CN113824743B - Sensitive data blocking method and system suitable for private encryption communication - Google Patents


Info

Publication number: CN113824743B
Authority: CN (China)
Prior art keywords: sensitive data, data, communication, notification message, blocking
Legal status: Active
Application number: CN202111398016.9A
Other languages: Chinese (zh)
Other versions: CN113824743A
Inventor: 乔志巍
Current assignee: Beijing Abt Networks Co ltd
Original assignee: Beijing Abt Networks Co ltd
Legal events: application filed by Beijing Abt Networks Co ltd; priority to CN202111398016.9A; publication of CN113824743A; application granted; publication of CN113824743B; current legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The application provides a sensitive data blocking method and system suitable for private encrypted communication. The method comprises the following steps: a first communication subject acquires the plaintext data it sends to a second communication subject; if the plaintext data contains sensitive data, it encapsulates a notification message according to the sensitive data and sends the notification message to its corresponding first gateway, where the notification message is used to locate the sensitive data within the plaintext data and reaches the first gateway earlier than the sensitive data. By sending a notification message whose delay is smaller than that of the sensitive data, the method instructs the first gateway to block the sensitive data at the gateway, so that the blocking of sensitive data does not depend on knowing the encryption method in advance, the packet-sending logic of the encrypted data need not be modified, information leakage is avoided, and the communication process is not affected.

Description

Sensitive data blocking method and system suitable for private encryption communication
Technical Field
The present application relates to the field of computer technology, and in particular to a sensitive data blocking method and system suitable for private encrypted communication.
Background
The birth of the internet greatly facilitated information exchange among communication subjects, and to improve the security of that exchange it has developed from early plaintext communication to today's encrypted communication. Encrypted communication encrypts the transmitted information with a specific encryption method to reduce the risk of information leakage, and can be divided into standard encrypted communication and private encrypted communication according to the encryption method used. Since sensitive data in the transmitted information may adversely affect network security, the sensitive data needs to be blocked.
Blocking sensitive data in encrypted information generally uses an intermediate proxy: a proxy subject is placed between the two communication subjects; the proxy subject obtains the encrypted information sent by the first communication subject at the TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) transport layer, decrypts it with the decryption method matching its encryption method, identifies and removes the sensitive data from the decrypted information, re-encrypts the remaining information with the same encryption method as the original, and sends the encrypted information to the TCP/UDP transport layer of the second communication subject, where it finally reaches the second communication subject. This completes the blocking of sensitive data in the encrypted information transmitted between the first communication subject and the second communication subject.
Because the encryption methods of standard encrypted communication are all specified by public standards, whereas the encryption method of private encrypted communication is known only to the communication subjects and to the manufacturer that designed the communication process and cannot be known by the proxy subject, this sensitive data blocking method can only be applied to standard encrypted communication and cannot be applied to private encrypted communication.
Disclosure of Invention
The application provides a sensitive data blocking method and system suitable for private encrypted communication, which can solve the technical problem that the existing sensitive data blocking method is only applicable to standard encrypted communication and cannot be applied to private encrypted communication.
In a first aspect, an embodiment of the present application provides a sensitive data blocking method applicable to private encrypted communication, which is applied to a first communication subject and includes:
acquiring plaintext data sent by the first communication subject to a second communication subject;
judging whether the plaintext data contains sensitive data;
if the plaintext data contains sensitive data, encapsulating a notification message according to the sensitive data, wherein the notification message is used to locate the sensitive data within the plaintext data and reaches a first gateway corresponding to the first communication subject earlier than the sensitive data;
and sending the notification message to the first gateway, wherein the first gateway is used to generate a blocking policy according to the notification message and to block the sensitive data according to the blocking policy.
With reference to the first aspect, in an implementation manner of the first aspect, encapsulating the notification message according to the sensitive data includes:
acquiring information of a sensitive data packet, wherein the sensitive data packet is the original data packet containing the sensitive data in an original packet-sending sequence, and the original packet-sending sequence is the plurality of original data packets into which the plaintext data is split and transmitted according to a preset packet-sending logic after it has been encrypted and entered the TCP/UDP transport layer corresponding to the first communication subject;
determining the information of the sensitive data packet as the information carried in the option field of the notification message;
and setting the value of the URG control bit in the notification message to 1.
With reference to the first aspect, in an implementation manner of the first aspect, the information of the sensitive data packet includes the sequence number of the sensitive data packet in the original packet-sending sequence, the communication source port, the communication destination port, and the destination IP address.
With reference to the first aspect, in an implementation manner of the first aspect, judging whether the plaintext data contains sensitive data includes:
matching the plaintext data against a preset keyword index using a keyword matching technique;
and if the plaintext data matches the keyword index, determining the data that matches the keyword index to be sensitive data.
With reference to the first aspect, in an implementation manner of the first aspect, acquiring the plaintext data sent by the first communication subject to the second communication subject includes:
starting an internal listening process;
and the listening process acquiring the plaintext data sent by the first communication subject to the second communication subject.
With reference to the first aspect, in an implementation manner of the first aspect, after the internal listening process is started, the sensitive data blocking method further includes:
adjusting the processing priority of the listening process to the highest in the first communication subject.
In a second aspect, an embodiment of the present application provides a sensitive data blocking method applicable to private encrypted communication, which is applied to a first gateway corresponding to a first communication subject and includes:
receiving a notification message, wherein the notification message is used to locate the sensitive data within the plaintext data and arrives at the first gateway earlier than the sensitive data;
generating a blocking policy according to the notification message;
and blocking the sensitive data at the gateway according to the blocking policy.
With reference to the second aspect, in an implementation manner of the second aspect, generating the blocking policy according to the notification message includes:
acquiring information of a sensitive data packet according to the notification message, wherein the sensitive data packet is the original data packet containing the sensitive data in an original packet-sending sequence, and the original packet-sending sequence is the plurality of original data packets into which the plaintext data is split and transmitted according to a preset packet-sending logic after it has been encrypted and entered the TCP/UDP transport layer corresponding to the first communication subject;
and generating a blocking policy according to the information of the sensitive data packet, wherein the blocking policy is used to indicate that the sensitive data packet is to be blocked when it arrives.
With reference to the second aspect, in an implementation manner of the second aspect, the information of the sensitive data packet includes the sequence number of the sensitive data packet in the original packet-sending sequence, the communication source port, the communication destination port, and the destination IP address.
In a third aspect, an embodiment of the present application provides a sensitive data blocking system applicable to private encrypted communication, including a first communication subject and a first gateway corresponding to the first communication subject;
the first communication subject is configured to perform the following steps:
acquiring plaintext data sent by the first communication subject to a second communication subject;
judging whether the plaintext data contains sensitive data;
if the plaintext data contains sensitive data, encapsulating a notification message according to the sensitive data, wherein the notification message is used to locate the sensitive data within the plaintext data and arrives at the first gateway earlier than the sensitive data;
and sending the notification message to the first gateway;
the first gateway is configured to perform the following steps:
receiving the notification message;
generating a blocking policy according to the notification message;
and blocking the sensitive data at the gateway according to the blocking policy.
With reference to the third aspect, in an implementation manner of the third aspect, encapsulating the notification message according to the sensitive data includes:
acquiring information of a sensitive data packet, wherein the sensitive data packet is the original data packet containing the sensitive data in an original packet-sending sequence, and the original packet-sending sequence is the plurality of original data packets into which the plaintext data is split and transmitted according to a preset packet-sending logic after it has been encrypted and entered the TCP/UDP transport layer corresponding to the first communication subject;
determining the information of the sensitive data packet as the information carried in the option field of the notification message;
and setting the value of the URG control bit in the notification message to 1.
With reference to the third aspect, in an implementation manner of the third aspect, the information of the sensitive data packet includes the sequence number of the sensitive data packet in the original packet-sending sequence, the communication source port, the communication destination port, and the destination IP address.
With reference to the third aspect, in an implementation manner of the third aspect, judging whether the plaintext data contains sensitive data includes:
matching the plaintext data against a preset keyword index using a keyword matching technique;
and if the plaintext data matches the keyword index, determining the data that matches the keyword index to be sensitive data.
With reference to the third aspect, in an implementation manner of the third aspect, acquiring the plaintext data sent by the first communication subject to the second communication subject includes:
starting an internal listening process;
and the listening process acquiring the plaintext data sent by the first communication subject to the second communication subject.
With reference to the third aspect, in an implementation manner of the third aspect, after the internal listening process is started, the first communication subject is further configured to perform:
adjusting the processing priority of the listening process to the highest in the first communication subject.
With reference to the third aspect, in an implementation manner of the third aspect, generating the blocking policy according to the notification message includes:
acquiring the information of the sensitive data packet according to the notification message;
and generating a blocking policy according to the information of the sensitive data packet, wherein the blocking policy is used to indicate that the sensitive data packet is to be blocked when it arrives.
In this sensitive data blocking method, a first communication subject acquires the plaintext data it sends to a second communication subject and, if the plaintext data contains sensitive data, encapsulates a notification message according to the sensitive data and sends it to the corresponding first gateway, where the notification message is used to locate the sensitive data within the plaintext data and reaches the first gateway earlier than the sensitive data. By sending a notification message whose delay is smaller than that of the sensitive data, the method instructs the first gateway to block the sensitive data at the gateway, so that the blocking of sensitive data does not depend on knowing the encryption method in advance, the packet-sending logic of the encrypted data need not be modified, information leakage is avoided, and the communication process is not affected.
Drawings
FIG. 1 is a schematic flow chart of blocking sensitive data by using an intermediate proxy;
FIG. 2 is a schematic workflow diagram of a sensitive data blocking method suitable for private encrypted communication according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the data structure of a notification message according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an example notification message provided in an embodiment of the present application;
FIG. 5 is a schematic workflow diagram of another sensitive data blocking method suitable for private encrypted communication according to an embodiment of the present application;
FIG. 6 is a schematic data interaction diagram of a sensitive data blocking system suitable for private encrypted communication according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, embodiments of the present application are described in further detail below with reference to the accompanying drawings.
The flow of blocking sensitive data by using an intermediate proxy is described first with reference to the accompanying drawings.
FIG. 1 exemplarily shows the flow of blocking sensitive data by using an intermediate proxy. As shown in FIG. 1, a proxy subject is placed between communication subject A and communication subject B. Communication subject A sends data through its communication process; the data is encrypted to form encrypted data, which enters the TCP/UDP transport layer corresponding to communication subject A and is split into a plurality of original data packets, such as data packet 11, data packet 12, data packet 13 and data packet 14, transmitted according to a preset packet-sending logic. The proxy subject first plays the role of communication subject B: after receiving the original data packets, it decrypts them with the decryption method matching the encryption method of the encrypted data, and its communication process receives the decrypted data. Assuming that data packet 13 contains the sensitive data, the proxy subject removes the sensitive data from the decrypted data, then takes on the role of communication subject A, encrypts the remaining information, namely data packet 11, data packet 12 and data packet 14, with the same encryption method as the original, and sends the encrypted information to communication subject B, where it enters the TCP/UDP transport layer corresponding to communication subject B and is decrypted and received by the communication process in communication subject B.
Since the encryption method of private encrypted communication is known only to the communication subjects and to the manufacturer that designed the communication process, and cannot be known by the proxy subject, this flow can only be applied to standard encrypted communication and cannot be applied to private encrypted communication.
To solve the problem that sensitive data in private encrypted communication is difficult to block, the embodiment of the present application provides a method and a system for blocking sensitive data suitable for private encrypted communication. The scheme provided by the application is described below through various embodiments with reference to the accompanying drawings.
The embodiment of the present application provides a sensitive data blocking method applicable to private encrypted communication, which is applied to a first communication subject, and in particular to a listening module in the first communication subject. The first communication subject also comprises a private encrypted communication module, which encrypts the plaintext data sent by the first communication subject and then sends the encrypted data to the first gateway. Referring to the workflow diagram shown in FIG. 2, the sensitive data blocking method applicable to private encrypted communication disclosed in the embodiment of the present application includes the following steps:
201: Acquire the plaintext data sent by the first communication subject to the second communication subject.
Specifically, the listening module may acquire the plaintext data sent to the second communication subject as follows:
An internal listening process is started.
The listening process acquires the plaintext data sent by the first communication subject to the second communication subject.
The listening process enables the first communication subject to intercept data at the application level: it acquires the application-layer plaintext data and copies it into a storage space controlled by the listening process.
After the internal listening process is started, the sensitive data blocking method provided by the embodiment of the present application further includes:
The processing priority of the listening process in the first communication subject is adjusted to the highest.
In this way, the CPU of the first communication subject responds to the processing requests of the listening process first, which reduces processing delay to some extent and lays the foundation for the subsequent blocking of sensitive data.
202: Judge whether the plaintext data contains sensitive data. If the plaintext data contains sensitive data, step 203 is executed; otherwise step 204 is executed.
Specifically, whether the plaintext data contains sensitive data may be judged by the following steps:
First, the plaintext data is matched against a preset keyword index using a keyword matching technique.
Matching modes of different strictness may be set for different scenarios; this is not specifically limited.
Second, if the plaintext data matches the keyword index, the data that matches the keyword index is determined to be sensitive data.
The keyword index may be set according to how sensitive data is defined; this is not specifically limited.
In this way, sensitive data can be judged simply and efficiently, and the method is easy to implement.
203: Encapsulate the notification message according to the sensitive data.
The notification message is used to locate the sensitive data within the plaintext data, and reaches the first gateway corresponding to the first communication subject earlier than the sensitive data.
The notification message is a TCP segment. TCP is a connection-oriented, reliable, byte-stream-based transport-layer protocol, and a notification message consists of a TCP header and the data portion of the TCP segment.
FIG. 3 exemplarily shows the data structure of a notification message provided in an embodiment of the present application. As shown in FIG. 3, an IP packet is used as the carrier of the notification message, and the notification message itself is a TCP segment. The format of the IP packet is a 20-byte header plus a data part, and the data part carries the complete TCP segment. The IP header mainly contains the version number, header length, service priority, total packet length, identifier, flags, fragment offset, TTL, protocol number, header checksum and, most importantly, the source address and destination address. The data part of the IP packet is the TCP content, i.e. the notification message.
The notification message consists of a TCP header and the data portion of the TCP segment. The TCP header is normally 20 bytes, arranged in five groups of 4 bytes (32 bits) each:
The first group holds the 16-bit source port and 16-bit destination port, which identify the ports of the TCP communication.
The second group is the 32-bit sequence number, which is the sequence number of the first byte of data sent in this segment.
The third group is the 32-bit acknowledgement number, which is the sequence number of the first data byte expected in the next segment to be received.
The fourth group holds a 4-bit data offset, 6 reserved bits, 6 control bits and a 16-bit window. The data offset is the distance from the start of the TCP segment to the start of its data; the reserved bits are currently all 0; the control bits are the URG, ACK, PSH, RST, SYN and FIN control bits; and the window is the receive window of the party sending the segment.
The fifth group holds a 16-bit checksum and a 16-bit urgent pointer. The checksum covers both the header and the data part of the TCP segment. The urgent pointer is used together with the URG control bit to indicate the number of bytes of urgent data in the segment; once those bytes have been transmitted, the remaining bytes are treated as ordinary data and normal processing resumes. The options and padding that follow are extensions, with which the TCP header can be extended to at most 60 bytes.
Specifically, the notification message may be encapsulated by the following steps:
First, the information of the sensitive data packet is acquired.
The sensitive data packet is the original data packet containing the sensitive data in the original packet-sending sequence, and the original packet-sending sequence is the plurality of original data packets into which the plaintext data is split and transmitted according to a preset packet-sending logic after it has been encrypted and entered the TCP/UDP transport layer corresponding to the first communication subject. The plaintext data is encrypted by the private encrypted communication module in the first communication subject.
The information of the sensitive data packet includes the sequence number of the sensitive data packet in the original packet-sending sequence, the communication source port, the communication destination port and the destination IP address.
Second, the information of the sensitive data packet is determined as the information carried in the option field of the notification message.
Specifically, the option field is used to specify the destination IP address, source port, destination port and sequence number of the packet that needs to be blocked.
Carrying the information of the sensitive data packet in the option field keeps the notification message short and speeds up message parsing at the first gateway: the specific information is obtained at the transport layer and does not need to be passed up to the application layer, so the first gateway can read the blocking information quickly, processing delay is reduced, and notification efficiency is improved.
In other possible examples, the extension field of the IP header may also be used to carry the information of the sensitive data packet; this is not specifically limited.
Third, the value of the URG control bit in the notification message is set to 1.
Specifically, setting the URG control bit to 1 indicates that the notification message is to be forwarded urgently and sent with the highest priority. It also serves as the notification flag bit: it tells the first gateway that this message is a notification message requiring urgent handling, whose content is in the TCP option field or in the extension field of the IP header.
By setting the URG control bit of the notification message to 1, the sending delay is reduced so that the notification message reaches the first gateway earlier than the sensitive data, and an existing flag bit is borrowed to instruct the gateway to parse the associated control information; the flag bit is thus reused, which greatly saves notification overhead.
Illustratively, suppose the listening module observes that the private encrypted communication process sends the following data: "A certain country carries out monitoring activities on A." The data is matched against the keyword index; if A matches successfully, the related information containing A, namely the source port, destination IP address and sequence number, is acquired as precise control input, and an example notification message is encapsulated from this information about A. FIG. 4 exemplarily shows the structure of this example notification message provided in the embodiment of the present application. As shown in FIG. 4, the source port that sends A is 64381, the destination port is 64382, the sensitive packet containing A has sequence number 15, the next packet has sequence number 16, and the URG control bit is 1.
The delay of the sensitive data packet = packet-sending queuing delay + transmission delay + processing delay, and likewise the delay of the notification message = packet-sending queuing delay + transmission delay + processing delay. Because the notification message has its URG control bit set to 1, its packet-sending queuing delay is smaller than that of the sensitive data packet; the transmission delays of the two are equal; and because the notification message carries the information of the sensitive data packet in the option field, its processing delay is smaller than that of the sensitive data packet. The total delay of the notification message is therefore smaller than that of the sensitive data packet, and the notification message reaches the first gateway earlier than the sensitive data packet.
In this way, by setting the URG control bit of the notification message to 1 and carrying the information of the sensitive data packet in the option field, the sending delay and the processing delay are reduced to a minimum and notification efficiency is improved.
204: Continue acquiring plaintext data.
205: Send the notification message to the first gateway. Step 205 is performed after step 203.
The first gateway is used to generate a blocking policy according to the notification message and to block the sensitive data according to the blocking policy.
In this way, according to the sensitive data blocking method applicable to private encrypted communication provided by the embodiment of the present application, a first communication subject acquires the plaintext data it sends to a second communication subject and, if the plaintext data contains sensitive data, encapsulates a notification message according to the sensitive data and sends it to the corresponding first gateway, where the notification message is used to locate the sensitive data within the plaintext data and reaches the first gateway earlier than the sensitive data. The method ensures from multiple dimensions that the notification message reaches the first gateway before the sensitive data, thereby achieving gateway blocking; the blocking of sensitive data is not limited by whether the encryption method is known in advance, and the packet-sending logic of the encrypted data need not be modified, so no information is leaked and the communication process is not affected. The method is thus applicable to standard encrypted communication, is even better suited to private encrypted communication, and is simple and efficient.
The embodiment of the application provides another sensitive data blocking method suitable for private encryption communication, and the sensitive data blocking method is applied to a first gateway. Referring to the workflow diagram shown in fig. 5, another sensitive data blocking method applicable to private encrypted communication disclosed in the embodiment of the present application includes the following steps:
501: and receiving a notification message.
Wherein the notification message is used to locate the sensitive data from the plaintext data and the notification message arrives at the first gateway earlier than the sensitive data.
502: and generating a blocking strategy according to the notification message.
In particular, the blocking strategy may be generated by:
the first step, according to the notice message, the information of the sensitive data packet is obtained.
The sensitive data packet is the original data packet in the original packet sending sequence that contains the sensitive data. The original packet sending sequence is the set of original data packets obtained after the plaintext data is encrypted, enters the TCP/UDP transport layer of the first communication subject, and is split into packets and transmitted according to the preset packet sending logic.
Specifically, the information of the sensitive data packet includes a sequence number, a communication source port, a communication destination port and a destination IP address of the sensitive data packet in the original packet sending sequence.
And secondly, generating a blocking strategy according to the information of the sensitive data packet.
The blocking strategy is used for indicating that the sensitive data packet is blocked when the sensitive data packet arrives.
503: and judging whether the original data packet is a sensitive data packet or not according to the blocking strategy, if so, executing step 504, and otherwise, executing step 505.
504: and performing gateway blocking on the sensitive data.
505: and forwarding the original data packet normally.
Therefore, this second sensitive data blocking method suitable for private encryption communication blocks the sensitive data at the gateway level. It does not depend on knowing the encryption mode in advance, does not require modifying the packet sending logic of the encrypted data, is easier to implement, also covers standard encrypted communication, and is simple and efficient.
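The encapsulation of the notification message (steps 202 to 203, claims 2 and 3) and the gateway-side steps 501 to 505 can be made concrete in code. The following Python is an added example, not code from the patent or from the applicant. It assumes that the notification message is a TCP segment with URG=1 whose option field holds a single option of experimental kind 253 (RFC 6994 reserves kinds 253 and 254 for experiments) with the layout seq(4) | src_port(2) | dst_port(2) | dst_ip(4), and that the "sequence number in the original packet sending sequence" is the TCP sequence number of the sensitive segment. The option kind and layout, the port numbers, the addresses and the three-segment original packet sending sequence in demo() are all assumptions or constructed sample input.

```python
"""Added example (not the patent's code): notification encapsulation on the
first communication subject and blocking-strategy matching on the first gateway.

Assumptions (the patent fixes none of these): the notification is a TCP
segment with URG=1 carrying one option of experimental kind 253 laid out as
seq(4) | src_port(2) | dst_port(2) | dst_ip(4); the sequence number of the
sensitive data packet is the TCP sequence number of that segment."""
import socket
import struct
from dataclasses import dataclass

NOTIFY_OPT_KIND = 253            # assumed experimental option kind (RFC 6994)
NOTIFY_OPT_LEN = 14              # kind(1) + len(1) + 12-byte body
TCP_FLAG_PSH, TCP_FLAG_ACK, TCP_FLAG_URG = 0x08, 0x10, 0x20


@dataclass(frozen=True)
class SensitiveInfo:
    """Information of the sensitive data packet carried by the notification."""
    seq: int
    src_port: int
    dst_port: int
    dst_ip: str


def build_tcp_header(src_port, dst_port, seq, flags, options=b""):
    """Minimal TCP header (checksum left zero) with options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset << 4, flags, 65535, 0, 0) + options


def build_notification(info, notify_src_port=40000, notify_dst_port=4000):
    """First communication subject, step 203: URG=1 plus locator in an option."""
    body = struct.pack("!IHH4s", info.seq, info.src_port, info.dst_port,
                       socket.inet_aton(info.dst_ip))
    option = struct.pack("!BB", NOTIFY_OPT_KIND, NOTIFY_OPT_LEN) + body
    return build_tcp_header(notify_src_port, notify_dst_port, 1,
                            TCP_FLAG_URG | TCP_FLAG_ACK, option)


def parse_tcp(segment):
    """Return (src_port, dst_port, seq, flags, raw option bytes)."""
    src, dst, seq, _ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    header_len = (offset >> 4) * 4
    return src, dst, seq, flags, segment[20:header_len]


def blocking_strategy(notification):
    """First gateway, step 502: derive the blocking strategy from the notification."""
    _src, _dst, _seq, flags, opts = parse_tcp(notification)
    if not flags & TCP_FLAG_URG:
        raise ValueError("not a notification message: URG bit clear")
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        if kind == NOTIFY_OPT_KIND and length == NOTIFY_OPT_LEN:
            seq, sp, dp, ip = struct.unpack("!IHH4s", opts[i + 2:i + length])
            return SensitiveInfo(seq, sp, dp, socket.inet_ntoa(ip))
        i += length
    raise ValueError("notification carries no sensitive-packet option")


def gateway_decision(strategy, dst_ip, segment):
    """Steps 503 to 505: 'block' the sensitive data packet, 'forward' the rest.
    dst_ip is passed separately because only the TCP header is modelled here."""
    src, dst, seq, _flags, _opts = parse_tcp(segment)
    hit = (dst_ip == strategy.dst_ip and src == strategy.src_port
           and dst == strategy.dst_port and seq == strategy.seq)
    return "block" if hit else "forward"


def demo():
    """Constructed sample: three ciphertext segments, the second is sensitive."""
    info = SensitiveInfo(seq=2460, src_port=51000, dst_port=8443, dst_ip="10.0.0.2")
    strategy = blocking_strategy(build_notification(info))   # arrives first
    original_sequence = [build_tcp_header(51000, 8443, s, TCP_FLAG_PSH | TCP_FLAG_ACK)
                         for s in (1000, 2460, 3920)]
    return [gateway_decision(strategy, "10.0.0.2", seg) for seg in original_sequence]


if __name__ == "__main__":
    print(demo())
```

The gateway never sees plaintext or needs the cipher: it matches only the locator fields the notification carries, which is why the scheme is indifferent to the encryption mode. The flip side is that anything which makes the notification arrive after the sensitive segment (loss of the notification, reordering, a path that does not prioritise URG traffic) leaves the segment forwarded, so the delay argument in the method is a precondition rather than an optimisation, and a deployment should log notifications whose segment has already been forwarded.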
The following are embodiments of the system of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the system of the present application, reference is made to the embodiments of the method of the present application.
Fig. 6 is a schematic diagram of the data interaction in a sensitive data blocking system suitable for private encrypted communication according to an embodiment of the present application. As shown in fig. 6, the system provided in this embodiment implements the sensitive data blocking method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The system includes a first communication subject 601 and the first gateway 602 corresponding to it, where the first communication subject 601 includes a monitoring module 6011 and a private encryption communication module 6012. The data interaction between the first communication subject 601 and the first gateway 602 proceeds as follows:
Step 1: the monitoring module 6011 acquires the plaintext data that the first communication subject sends to the second communication subject. Meanwhile, the private encryption communication module 6012 encrypts the plaintext data and splits the ciphertext into the original packet sending sequence.
Step 2: the monitoring module 6011 determines whether the plaintext data contains sensitive data and, if it does, encapsulates a notification message according to the sensitive data. Meanwhile, the private encryption communication module 6012 sends the original packet sending sequence towards the first gateway 602.
Wherein the notification message is used to locate the sensitive data from the plaintext data and the notification message arrives at the first gateway earlier than the sensitive data.
Step 3: the monitoring module 6011 sends the notification message to the first gateway 602, and the first gateway 602 receives it.
Step 4: the first gateway 602 generates a blocking strategy according to the notification message.
Step 5: when the sensitive data packet in the original packet sending sequence reaches the first gateway 602, the first gateway 602 blocks it according to the blocking strategy.
In summary, in the sensitive data blocking system suitable for private encryption communication provided by this embodiment, the first communication subject acquires the plaintext data sent to the second communication subject; when the plaintext data contains sensitive data it encapsulates a notification message according to that sensitive data and sends the notification message to its corresponding first gateway, where the notification message is used to locate the sensitive data within the plaintext data and reaches the first gateway earlier than the sensitive data. By sending a notification message whose delay is smaller than that of the sensitive data, the system informs the first gateway to block the sensitive data at the gateway, so that blocking does not depend on knowing the encryption mode in advance, the packet sending logic of the encrypted data need not be modified, no information is leaked and the communication process is not affected.
The present application has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to be construed in a limiting sense. Those skilled in the art will appreciate that various equivalent substitutions, modifications or improvements may be made to the presently disclosed embodiments and implementations thereof without departing from the spirit and scope of the present disclosure, and these fall within the scope of the present disclosure. The protection scope of this application is subject to the appended claims.

Claims (9)

1. A sensitive data blocking method suitable for private encryption communication is applied to a first communication main body and is characterized by comprising the following steps:
acquiring plaintext data sent by the first communication main body to the second communication main body;
judging whether the plaintext data contains sensitive data;
if the plaintext data contains sensitive data, encapsulating a notification message according to the sensitive data, wherein the notification message is used for positioning the sensitive data from the plaintext data and reaches a first gateway corresponding to the first communication main body earlier than the sensitive data;
sending the notification message to the first gateway, wherein the first gateway is used for generating a blocking strategy according to the notification message and blocking the sensitive data according to the blocking strategy;
the acquiring plaintext data sent by the first communication main body to the second communication main body comprises:
starting an internal monitoring process;
and acquiring plaintext data sent by the first communication main body to the second communication main body according to the monitoring process.
2. The method of claim 1, wherein encapsulating the notification packet according to the sensitive data comprises:
acquiring information of a sensitive data packet, wherein the sensitive data packet is an original data packet containing the sensitive data in an original packet sending sequence, and the original packet sending sequence is a plurality of original data packets obtained after the plaintext data is encrypted, enters a TCP/UDP transport layer corresponding to the first communication main body, and is split into packets and transmitted according to preset packet sending logic;
determining the information of the sensitive data packet as the carried information of the option field in the notification message;
and setting the value of the URG control bit in the notification message to be 1.
3. The sensitive data blocking method according to claim 2, wherein the information of the sensitive data packet includes a sequence number, a communication source port, a communication destination port, and a destination IP address of the sensitive data packet in the original packet sending sequence.
4. The sensitive data blocking method according to claim 1, wherein the determining whether the plaintext data includes sensitive data comprises:
matching the plaintext data with a preset keyword index by using a keyword matching technology;
and if the plaintext data is matched with the key index, determining the data conforming to the key index as sensitive data.
5. The sensitive data blocking method of claim 1, wherein after initiating an internal listening process, the sensitive data blocking method further comprises:
adjusting a processing priority of the listening process to be highest in the first communication subject.
6. A sensitive data blocking method suitable for private encryption communication is applied to a first gateway corresponding to a first communication subject, and is characterized by comprising the following steps:
receiving a notification message, wherein the notification message is used for positioning sensitive data from plaintext data and arrives at the first gateway earlier than the sensitive data; the notification message is sent by the first communication agent;
generating a blocking strategy according to the notification message;
and performing gateway blocking on the sensitive data according to the blocking strategy.
7. The sensitive data blocking method according to claim 6, wherein the generating a blocking strategy according to the notification message comprises:
acquiring information of a sensitive data packet according to the notification message, wherein the sensitive data packet is an original data packet containing the sensitive data in an original packet sending sequence, and the original packet sending sequence is a plurality of original data packets obtained after the plaintext data is encrypted, enters a TCP/UDP transport layer corresponding to the first communication main body, and is split into packets and transmitted according to preset packet sending logic;
and generating a blocking strategy according to the information of the sensitive data packet, wherein the blocking strategy is used for indicating that the sensitive data packet is blocked when the sensitive data packet arrives.
8. The sensitive data blocking method of claim 7, wherein the information of the sensitive data packet comprises a sequence number, a communication source port, a communication destination port and a destination IP address of the sensitive data packet in the original packet sending sequence.
9. A sensitive data blocking system suitable for private encryption communication is characterized by comprising a first communication main body and a first gateway corresponding to the first communication main body;
the first communication entity is configured to perform the steps of:
acquiring plaintext data sent by the first communication main body to the second communication main body;
judging whether the plaintext data contains sensitive data;
if the plaintext data contains sensitive data, encapsulating a notification message according to the sensitive data, wherein the notification message is used for positioning the sensitive data from the plaintext data and arrives at the first gateway earlier than the sensitive data;
sending the notification message to the first gateway;
the acquiring plaintext data sent by the first communication main body to the second communication main body comprises:
starting an internal monitoring process;
acquiring plaintext data sent by the first communication main body to the second communication main body according to the monitoring process;
the first gateway is configured to perform the steps of:
receiving the notification message;
generating a blocking strategy according to the notification message;
and performing gateway blocking on the sensitive data according to the blocking strategy.
CN202111398016.9A 2021-11-24 2021-11-24 Sensitive data blocking method and system suitable for private encryption communication Active CN113824743B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111398016.9A CN113824743B (en) 2021-11-24 2021-11-24 Sensitive data blocking method and system suitable for private encryption communication

Publications (2)

Publication Number Publication Date
CN113824743A CN113824743A (en) 2021-12-21
CN113824743B true CN113824743B (en) 2022-04-19

Family

ID=78919760

Country Status (1)

Country Link
CN (1) CN113824743B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018161302A1 (en) * 2017-03-09 2018-09-13 西门子公司 Data processing method, device, and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6959393B2 (en) * 2002-04-30 2005-10-25 Threat Guard, Inc. System and method for secure message-oriented network communications
CN113612746B (en) * 2021-07-26 2023-05-09 中国建设银行股份有限公司 Sensitive information storage method and system based on Android system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant