CN113746861B - Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology - Google Patents
Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology Download PDFInfo
- Publication number
- CN113746861B CN113746861B CN202111070285.2A CN202111070285A CN113746861B CN 113746861 B CN113746861 B CN 113746861B CN 202111070285 A CN202111070285 A CN 202111070285A CN 113746861 B CN113746861 B CN 113746861B
- Authority
- CN
- China
- Prior art keywords
- encryption
- data
- session key
- length
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a data transmission encryption and decryption method and an encryption and decryption system based on a national encryption technology, wherein the encryption process comprises the following steps: acquiring data from an internal network port; acquiring a quintuple of an IP (Internet protocol) through a data message; inquiring the conversation to which the quintuple belongs; checking the validity of the session key, if the session key is illegal, performing key agreement between the internal network port and the external network port to form the session key, and if the session key is legal, performing grouping check on the length of the data message according to the length of grouping encryption of the session key; carrying out packet encryption on the data message by adopting a session key to generate an encrypted load; sending the IP message and the encrypted load to an external network port; the decryption process comprises the following steps: and acquiring data from an external network port, performing the same processing as the encryption process, and decrypting after packet inspection to obtain a plaintext load. The invention ensures the transmission safety of enterprise network boundary data without changing the quality of the original network and communication, and simultaneously, the cryptographic algorithm is independently controllable.
Description
Technical Field
The invention relates to the technical field of internal and external network data transmission encryption, in particular to a data transmission encryption and decryption method and an encryption and decryption system based on a national encryption technology.
Background
When an enterprise faces an external network to access intranet resource data, in order to deal with the problem of network security, a remote access control technology is generally adopted to manage the identity and the authority of an accessor and provide encryption protection for the accessed data in a transmission process. The existing network transmission security scheme is generally implemented by hardware VPN, software VPN and other modes, and can be divided into PPTP, LP2P, IPSec VPN, SSL VPN and the like according to protocol types, and currently, enterprises adopt IPSec VPN and SSLVPN in a large number.
1) The IPSec VPN scheme provides a secure communication channel for two private networks on a public network, performs key agreement through IKE, establishes a bidirectional SA, realizes identity authentication of an access client, encryption of transmission data, and anti-replay and anti-attack, and establishes an encryption channel to ensure the connection security. The IPSec VPN is constructed based on a network layer, any local area network application can be accessed through an IPSec tunnel, and the IPSec VPN is wider in application compared with other schemes and more ideal for management of network authority due to the network layer. However, IPSec vpn needs to modify the network of the user, the network structure needs to be changed when the IPSec security gateway is deployed, the newly added security gateway needs to be re-deployed, the NAT device and the WAF product in the network need to be configured and re-deployed accordingly, the recommendation cost of the user is high, and the maintenance is complex.
2) The SSL VPN scheme is a VPN technology for establishing a remote secure access channel based on a secure Socket Layer-SSL (secure Socket Layer-SSL), and has the advantages of simple application and quick implementation, complex installation is not required for a client of the SSL (the SSL protocol is generally embedded in a browser), the SSL is Security protection based on four-Layer and seven-Layer data, only supports a TCP (transmission control protocol) due to the limitation of the SSL protocol, and compared with hardware equipment and IPSec based on a network Layer, the SSL VPN scheme has the performance far lower than that of equipment using the IPSec protocol, and cannot support protocols commonly used on an IP Layer such as UDP (user datagram protocol) and the like on the protocol. Meanwhile, the SSL equipment and the client have poor support for the national password, and the application limitation exists in the face of some Chinese enterprises with national password requirements.
Disclosure of Invention
The purpose of the invention is as follows: the invention aims to provide a data transmission encryption and decryption method and an encryption and decryption system based on a national encryption technology, which can be flexibly deployed at any node in an enterprise network without network modification and re-deployment of other network equipment, ensure the transmission safety of enterprise network boundary data while not changing the quality of the original network and communication, and simultaneously ensure that a cryptographic algorithm is independently controllable and meets the relevant national safety specifications and requirements.
The technical scheme is as follows: the invention provides a data transmission encryption method based on a cryptographic technology, which comprises the following steps:
(1) Acquiring data from an internal network port;
(2) Acquiring a quintuple of an IP (Internet protocol) through a data message;
(3) Inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) Checking the validity of the session key, if the session key is illegal, carrying out key negotiation between the internal network port and the external network port to form the session key, and if the session key is legal, executing the step (5);
(5) Performing grouping check on the length of the data message according to the length of the session key grouping encryption;
(6) Performing packet encryption on the data message by adopting a session key to generate an encrypted load;
(7) And sending the IP message and the encrypted load to an external network port.
Further perfecting the technical scheme, the step (1) further comprises a processing mode of inquiring ACL port configuration information and ACL, and the processing mode is as follows: transparent transmission, encryption and decryption and discarding.
Further, the key agreement using the IKE algorithm in step (4) includes: ready state: the sender enables negotiation of proposed values for the security parameters; and (3) negotiation starting: if the responder does not accept all the proposed values, returning to a ready state, otherwise, the responder selects acceptable safety parameters and performs a selected protocol; selecting a protective sleeve piece: if the selected protocol does not return to the ready state in the initiated protocol, otherwise the sender sends the key material and the necessary auxiliary data; start exchanging key material: if the key format is wrong and returns to a ready state, otherwise, the responder sends key materials and necessary auxiliary data, DH exchange is completed, and SKEYID related materials are calculated; end exchange of key material: if the key format is wrong and returns to the ready state, otherwise, finishing the exchange and sending the identity information by the sender; and (3) identity authentication: if the sender identity is not right, returning to a ready state, otherwise, the responder sends identity information; ISAKMP SA establishment: and if the identity of the responder is not correct, returning to the ready state, otherwise, successfully establishing the ISAKMP SA.
Further, assuming that the length of the data message is n + M, the length of the session key packet encryption is k, and the final encryption load is M; in the step (5), it is checked whether the length of the data packet is an integral multiple of the block encryption: if the integral multiple is found, the data messages are legal data, and the step (6.1) is executed; if the length of the data message is not the integral multiple of the block encryption, executing (6.2); if the length of the data message is too short, executing (6.3);
(6.1) legal data of the data message is n, M =0, n is an integral multiple of block encryption k, a session key is adopted to block encrypt n to obtain a legal encryption load M, the length of M is the same as that of n, and an IP header field does not need to be modified;
(6.2) legal data of the data message are n, n/k > =1, n% k = m, and 0-m-k-s; firstly, encrypting n 1-length data at the tail of legal data n, wherein m + n1 = k; secondly, encrypting data with the length n by using a session key packet to obtain a final encrypted payload M, wherein the length of M is the same as that of n, and an IP header field does not need to be modified;
(6.3) the legal data of the data message is n, n < k, M +1 bytes are filled to the back of n, n + M +1 =2k after filling, the data after filling is encrypted to obtain effective encryption loads M, M > n and M = k, the length of the IP header field is modified, and the IP header field and the checksum check are recalculated.
The data transmission decryption method based on the state encryption technology comprises the following steps:
(1) Acquiring data from an external network port;
(2) Acquiring a quintuple of an IP (Internet protocol) through a data message;
(3) Inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) Checking the validity of the session key, carrying out key agreement between the internal network port and the external network port to form the session key if the session key is illegal, and executing the step (5) if the session key is legal;
(5) Performing grouping check on the length of the data message according to the length of the session key grouping encryption;
(6) Carrying out grouping decryption on the data message by adopting a session key, and restoring a plaintext load;
(7) And sending the IP message and the plaintext load to the internal network port.
Further, assuming that the length of the data packet is n + M, the decryption length of the session key packet is k, and the plaintext payload obtained by final decryption is M: the step (5) checks whether the length of the data message is integral multiple of the packet decryption length: if the data message is not the integral multiple of the packet decryption, executing (6.1); if the data message is twice of the packet decryption, executing (6.2); the other cases are carried out (6.3);
(6.1) load data is n, n% k = M,0 & num & lt M & gt k, n is decrypted by using a session key to obtain legal load M1, the last n1 bytes are taken from M1, n1 + M = k is decrypted by using the session key to obtain final plaintext load M;
(6.2) the payload data is n, n =2k; step one, decrypting n by using a session key to obtain a legal load M1; secondly, taking the last byte n1 of the M1, if n1 is larger than k and k-1 bytes in front of n1 are zero, taking 2k-n1 in front of M1 as a plaintext load M, modifying the length of an IP header field, and recalculating the IP header field and the checksum check; if the conditions are not met, the M1 is the plaintext effective load M, and the IP header field does not need to be modified;
(6.3) the payload data is n, n can divide k evenly, and the plaintext payload M is obtained by decrypting n with the session key.
The data transmission encryption and decryption system based on the cryptographic technology is used for realizing the encryption and decryption processes: the encryption and decryption device I is used for being connected with an internal network port, the encryption and decryption device II is used for being connected with an external network port, and the encryption and decryption device I is connected with the encryption and decryption device II through the switch; the encryption and decryption equipment I is used for encrypting and decrypting data transmitted from the internal network port to the external network port, and the encryption and decryption equipment II is used for encrypting and decrypting data transmitted from the external network port to the internal network port.
The first encryption and decryption device and the second encryption and decryption device both comprise: the ACL port inquiry unit is used for inquiring ACL port configuration information and a processing mode; the IP five-tuple query unit is used for acquiring a source IP, a source port, a destination IP, a destination port and a protocol type of the IP; the session query unit is used for querying the session to which the quintuple belongs, and if the session does not exist, a new session is created; a session key checking unit for checking the validity of the session key; the IKE key negotiation unit is used for negotiating the session key when the session key is illegal; a data message length detection unit, configured to check whether the length of the data message is an integer multiple of the session key packet length; an encryption unit: encrypting the data message by adopting a session key to generate an encrypted load; and the decryption unit is used for decrypting the data message by adopting the session key to generate a plaintext load.
Further, assuming that the length of the data message is n + M, the length of the session key block encryption or decryption is k, and the final encryption load or plaintext load is M;
the encryption process of the encryption unit is as follows: legal data of the data message is n, M =0, n is an integral multiple of k, a session key is adopted to encrypt n in a grouping mode to obtain a legal encryption load M, the length of M is the same as that of n, and an IP header field does not need to be modified; legal data of the data message are n, n/k > =1, n% k = m,0 is constructed by a plurality of pieces of m and k; firstly, encrypting n 1-length data at the tail of legal data n, wherein m + n1 = k; secondly, encrypting data with the length n by using a session key packet to obtain a final encrypted payload M, wherein the length of M is the same as that of n, and an IP (Internet protocol) header field does not need to be modified; the legal data of the data message is n, n < k, M +1 bytes are filled to the back of n, n + M +1 =2k after filling, the data after filling is encrypted to obtain an effective encryption load M, M > n and M = k, the length of an IP header field is modified, and the IP header field and the checksum check are recalculated;
the decryption process of the decryption unit shown is as follows: load data is n, n% k = M,0 is composed of M and k, a session key is used for decrypting n to obtain a legal load M1, the last n1 bytes are taken from M1, n1 + M = k, and a session key is used for decrypting to obtain a final plaintext load M; the payload data is n, n =2k; step one, decrypting n by using a session key to obtain a legal load M1; secondly, taking the last byte n1 of the M1, if n1 is larger than k and k-1 bytes in front of n1 are zero, taking 2k-n1 in front of M1 as a plaintext load M, modifying the length of an IP header field, and recalculating the IP header field and the checksum check; if the conditions are not met, M1 is the plaintext payload M, and the IP header field does not need to be modified; and the payload data is n, n can divide k evenly, and the plaintext payload M is obtained by decrypting n by using the session key.
Further, the IKE key negotiation unit includes a policy negotiation module, a DH exchange module, and a DH exchange and verification module; the strategy negotiation module is used for the sender to send a local IKE strategy to the receiver, and the receiver searches a matched strategy and confirms the strategy; the DH exchange module is used for the initiator to receive the confirmed strategy and send the key generation information, and the receiver is used for generating the key; the DH exchange and verification module is used for receiving the key information and initiating the identity verification data by the initiator, carrying out identity verification and exchange identity verification by the receiver, and carrying out identity verification on the receiver by the initiator.
Has the advantages that: compared with the prior art, the invention has the advantages that: the encryption and decryption method provided by the invention works in a transmission layer of a network, is an encryption and decryption method aiming at an IP data packet in the network, and simultaneously, in order to support a state encryption algorithm and ensure high-performance network data forwarding processing, in network card data message processing, based on message processing and forwarding of two layers of the network, when a message is received and sent, the data packet is filtered according to a protocol type, a source IP, a source port, a destination IP and a destination port through an access control ACL, so that the processing behaviors of transparent transmission, encryption, decryption, discarding and the like of the message can be realized. The user service data is not analyzed more deeply, the data encryption protection and the data decryption reduction are carried out on the effective load of the IP, and a cryptographic algorithm (SM 4 or SM 1) and the like are supported during the data encryption and decryption configuration, is autonomously controllable and meets the relevant national safety specifications and requirements.
The invention mainly provides effective encryption and decryption of IP data loads, and adopts an IKE protocol to carry out negotiation and rapid updating of session keys in order to ensure the security of the session keys for encryption and decryption. If the enterprise needs authentication and authorization operation, the scheme of the invention can be matched with AH protocol or other authentication methods (such as an authentication mode of a business layer).
Compared with the traditional VPN products such as IPSec and the like, the method can be flexibly deployed at any node in the enterprise network, is added according to the needs, does not need network modification and redeployment of other network equipment, ensures that the quality of the original network and communication is not changed, realizes data encryption and decryption in the network and communication transmission process in the network boundary under the condition of no perception, ensures the transmission safety of the enterprise network boundary data, and provides the network communication data transmission encryption and decryption with high performance and high throughput rate.
Drawings
FIG. 1 is a block diagram of the system components of the present invention;
FIG. 2 is a flow chart of data encryption in the present invention;
FIG. 3 is a flow chart of data decryption in the present invention;
FIG. 4 is a schematic diagram of an IKE negotiation process;
FIG. 5 is a schematic diagram of the DH algorithm;
fig. 6 is an IKE main mode state transition diagram.
Detailed Description
The technical solution of the present invention is described in detail below with reference to the accompanying drawings, but the scope of the present invention is not limited to the embodiments.
The data transmission encryption and decryption system based on the cryptographic technology shown in fig. 1 comprises an encryption and decryption device I, an encryption and decryption device II and a switch. Appointing: the network port connected with the service network system is called an internal network port, and the network port connected with an external network is called an external network port; the first encryption and decryption device is used for being connected with the internal network port, the second encryption and decryption device is used for being connected with the external network port, and the first encryption and decryption device is connected with the second encryption and decryption device through the switch.
The data transmission encryption process shown in fig. 2 is as follows:
1) And after receiving data from the internal network port, inquiring ACL port configuration information and inquiring the processing mode (transparent transmission, encryption and decryption and discarding) of the ACL.
2) Acquiring a quintuple of the ip from the data message: source ip, source port, destination ip, destination port, protocol type (tcp/udp, etc.).
3) And finding the session to which the five-tuple belongs, and if the session cannot be found, creating a new session.
4) And after the session is found, checking the validity (whether the session key exists or not and whether the session key is invalid or not), and if the session key is illegal, carrying out key agreement on the session key by adopting the IKE and the opposite terminal.
5) And (3) a session key is legal, whether the length of the data message is integral multiple of the grouping key is checked, the legal key is executed by 6.1, the message is not the multiple of the key and is executed by 6.2, and the short message is executed by 6.3.
Assuming that the length of the data message is n + M, the length of the packet encryption is k, and the final encryption load is M:
6.1 N, M = 0), encrypting n by using a session key packet to obtain a legal encryption load M, wherein the length of M is the same as that of n, and the IP header field does not need to be modified;
6.2 Legal data n, n can divide k evenly, and residual data m (0 & lt m & gt k); firstly, taking n1 length data (m + n1 = k) at the tail of legal data for encryption; secondly, encrypting data with the length n by using a session key packet to obtain a final encrypted payload M, wherein the length of M is the same as that of n, and an IP (Internet protocol) header field does not need to be modified;
6.3 N < k), padding (M + 1) bytes (the value of M bytes is 0, the value of the last 1 byte is the byte length M + 1) to the rear of n, wherein n + M +1 =2k, encrypting the padded data to obtain an effective encryption load M (M > n, M = k), modifying the length of an IP header field, and recalculating the IP header field and the checksum check.
7) And sending the IP message and the encrypted load out from the port of the external network port.
The data transmission decryption function shown in fig. 3 includes the following steps:
1) And after receiving data from the external network port, inquiring ACL port configuration information and inquiring the processing mode (transparent transmission, encryption and decryption and discarding) of the ACL.
2) Acquiring the quintuple of the ip from the data message: source ip, source port, destination ip, destination port, protocol type (tcp/udp, etc.).
3) And finding the session to which the five-tuple belongs, and if the session cannot be found, creating a new session.
4) And after the session is found, checking the validity (whether the session key exists or not and whether the session key is invalid or not), and if the session key is illegal, carrying out key agreement on the session key by adopting the IKE and the opposite terminal.
5) And (3) the session key is legal, whether the length of the data message is integral multiple of the session key grouping key is checked, the data message is executed 6.1 times of the key multiple, the data message is executed 6.2 times of the key grouping length, and the other cases are executed 6.3.
Assuming that the length of the data message is n + M, the length of member key block encryption is k, and the final decryption load is M:
6.1 Load data is n (n% k = M,0 & ltn & gt M & ltn & gt k), n is decrypted by using a session key to obtain a legal load M1, the last n1 (n 1 + M = k) bytes are taken from M1, and a final plaintext load M is obtained by using the session key for decryption;
6.2 Load data is n (n =2 k), and in the first step, a session key is used for decrypting n to obtain a legal load M1; secondly, taking the last byte n1 of the M1, if n1 is larger than k and the (k-1) bytes before n1 are zero, then 2k-n1 before M1 is a plaintext load M, modifying the length of an IP message header field, and recalculating an IP header field and a checksum comparison test; if the conditions are not met, M1 is the plaintext payload M, and the IP header field does not need to be modified;
6.3 Payload data is n (n divided by k), and decryption of n with the session key yields the plaintext payload M.
7) And sending the IP message and the plaintext load M out of the internal port.
In the step (4) of encryption and decryption, a Key is generated by IKE and DH algorithms, IKE (Internet Key Exchange Protocol) being an Internet Key Exchange Protocol. As in the policy negotiation process of fig. 4, the result of IKE negotiation provides information such as encryption algorithm, authentication algorithm, etc. for both communication parties. IKE adopts UDP communication, the ports are 500 and 4500, the negotiation is divided into two stages, the negotiation result of the first stage provides a protection function for the negotiation of the second stage, and the negotiated SA is called ISAKMP SA; the result of the second phase negotiation is the SA used by the final communicating parties. DH (Diffie-Hellman) algorithm, IKE generates a session key K for use in the present invention by DH exchange, with a default validity period of one hour and a maximum validity period of one day.
The DH (Diffie-Hellman) algorithm principle, as shown in fig. 5, includes policy negotiation, DH exchange and authentication. Policy negotiation: a sender sends a local IKE strategy, a responder searches a matched strategy and confirms an algorithm used by the other party; DH exchange: the sender receives the strategy confirmed by the responder, and the responder generates a secret key; DH exchange and validation: the sender receives the generated key, and the responder performs authentication and exchanges authentication with the sender.
The IKE master mode state transition diagram shown in fig. 6:
ready state: the sender enables negotiation of proposed values for the security parameters,
and (3) negotiation starting: if the responder does not accept all the proposed values, returning to a ready state, otherwise, the responder selects acceptable safety parameters and performs a selected protocol;
selecting a protective sleeve piece: if the selected protocol does not return to the ready state in the initiated protocol, otherwise the sender sends the key material and the necessary auxiliary data;
start exchanging key material: if the key format is wrong and returns to a ready state, otherwise, the responder sends key materials and necessary auxiliary data, DH exchange is completed, and SKEYID related materials are calculated;
end exchange of key material: if the key format is wrong and returns to the ready state, otherwise, the exchange is finished, and the sender sends the identity information;
and (3) identity authentication: if the sender identity is not right, returning to a ready state, otherwise, the responder sends identity information;
ISAKMP SA establishment: and if the identity of the responder is not correct, returning to a ready state, otherwise, successfully establishing the ISAKMP SA.
The method disclosed by the invention enables enterprises to realize data encryption and decryption in the network and communication transmission process at the network boundary without changing network deployment and under the condition of no perception, ensures the data security of the enterprises, supports the national encryption algorithm, and provides high-performance and high-throughput network communication data transmission encryption and decryption.
As noted above, while the present invention has been shown and described with reference to certain preferred embodiments, it is not to be construed as limited to the invention itself. Various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (6)
1. The data transmission encryption method based on the national encryption technology is characterized by comprising the following steps of:
(1) Acquiring data from an internal network port;
(2) Acquiring a quintuple of an IP (Internet protocol) through a data message;
(3) Inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) Checking the validity of the session key, if the session key is illegal, carrying out key negotiation between the internal network port and the external network port to form the session key, and if the session key is legal, executing the step (5);
the step (4) of performing key agreement by using an IKE algorithm includes: ready state: the sender enables negotiation of proposed values for the security parameters; and (3) negotiation starting: if the responder does not accept all the proposed values, returning to a ready state, otherwise, the responder selects acceptable safety parameters and performs a selected protocol; selecting a protective sleeve piece: if the selected protocol does not return to the ready state in the initiated protocol, otherwise the sender sends the key material and the necessary auxiliary data; start exchanging key material: if the key format is wrong and returns to a ready state, otherwise, the responder sends key materials and necessary auxiliary data, DH exchange is completed, and SKEYID related materials are calculated; end exchange of key material: if the key format is wrong and returns to the ready state, otherwise, the exchange is finished, and the sender sends the identity information; and (3) identity authentication: if the sender identity is not right, returning to a ready state, otherwise, sending identity information by the responder; ISAKMP SA establishment: if the identity of the responder is not correct, returning to a ready state, otherwise, successfully establishing the ISAKMP SA;
(5) Performing grouping check on the length of the data message according to the length of the session key grouping encryption;
(6) Carrying out packet encryption on the data message by adopting a session key to generate an encrypted load;
(7) And sending the IP message and the encrypted load to an external network port.
2. The data transmission encryption method based on the cryptographic technology of claim 1, characterized in that: the step (1) further includes a processing mode for inquiring the ACL port configuration information and the ACL, and the processing mode is as follows: transparent transmission, encryption and decryption and discarding.
3. The data transmission encryption method based on the cryptographic technology of claim 1, characterized in that: assuming that the length of the data message is n + M, the length of the session key packet encryption is k, and the final encryption load is M;
in the step (5), it is checked whether the length of the data packet is an integral multiple of the block encryption: if the integral multiple is found, the data messages are legal data, and the step (6.1) is executed; if the length of the data message is not the integral multiple of the block encryption, executing (6.2); if the length of the data message is too short, executing (6.3);
(6.1) legal data of the data message is n, M =0, n is an integral multiple of block encryption k, a session key is adopted to encrypt the block encryption n to obtain a legal encryption load M, the length of the M is the same as that of the n, and an IP header field does not need to be modified;
(6.2) legal data of the data message are n, n/k > =1, n% k = m, and 0-m-k; firstly, encrypting n 1-length data at the tail of legal data n, wherein m + n1 = k; secondly, encrypting data with the length n by using a session key packet to obtain a final encrypted payload M, wherein the length of M is the same as that of n, and an IP header field does not need to be modified;
(6.3) the legal data of the data message is n, n < k, M +1 bytes are filled to the back of n, n + M +1 =2k after filling, the data after filling is encrypted to obtain effective encryption loads M, M > n and M = k, the length of the IP header field is modified, and the IP header field and the checksum check are recalculated.
4. The data transmission decryption method based on the cryptographic technology is characterized by comprising the following steps:
(1) Acquiring data from an external network port;
(2) Acquiring a quintuple of the IP through the data message;
(3) Inquiring the session belonging to the quintuple, if the session does not exist, creating a new session, and if the session exists, executing the step (4);
(4) Checking the validity of the session key, carrying out key agreement between the internal network port and the external network port to form the session key if the session key is illegal, and executing the step (5) if the session key is legal;
(5) Performing grouping check on the length of the data message according to the length of the session key grouping encryption; assuming that the length of the data message is n + M, the decryption length of the session key packet is k, and the plaintext load obtained by final decryption is M: checking whether the length of the data message is integral multiple of the packet decryption length: if the data message is not the integral multiple of the packet decryption, executing (6.1); if the data message is twice of the packet decryption, executing (6.2); the other cases carry out (6.3);
(6.1) the load data is n, n% k = M,0 is less than M and is less than k, the n is decrypted by using the session key to obtain a legal load M1, the last n1 bytes are taken from M1, n1 + M = k, and the final plaintext load M is obtained by using the session key for decryption;
(6.2) the payload data is n, n =2k; step one, decrypting n by using a session key to obtain a legal load M1; secondly, taking the last byte n1 of the M1, if n1 is larger than k and k-1 bytes in front of n1 are zero, taking 2k-n1 in front of M1 as a plaintext load M, modifying the length of an IP header field, and recalculating the IP header field and the checksum check; if the conditions are not met, the M1 is the plaintext effective load M, and the IP header field does not need to be modified;
(6.3) the payload data is n, n can divide k evenly, and the n is decrypted by the session key to obtain a plaintext payload M;
(7) And sending the IP message and the plaintext load to the internal network port.
5. The data transmission encryption and decryption system based on the state encryption technology comprises the following steps: the method is characterized in that: the encryption and decryption device I is used for connecting an internal network port, the encryption and decryption device II is used for connecting an external network port, and the encryption and decryption device I is connected with the encryption and decryption device II through the switch; the encryption and decryption equipment is used for encrypting and decrypting data transmitted from the internal network port to the external network port, and the encryption and decryption equipment is used for encrypting and decrypting data transmitted from the external network port to the internal network port; the first encryption and decryption device and the second encryption and decryption device both comprise: the ACL port inquiry unit is used for inquiring the ACL port configuration information and the processing mode; the IP five-tuple query unit is used for acquiring a source IP, a source port, a destination IP, a destination port and a protocol type of the IP; the session query unit is used for querying the session to which the quintuple belongs, and if the session does not exist, a new session is created; a session key checking unit for checking the validity of the session key; the IKE key negotiation unit is used for negotiating the session key when the session key is illegal; a data message length detection unit, configured to check whether the length of the data message is an integer multiple of the session key packet length; an encryption unit: encrypting the data message by adopting a session key to generate an encrypted load; the decryption unit is used for decrypting the data message by adopting the session key to generate a plaintext load;
assuming that the length of the data message is n + M, the length of the session key grouping encryption or decryption is k, and the final encryption load or plaintext load is M; the encryption process of the encryption unit is as follows: legal data of the data message is n, M =0, n is an integral multiple of k, a session key is adopted to encrypt n in a grouping mode to obtain a legal encryption load M, the length of M is the same as that of n, and an IP header field does not need to be modified; legal data of the data message are n, n/k > =1, n% k = m, and 0-m-k-s; firstly, taking n1 length data at the tail of legal data n for encryption, wherein m + n1 = k; secondly, encrypting data with the length n by using a session key packet to obtain a final encrypted payload M, wherein the length of M is the same as that of n, and an IP header field does not need to be modified; the legal data of the data message is n, n < k, M +1 bytes are filled to the back of n, n + M +1 =2k after filling, the data after filling is encrypted to obtain an effective encryption load M, M > n and M = k, the length of an IP header field is modified, and the IP header field and the checksum check are recalculated;
the decryption process of the decryption unit shown is as follows: load data is n, n% k = M,0 is composed of M and k, a session key is used for decrypting n to obtain a legal load M1, the last n1 bytes are taken from M1, n1 + M = k, and a session key is used for decrypting to obtain a final plaintext load M; the payload data is n, n =2k; step one, decrypting n by using a session key to obtain a legal load M1; secondly, taking the last byte n1 of the M1, if n1 is larger than k and k-1 bytes in front of n1 are zero, taking 2k-n1 in front of M1 as a plaintext load M, modifying the length of an IP header field, and recalculating the IP header field and the checksum check; if the conditions are not met, M1 is the plaintext payload M, and the IP header field does not need to be modified; the payload data is n, n can divide k evenly, and the plaintext payload M is obtained by decrypting n with the session key.
6. The cryptographic technology-based data transmission encryption and decryption system of claim 5, wherein: the IKE key negotiation unit comprises a strategy negotiation module, a DH exchange module and a DH exchange and verification module; the strategy negotiation module is used for the sender to send a local IKE strategy to the receiver, and the receiver searches a matched strategy and confirms the strategy; the DH exchange module is used for the initiator to receive the confirmed strategy and send the key generation information, and the receiver is used for generating the key; the DH exchange and verification module is used for the initiator to receive the key information and initiate the identity verification data, the receiver to carry out identity verification and exchange identity verification, and the initiator to carry out identity verification on the receiver.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111070285.2A CN113746861B (en) | 2021-09-13 | 2021-09-13 | Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111070285.2A CN113746861B (en) | 2021-09-13 | 2021-09-13 | Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113746861A CN113746861A (en) | 2021-12-03 |
| CN113746861B true CN113746861B (en) | 2023-03-14 |
Family
ID=78738503
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111070285.2A Active CN113746861B (en) | 2021-09-13 | 2021-09-13 | Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113746861B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114554485B (en) * | 2021-12-22 | 2024-03-12 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic equipment and medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012018573A2 (en) * | 2010-08-05 | 2012-02-09 | Motorola Solutions, Inc. | Method for key identification using an internet security association and key management based protocol |
| CN105376239A (en) * | 2015-11-25 | 2016-03-02 | 成都三零瑞通移动通信有限公司 | Method and device for supporting mobile terminal to perform IPSec VPN message transmission |
| CN111131245A (en) * | 2019-12-24 | 2020-05-08 | 杭州赛客睿特技术有限公司 | Data transmission method and device, electronic equipment and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7546357B2 (en) * | 2004-01-07 | 2009-06-09 | Microsoft Corporation | Configuring network settings using portable storage media |
| CN101114905A (en) * | 2006-07-28 | 2008-01-30 | 佛山市顺德区顺达电脑厂有限公司 | Method checking wireless network access through fingerprint |
| CN108810023A (en) * | 2018-07-19 | 2018-11-13 | 北京智芯微电子科技有限公司 | Safe encryption method, key sharing method and safety encryption isolation gateway |
-
2021
- 2021-09-13 CN CN202111070285.2A patent/CN113746861B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2012018573A2 (en) * | 2010-08-05 | 2012-02-09 | Motorola Solutions, Inc. | Method for key identification using an internet security association and key management based protocol |
| CN105376239A (en) * | 2015-11-25 | 2016-03-02 | 成都三零瑞通移动通信有限公司 | Method and device for supporting mobile terminal to perform IPSec VPN message transmission |
| CN111131245A (en) * | 2019-12-24 | 2020-05-08 | 杭州赛客睿特技术有限公司 | Data transmission method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113746861A (en) | 2021-12-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9742806B1 (en) | Accessing SSL connection data by a third-party | |
| US6976177B2 (en) | Virtual private networks | |
| EP1334600B1 (en) | Securing voice over ip traffic | |
| US8837729B2 (en) | Method and apparatus for ensuring privacy in communications between parties | |
| US8327129B2 (en) | Method, apparatus and system for internet key exchange negotiation | |
| US20060031936A1 (en) | Encryption security in a network system | |
| EP1374533B1 (en) | Facilitating legal interception of ip connections | |
| US20220263811A1 (en) | Methods and Systems for Internet Key Exchange Re-Authentication Optimization | |
| Kaufman et al. | Rfc 7296: Internet key exchange protocol version 2 (ikev2) | |
| CN113572766A (en) | Power data transmission method and system | |
| CN114285571A (en) | Method, gateway device and system for using quantum key in IPSec protocol | |
| JP2010539839A (en) | Security method in server-based mobile Internet protocol system | |
| CN113746861B (en) | Data transmission encryption and decryption method and encryption and decryption system based on national encryption technology | |
| Cisco | Configuring IPSec Network Security | |
| Eronen et al. | Internet key exchange protocol version 2 (IKEv2) | |
| AU2010245117A1 (en) | Method and apparatus for secure packet transmission | |
| EP3131269B1 (en) | Method and device for conducting ah authentication on ipsec packet which has gone through nat traversal | |
| CN116389169B (en) | Method for avoiding disorder and fragmentation of data packets of national security IPSecVPN gateway | |
| KR100411436B1 (en) | Method for distributing calculation of router in virtual private network | |
| CN117640087A (en) | IPSec VPN security gateway system integrating quantum key distribution network technology | |
| US20210297391A1 (en) | Method for Securing a Data Communication Network | |
| CN115766172A (en) | Message forwarding method, device, equipment and medium based on DPU and national password | |
| Baltatu et al. | IP security | |
| LIOY | Advanced Security Technologies in Networking 55 95 B. Jerman-Blažič et al.(Eds.) IOS Press, 2001 | |
| Roepke et al. | A Survey on Protocols securing the Internet of Things: DTLS, IPSec and IEEE 802.11 i |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |