Further, the key agreement using the IKE algorithm in step (4) includes the following states. Ready state: the sender initiates negotiation by proposing values for the security parameters. Negotiation started: if the responder accepts none of the proposed values, return to the ready state; otherwise the responder selects acceptable security parameters and the protocol is selected. Protection suite selected: if the selected protocol is not among the proposed protocols, return to the ready state; otherwise the sender sends the key material and the necessary auxiliary data. Key material exchange started: if the key format is wrong, return to the ready state; otherwise the responder sends its key material and the necessary auxiliary data, the DH exchange is completed, and the SKEYID-related material is calculated. Key material exchange finished: if the key format is wrong, return to the ready state; otherwise the exchange is finished and the sender sends its identity information. Identity authentication: if the sender's identity is incorrect, return to the ready state; otherwise the responder sends its identity information. ISAKMP SA establishment: if the responder's identity is incorrect, return to the ready state; otherwise the ISAKMP SA is successfully established.
Further, let the length of the data message be n + m, the block length of the session-key block cipher be k, and the final encrypted payload be M. Step (5) checks whether the length of the data message is an integer multiple of the block length: if it is, the data message is valid data and step (6.1) is executed; if the length of the data message is not an integer multiple of the block length, step (6.2) is executed; if the data message is too short, step (6.3) is executed;
(6.1) the valid data of the data message is n, with m = 0 and n an integer multiple of the block length k: n is block-encrypted with the session key to obtain a valid encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified;
(6.2) the valid data of the data message is n, with n/k >= 1, n % k = m and 0 < m < k: first, data of length n1 at the tail of the valid data n is taken for encryption, where m + n1 = k; second, the data of length n is block-encrypted with the session key to obtain the final encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified;
(6.3) the valid data of the data message is n, with n < k: m + 1 bytes are appended after n so that n + m + 1 = 2k after padding, and the padded data is encrypted to obtain the valid encrypted payload M, with M > n and M = k; the length in the IP header field is modified, and the IP header field and the checksum are recalculated.
The data transmission decryption method based on national cryptographic technology comprises the following steps:
(1) acquiring data from an external network port;
(2) obtaining the IP five-tuple from the data message;
(3) looking up the session to which the five-tuple belongs; if the session does not exist, creating a new session, and if the session exists, executing step (4);
(4) checking the validity of the session key; if the session key is invalid, performing key agreement between the internal network port and the external network port to form the session key, and if the session key is valid, executing step (5);
(5) checking the length of the data message against the block length of the session-key block cipher;
(6) block-decrypting the data message with the session key to restore the plaintext payload;
(7) sending the IP message and the plaintext payload to the internal network port.
Further, let the length of the data message be n + m, the block length of the session-key block decryption be k, and the plaintext payload finally obtained by decryption be M. Step (5) checks whether the length of the data message is an integer multiple of the block length: if the data message is not an integer multiple of the block length, step (6.1) is executed; if the data message is twice the block length, step (6.2) is executed; in all other cases step (6.3) is executed;
(6.1) the payload data is n, with n % k = m and 0 < m < k: n is decrypted with the session key to obtain a valid payload M1, the last n1 bytes are taken from M1, where n1 + m = k, and decryption with the session key yields the final plaintext payload M;
(6.2) the payload data is n, with n = 2k: first, n is decrypted with the session key to obtain a valid payload M1; second, the last byte n1 of M1 is taken; if n1 > k and the k-1 bytes before n1 are zero, then the first 2k-n1 bytes of M1 are the plaintext payload M, the length in the IP header field is modified, and the IP header field and the checksum are recalculated; if these conditions are not met, M1 is the plaintext payload M and the IP header field does not need to be modified;
(6.3) the payload data is n, where n is exactly divisible by k: the plaintext payload M is obtained by decrypting n with the session key.
The data transmission encryption and decryption system based on national cryptographic technology is used to implement the above encryption and decryption processes and comprises a first encryption and decryption device, a second encryption and decryption device and a switch: the first encryption and decryption device is connected to an internal network port, the second encryption and decryption device is connected to an external network port, and the first encryption and decryption device is connected to the second encryption and decryption device through the switch. The first encryption and decryption device encrypts and decrypts data transmitted from the internal network port to the external network port, and the second encryption and decryption device encrypts and decrypts data transmitted from the external network port to the internal network port.
The first encryption and decryption device and the second encryption and decryption device each comprise: an ACL port query unit, for querying the ACL port configuration information and processing mode; an IP five-tuple query unit, for obtaining the source IP, source port, destination IP, destination port and protocol type of the IP message; a session query unit, for looking up the session to which the five-tuple belongs and creating a new session if none exists; a session key checking unit, for checking the validity of the session key; an IKE key negotiation unit, for negotiating the session key when the session key is invalid; a data message length detection unit, for checking whether the length of the data message is an integer multiple of the session-key block length; an encryption unit, for encrypting the data message with the session key to generate an encrypted payload; and a decryption unit, for decrypting the data message with the session key to generate a plaintext payload.
Further, let the length of the data message be n + m, the block length of the session-key block encryption or decryption be k, and the final encrypted payload or plaintext payload be M;
the encryption process of the encryption unit is as follows: when the valid data of the data message is n, with m = 0 and n an integer multiple of k, n is block-encrypted with the session key to obtain a valid encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified. When the valid data of the data message is n, with n/k >= 1, n % k = m and 0 < m < k: first, data of length n1 at the tail of the valid data n is taken for encryption, where m + n1 = k; second, the data of length n is block-encrypted with the session key to obtain the final encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified. When the valid data of the data message is n, with n < k: m + 1 bytes are appended after n so that n + m + 1 = 2k after padding, and the padded data is encrypted to obtain a valid encrypted payload M, with M > n and M = k; the length in the IP header field is modified, and the IP header field and the checksum are recalculated;
the decryption process of the decryption unit is as follows: when the payload data is n, with n % k = m and 0 < m < k, n is decrypted with the session key to obtain a valid payload M1, the last n1 bytes are taken from M1, where n1 + m = k, and decryption with the session key yields the final plaintext payload M. When the payload data is n, with n = 2k: first, n is decrypted with the session key to obtain a valid payload M1; second, the last byte n1 of M1 is taken; if n1 > k and the k-1 bytes before n1 are zero, then the first 2k-n1 bytes of M1 are the plaintext payload M, the length in the IP header field is modified, and the IP header field and the checksum are recalculated; if these conditions are not met, M1 is the plaintext payload M and the IP header field does not need to be modified. When the payload data is n, where n is exactly divisible by k, the plaintext payload M is obtained by decrypting n with the session key.
Further, the IKE key negotiation unit includes a policy negotiation module, a DH exchange module, and a DH exchange and verification module. In the policy negotiation module, the sender sends its local IKE policy to the receiver, and the receiver looks up a matching policy and confirms it. In the DH exchange module, the initiator receives the confirmed policy and sends the key generation information, and the receiver generates the key. In the DH exchange and verification module, the initiator receives the key information and initiates the identity verification data, the receiver performs identity verification and exchanges identity verification data, and the initiator verifies the identity of the receiver.
Beneficial effects: compared with the prior art, the invention has the following advantages. The encryption and decryption method provided by the invention works in a transmission layer of the network and is an encryption and decryption method for IP data packets in the network. To support the national cryptographic algorithms while ensuring high-performance forwarding of network data, network card data messages are processed and forwarded at layer two of the network; when messages are received and sent, an access control list (ACL) filters the data packets by protocol type, source IP, source port, destination IP and destination port, so that processing behaviors such as transparent transmission, encryption, decryption and discarding of messages can be realized. User service data is not parsed any deeper: encryption protection and decryption restoration are applied to the IP payload. When encryption and decryption are configured, national cryptographic algorithms (SM4 or SM1) and the like are supported, so the encryption algorithm is independently controllable and the relevant national security specifications and requirements are met.
The invention mainly provides effective encryption and decryption of the IP data payload, and uses the IKE protocol to negotiate and update the session key in order to keep the encryption and decryption session key secure. If the enterprise needs authentication and authorization, the scheme of the invention can be combined with the AH protocol or other authentication methods (such as authentication at the business layer).
Compared with traditional VPN products such as IPSec, the method can be flexibly deployed at any node in the enterprise network and added as needed, without network modification or redeployment of other network equipment. It leaves the quality of the original network and communication unchanged, performs data encryption and decryption transparently during network and communication transmission at the network boundary, secures data transmission at the enterprise network boundary, and provides high-performance, high-throughput encryption and decryption of network communication data.
Drawings
FIG. 1 is a block diagram of the system components of the present invention;
FIG. 2 is a flow chart of data encryption in the present invention;
FIG. 3 is a flow chart of data decryption in the present invention;
FIG. 4 is a schematic diagram of an IKE negotiation process;
FIG. 5 is a schematic diagram of the DH algorithm;
FIG. 6 is an IKE main mode state transition diagram.
Detailed Description
The technical solution of the present invention is described in detail below with reference to the accompanying drawings, but the scope of the present invention is not limited to the embodiments.
The data transmission encryption and decryption system based on national cryptographic technology shown in FIG. 1 comprises a first encryption and decryption device, a second encryption and decryption device and a switch. By convention, the network port connected to the service network system is called the internal network port, and the network port connected to an external network is called the external network port. The first encryption and decryption device is connected to the internal network port, the second encryption and decryption device is connected to the external network port, and the first encryption and decryption device is connected to the second encryption and decryption device through the switch.
The data transmission encryption process shown in FIG. 2 is as follows:
1) After receiving data from the internal network port, query the ACL port configuration information and the ACL processing mode (transparent transmission, encryption and decryption, or discarding).
2) Obtain the IP five-tuple from the data message: source IP, source port, destination IP, destination port and protocol type (TCP/UDP, etc.).
3) Look up the session to which the five-tuple belongs; if no session is found, create a new session.
4) After the session is found, check the validity of the session key (whether it exists and whether it has expired); if the session key is invalid, negotiate the session key with the peer using IKE.
5) If the session key is valid, check whether the length of the data message is an integer multiple of the block length: if it is, execute 6.1; if the message is not a multiple of the block length, execute 6.2; if the message is short, execute 6.3.
Let the length of the data message be n + m, the block length be k, and the final encrypted payload be M:
6.1) the valid data is n, with m = 0: n is block-encrypted with the session key to obtain a valid encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified;
6.2) the valid data is n, and n divided by k leaves a remainder m (0 < m < k): first, data of length n1 at the end of the valid data is taken for encryption (m + n1 = k); second, the data of length n is block-encrypted with the session key to obtain the final encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified;
6.3) the message length is n, with n < k: (m + 1) bytes are appended after n (the m bytes have the value 0, and the last byte holds the length m + 1) so that n + m + 1 = 2k, and the padded data is encrypted to obtain a payload M (M > n, M = k); the length in the IP header field is modified, and the IP header field and the checksum are recalculated.
7) Send the IP message and the encrypted payload out through the external network port.
The data transmission decryption process shown in FIG. 3 includes the following steps:
1) After receiving data from the external network port, query the ACL port configuration information and the ACL processing mode (transparent transmission, encryption and decryption, or discarding).
2) Obtain the IP five-tuple from the data message: source IP, source port, destination IP, destination port and protocol type (TCP/UDP, etc.).
3) Look up the session to which the five-tuple belongs; if no session is found, create a new session.
4) After the session is found, check the validity of the session key (whether it exists and whether it has expired); if the session key is invalid, negotiate the session key with the peer using IKE.
5) If the session key is valid, check whether the length of the data message is an integer multiple of the session-key block length: if it is not a multiple of the block length, execute 6.1; if it is twice the block length, execute 6.2; in all other cases execute 6.3.
Let the length of the data message be n + m, the block length of the session-key block encryption be k, and the final decrypted payload be M:
6.1) the payload data is n (n % k = m, 0 < m < k): n is decrypted with the session key to obtain a valid payload M1, the last n1 bytes (n1 + m = k) are taken from M1, and decryption with the session key yields the final plaintext payload M;
6.2) the payload data is n (n = 2k): first, n is decrypted with the session key to obtain a valid payload M1; second, the last byte n1 of M1 is taken; if n1 > k and the (k-1) bytes before n1 are zero, the first 2k-n1 bytes of M1 are the plaintext payload M, the length in the IP header field is modified, and the IP header field and the checksum are recalculated; if these conditions are not met, M1 is the plaintext payload M and the IP header field does not need to be modified;
6.3) the payload data is n (n is exactly divisible by k): the plaintext payload M is obtained by decrypting n with the session key.
7) Send the IP message and the plaintext payload M out through the internal network port.
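The three length cases of the encryption and decryption steps above, as an added example that is not code from the patent; it also shows that a genuine 2k-byte payload ending in k-1 zero bytes and a byte greater than k is taken for a padded short packet by the rule in 6.2. Assumptions: k = 16 bytes, a hashlib-based Feistel permutation standing in for SM4, independent block-by-block processing, one reading of case 6.2 (the last k bytes are encrypted first, then the full blocks), and an extra `n1 < 2k` bound check.

```python
import hashlib

K = 16  # block length k in bytes (assumed; this is the SM4 block size)


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher. This is NOT SM4; it is a
    # keyed Feistel permutation used only so the example runs offline.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:K // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:K // 2], blk[K // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def dec_block(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:K // 2], blk[K // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(fn, key: bytes, data: bytes) -> bytes:
    # Each block is processed independently (assumption: the page names
    # no chaining mode).
    return b"".join(fn(key, data[i:i + K]) for i in range(0, len(data), K))


def encrypt_payload(key: bytes, p: bytes) -> bytes:
    n = len(p)
    if n == 0:
        return b""
    if n < K:
        # Case 6.3: append m zero bytes and one length byte (value m + 1)
        # so that n + m + 1 = 2k. The payload length changes.
        m = 2 * K - n - 1
        return _blocks(enc_block, key, p + bytes(m) + bytes([m + 1]))
    m = n % K
    if m == 0:
        # Case 6.1: whole blocks, length preserved.
        return _blocks(enc_block, key, p)
    # Case 6.2: encrypt the last k bytes (n1 bytes of the last full block
    # plus the m remainder bytes), then encrypt all full blocks.
    buf = p[:n - K] + enc_block(key, p[n - K:])
    full = n - m
    return _blocks(enc_block, key, buf[:full]) + buf[full:]


def decrypt_payload(key: bytes, c: bytes) -> bytes:
    n = len(c)
    m = n % K
    if m:
        # Case 6.1: decrypt the full blocks to M1, then decrypt the last
        # n1 bytes of M1 together with the m trailing bytes.
        if n < K:
            raise ValueError("ciphertext shorter than one block")
        full, n1 = n - m, K - m
        m1 = _blocks(dec_block, key, c[:full])
        return m1[:full - n1] + dec_block(key, m1[full - n1:] + c[full:])
    m1 = _blocks(dec_block, key, c)
    if n == 2 * K:
        # Case 6.2: last byte n1 > k and k-1 zero bytes before it mean
        # "padded short packet". The n1 < 2k bound is an added check.
        n1 = m1[-1]
        if K < n1 < 2 * K and m1[-K:-1] == bytes(K - 1):
            return m1[:2 * K - n1]
    # Case 6.3 (and unpadded 2k payloads): M1 is the plaintext.
    return m1


def roundtrip(key: bytes, p: bytes) -> bytes:
    return decrypt_payload(key, encrypt_payload(key, p))
```

Only the short-packet case changes the payload length, which is why the IP header length and checksum need recalculating there and nowhere else.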
In step (4) of encryption and decryption, a key is generated through the IKE and DH algorithms; IKE is the Internet Key Exchange protocol. As in the policy negotiation process of FIG. 4, the result of IKE negotiation provides both communicating parties with information such as the encryption algorithm and the authentication algorithm. IKE communicates over UDP on ports 500 and 4500, and negotiation is divided into two phases: the result of the first phase protects the negotiation of the second phase, and the SA it negotiates is called the ISAKMP SA; the result of the second phase is the SA finally used by the communicating parties. Using the DH (Diffie-Hellman) algorithm, IKE generates the session key K used in the present invention through a DH exchange, with a default validity period of one hour and a maximum validity period of one day.
The principle of the DH (Diffie-Hellman) algorithm, as shown in FIG. 5, includes policy negotiation, DH exchange, and DH exchange and verification. Policy negotiation: the sender sends its local IKE policy, and the responder looks up a matching policy and confirms the algorithm used by the other party. DH exchange: the sender receives the policy confirmed by the responder, and the responder generates a key. DH exchange and verification: the sender receives the generated key, and the responder performs identity authentication and exchanges identity authentication with the sender.
The IKE main mode state transition diagram shown in FIG. 6:
Ready state: the sender initiates negotiation by proposing values for the security parameters;
Negotiation started: if the responder accepts none of the proposed values, return to the ready state; otherwise the responder selects acceptable security parameters and the protocol is selected;
Protection suite selected: if the selected protocol is not among the proposed protocols, return to the ready state; otherwise the sender sends the key material and the necessary auxiliary data;
Key material exchange started: if the key format is wrong, return to the ready state; otherwise the responder sends its key material and the necessary input data, the DH exchange is completed, and the SKEYID-related material is calculated;
Key material exchange finished: if the key format is wrong, return to the ready state; otherwise the exchange is finished and the sender sends its identity information;
Identity authentication: if the sender's identity is incorrect, return to the ready state; otherwise the responder sends its identity information;
ISAKMP SA establishment: if the responder's identity is incorrect, return to the ready state; otherwise the ISAKMP SA is successfully established.
The method disclosed by the invention enables enterprises to encrypt and decrypt data transparently during network and communication transmission at the network boundary without changing the network deployment, secures enterprise data, supports the national cryptographic algorithms, and provides high-performance, high-throughput encryption and decryption of network communication data.
As noted above, while the present invention has been shown and described with reference to certain preferred embodiments, it is not to be construed as limited thereto. Various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. The data transmission encryption method based on the national encryption technology is characterized by comprising the following steps of:
(1) acquiring data from an internal network port;
(2) acquiring a quintuple of the IP through the data message;
(3) inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) checking the validity of the session key, carrying out key agreement between the internal network port and the external network port to form the session key if the session key is illegal, and executing the step (5) if the session key is legal;
(5) performing grouping check on the length of the data message according to the length of the session key grouping encryption;
(6) carrying out packet encryption on the data message by adopting a session key to generate an encrypted load;
(7) sending the IP message and the encrypted load to an external network port.
2. The data transmission encryption method based on the cryptographic technology of claim 1, characterized in that: step (1) further includes querying the ACL port configuration information and the ACL processing mode, the processing mode being one of: transparent transmission, encryption and decryption, and discarding.
3. The data transmission encryption method based on the cryptographic technology of claim 1, characterized in that: the key agreement in step (4) is performed using an IKE algorithm and includes:
ready state: the sender starts negotiation of the proposed values for the security parameters;
negotiation start: if the responder does not accept all the proposed values, return to the ready state; otherwise, the responder selects acceptable security parameters and proceeds with the selected protocol;
protection suite selection: if the selected protocol is not among the initiated protocols, return to the ready state; otherwise, the sender sends the key material and the necessary auxiliary data;
start of key material exchange: if the key format is wrong, return to the ready state; otherwise, the responder sends key material and the necessary auxiliary data, the DH exchange is completed, and the SKEYID-related material is calculated;
end of key material exchange: if the key format is wrong, return to the ready state; otherwise, the exchange is finished and the sender sends its identity information;
identity authentication: if the sender's identity is not correct, return to the ready state; otherwise, the responder sends its identity information;
ISAKMP SA establishment: if the responder's identity is not correct, return to the ready state; otherwise, the ISAKMP SA is successfully established.
4. The data transmission encryption method based on the cryptographic technology of claim 1, characterized in that: assuming that the length of the data message is n + M, the length of the session key packet encryption is k, and the final encryption load is M;
in step (5), it is checked whether the length of the data message is an integral multiple of the block encryption length: if it is an integral multiple, the data message is legal data and step (6.1) is executed; if the length of the data message is not an integral multiple of the block encryption length, step (6.2) is executed; if the length of the data message is too short, step (6.3) is executed;
(6.1) the legal data of the data message is n, M = 0, and n is an integral multiple of the block encryption length k; n is block-encrypted with the session key to obtain a legal encryption load M; the length of M is the same as that of n, and the IP header field does not need to be modified;
(6.2) the legal data of the data message is n, n/k >= 1, n % k = m, 0 < m < k; first, the data of length n1 at the tail of the legal data n is encrypted, where m + n1 = k; second, the data of length n is block-encrypted with the session key to obtain the final encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified;
(6.3) the legal data of the data message is n, n < k; M + 1 bytes are padded after n, so that n + M + 1 = 2k after padding; the padded data is encrypted to obtain the effective encryption load M, with M > n and M = k; the length of the IP header field is modified, and the IP header field and the checksum are recalculated.
5. The data transmission decryption method based on the state encryption technology is characterized by comprising the following steps:
(1) acquiring data from an external network port;
(2) acquiring a quintuple of the IP through the data message;
(3) inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) checking the validity of the session key, carrying out key agreement between the internal network port and the external network port to form the session key if the session key is illegal, and executing the step (5) if the session key is legal;
(5) performing grouping check on the length of the data message according to the length of the session key grouping encryption;
(6) carrying out grouping decryption on the data message by adopting a session key, and restoring a plaintext load;
(7) sending the IP message and the plaintext load to the internal network port.
6. The data transmission decryption method based on the cryptographic technology of claim 5, wherein: assuming that the length of the data message is n + M, the decryption length of the session key packet is k, and the plaintext load obtained by final decryption is M:
step (5) checks whether the length of the data message is an integral multiple of the block decryption length: if the data message is not an integral multiple of the block decryption length, step (6.1) is executed; if the data message is twice the block decryption length, step (6.2) is executed; in all other cases, step (6.3) is executed;
(6.1) the payload data is n, n % k = M, 0 < M < k; n is decrypted with the session key to obtain a legal payload M1; the last n1 bytes are taken from M1, where n1 + M = k, and decrypted with the session key to obtain the final plaintext payload M;
(6.2) the payload data is n, n = 2k; first, n is decrypted with the session key to obtain a legal payload M1; second, the last byte n1 of M1 is taken: if n1 > k and the k-1 bytes before n1 are zero, then the first 2k-n1 bytes of M1 are the plaintext payload M, the length of the IP header field is modified, and the IP header field and the checksum are recalculated; if these conditions are not met, M1 is the plaintext payload M, and the IP header field does not need to be modified;
(6.3) the payload data is n, and n is evenly divisible by k; n is decrypted with the session key to obtain the plaintext payload M.
7. A data transmission encryption and decryption system based on the national encryption technology, characterized in that: the encryption and decryption device I is used for being connected with an internal network port, the encryption and decryption device II is used for being connected with an external network port, and the encryption and decryption device I is connected with the encryption and decryption device II through the switch.
8. The encryption and decryption system for data transmission based on cryptographic technology of claim 7, wherein: the encryption and decryption equipment is used for encrypting and decrypting data transmitted from the internal network port to the external network port, and the encryption and decryption equipment is used for encrypting and decrypting data transmitted from the external network port to the internal network port;
the first encryption and decryption device and the second encryption and decryption device both comprise: the ACL port inquiry unit is used for inquiring ACL port configuration information and a processing mode; the IP five-tuple query unit is used for acquiring a source IP, a source port, a destination IP, a destination port and a protocol type of the IP; the session query unit is used for querying the session to which the quintuple belongs, and if the session does not exist, a new session is created; a session key checking unit for checking the validity of the session key; the IKE key negotiation unit is used for negotiating the session key when the session key is illegal; a data message length detection unit, configured to check whether the length of the data message is an integer multiple of the session key packet length; an encryption unit: encrypting the data message by adopting a session key to generate an encrypted load; and the decryption unit is used for decrypting the data message by adopting the session key to generate a plaintext load.
9. The encryption and decryption system for data transmission based on cryptographic technology of claim 8, wherein: assuming that the length of the data message is n + M, the length of the session key block encryption or decryption is k, and the final encryption load or plaintext load is M;
the encryption process of the encryption unit is as follows: the legal data of the data message is n, M = 0, and n is an integral multiple of k; n is block-encrypted with the session key to obtain a legal encryption load M; the length of M is the same as that of n, and the IP header field does not need to be modified; the legal data of the data message is n, n/k >= 1, n % k = m, 0 < m < k; first, the data of length n1 at the tail of the legal data n is encrypted, where m + n1 = k; second, the data of length n is block-encrypted with the session key to obtain the final encrypted payload M; the length of M is the same as that of n, and the IP header field does not need to be modified; the legal data of the data message is n, n < k; M + 1 bytes are padded after n, so that n + M + 1 = 2k after padding; the padded data is encrypted to obtain an effective encryption load M, with M > n and M = k; the length of the IP header field is modified, and the IP header field and the checksum are recalculated;
the decryption process of the decryption unit is as follows: the payload data is n, n % k = M, 0 < M < k; n is decrypted with the session key to obtain a legal payload M1; the last n1 bytes are taken from M1, where n1 + M = k, and decrypted with the session key to obtain the final plaintext payload M; the payload data is n, n = 2k; first, n is decrypted with the session key to obtain a legal payload M1; second, the last byte n1 of M1 is taken: if n1 > k and the k-1 bytes before n1 are zero, then the first 2k-n1 bytes of M1 are the plaintext payload M, the length of the IP header field is modified, and the IP header field and the checksum are recalculated; if these conditions are not met, M1 is the plaintext payload M, and the IP header field does not need to be modified; the payload data is n, and n is evenly divisible by k; n is decrypted with the session key to obtain the plaintext payload M.
10. The encryption and decryption system for data transmission based on cryptographic technology of claim 8, wherein: the IKE key negotiation unit comprises a strategy negotiation module, a DH exchange module and a DH exchange and verification module; the strategy negotiation module is used for the sender to send a local IKE strategy to the receiver, and the receiver searches a matched strategy and confirms the strategy; the DH exchange module is used for the initiator to receive the confirmed strategy and send the key generation information, and the receiver is used for generating the key; the DH exchange and verification module is used for the initiator to receive the key information and initiate the identity verification data, the receiver to carry out identity verification and exchange identity verification, and the initiator to carry out identity verification on the receiver.
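The length handling of claims 4, 6 and 9, as an added sketch under one consistent reading of the claim text (not code from the patent or its applicant): a payload with a remainder is encrypted by overlapping the last k bytes with the final full block, and a payload shorter than k is zero-padded to 2k with the pad length in the last byte. Assumptions: k = 16, a hashlib-based Feistel permutation stands in for the national block cipher so the block runs without dependencies, and blocks are processed independently because the claims name no mode.

```python
import hashlib

K = 16  # block length k in bytes (assumed; 128-bit blocks)

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:K // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block(key, blk, decrypt=False):
    """Stand-in keyed permutation on one k-byte block (4-round Feistel), not SM4."""
    l, r = blk[:K // 2], blk[K // 2:]
    if decrypt:
        for i in (3, 2, 1, 0):
            l, r = _xor(r, _f(key, i, l)), l
    else:
        for i in range(4):
            l, r = r, _xor(l, _f(key, i, r))
    return l + r

def blocks(key, data, decrypt=False):
    """Process a whole number of blocks independently (the mode is an assumption)."""
    return b"".join(block(key, data[i:i + K], decrypt) for i in range(0, len(data), K))

def encrypt_payload(key, p):
    n, m = len(p), len(p) % K
    if m == 0:                       # claim 4 (6.1): whole blocks, length unchanged
        return blocks(key, p)
    if n > K:                        # claim 4 (6.2): n/k >= 1 with remainder m
        buf = bytearray(p)
        buf[n - K:] = block(key, bytes(buf[n - K:]))    # n1 = k - m borrowed bytes + m tail
        buf[:n - m] = blocks(key, bytes(buf[:n - m]))   # then every full block
        return bytes(buf)
    pad = 2 * K - n                  # claim 4 (6.3): n < k, zero fill, last byte = pad length
    return blocks(key, p + bytes(pad - 1) + bytes([pad]))

def decrypt_payload(key, c):
    n, m = len(c), len(c) % K
    if m:                            # claim 6 (6.1): undo the two steps in reverse order
        if n < K:
            raise ValueError("ciphertext shorter than one block")
        buf = bytearray(c)
        buf[:n - m] = blocks(key, bytes(buf[:n - m]), True)
        buf[n - K:] = block(key, bytes(buf[n - K:]), True)
        return bytes(buf)
    m1 = blocks(key, c, True)
    if n == 2 * K:                   # claim 6 (6.2): may be a padded short payload
        pad = m1[-1]
        # The upper bound on pad is an added sanity check. A genuine 2k-byte
        # payload that ends in k-1 zero bytes and such a length byte cannot be
        # told apart from a padded one under this rule.
        if K < pad < 2 * K and m1[-K:-1] == bytes(K - 1):
            return m1[:2 * K - pad]
    return m1                        # claim 6 (6.3): whole blocks
```

Only the short-payload case changes the packet length, which is why it alone requires the IP header length and checksum to be recalculated.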
CN202111070285.2A 2021-09-13 2021-09-13 Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology Active CN113746861B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111070285.2A CN113746861B (en) 2021-09-13 2021-09-13 Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology

Publications (2)

Publication Number Publication Date
CN113746861A true CN113746861A (en) 2021-12-03
CN113746861B CN113746861B (en) 2023-03-14

Family

ID=78738503

Country Status (1)

Country Link
CN (1) CN113746861B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant