Disclosure of Invention
Therefore, the invention provides a method and a system for secure and reliable data transmission based on a user-mode protocol stack. By integrating a secure communication protocol into the user-mode protocol stack, it provides security protection for a high-performance data forwarding process while meeting the reliability and availability requirements of data transmission.
According to the design provided by the invention, the method for secure and reliable data transmission based on the user-mode protocol stack comprises the following steps:
a secure communication protocol, which performs encryption, authentication and fragmentation processing on application service request data packets, is encapsulated in the user-mode protocol stack by setting calling functions;
an interface data calling function is created for the application service request; the interface data calling function is associated with the corresponding calling function in the user-mode protocol stack, and the application service data packet is sent to the user-mode protocol stack for processing;
the user-mode protocol stack performs push and pop packet processing on the received application service message according to the associated calling function, and forwards the processed data packet to the application service corresponding to the user-mode protocol stack, wherein the push and pop packet processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
As part of the method for secure and reliable data transmission based on the user-mode protocol stack, the secure communication protocol further comprises: an authentication and key exchange protocol, which negotiates shared key parameters for both communication entities; a transmission security protocol, which provides packet authentication, encapsulation and decapsulation services for both communication entities; a key update protocol, which provides a key update service for both communication entities once a key update period is reached; a data transmission protocol, which provides a data fragmentation and reassembly service for both communication entities; a reliable data transmission protocol, which provides data fragmentation and reassembly together with a timeout retransmission and acknowledgement service for both communication entities; an RTT measurement protocol, which calculates the message round trip time for both communication entities; and a heartbeat protocol, which checks the communication link for connection anomalies for both communication entities. Each protocol in the secure communication protocol corresponds to a calling function. The calling functions of the key update protocol and of the authentication and key exchange protocol are associated with the calling functions of the transmission security protocol, the data transmission protocol and the reliable data transmission protocol, so as to supply the keys and the encryption and decryption parameters used for authentication, encryption and decryption during data transmission; through its calling function, the RTT measurement protocol provides the timeout reference for the retransmission and acknowledgement service of the reliable data transmission protocol, and through the calling functions the reliable data transmission protocol is also supplied with the state of the communication link.
Further, in the method for secure and reliable data transmission based on the user-mode protocol stack, the transmission security protocol comprises a packet security authentication protocol (SPA), which provides a source authentication service and a replay attack resistance service for both communication entities, and a packet security encapsulation protocol (ESP), which provides a data confidentiality and integrity service for both communication entities by means of an encryption and verification mechanism.
As part of the method for secure and reliable data transmission based on the user-mode protocol stack, the secure communication protocol further comprises an alarm protocol, which provides a transmission anomaly alarm service for both communication entities, and a flow control protocol, which provides a data transmission flow control service for both communication entities; both ends of the channel between the two communication entities monitor transmission anomalies and traffic through the calling functions of the alarm protocol and the flow control protocol.
The method for secure and reliable data transmission based on the user-mode protocol stack is further characterized in that the user-mode protocol stack encapsulates protocols of the link layer, network layer, transport layer, session layer, presentation layer and application layer according to the OSI model of ISO 7498.
The method for secure and reliable data transmission based on the user-mode protocol stack is further characterized in that, during data transmission and forwarding, the user-mode protocol stack sits between an upper-layer payload protocol and a lower-layer bearer protocol and shields the lower-layer bearer protocol from the upper-layer payload protocol, wherein the upper-layer payload protocol encapsulates the application data together with the network layer and forms the payload part of the user-mode protocol stack, and the lower-layer bearer protocol carries and processes the service data packets produced by the user-mode protocol stack.
In the method for secure and reliable data transmission based on the user-mode protocol stack, when the user-mode protocol stack performs pop processing on a data packet, it first looks up the security association of the communication connection according to the security association identifier carried in the popped packet exchanged between the two communication entities. If the security association is found, the data transmission protocol or the reliable data transmission protocol of the user-mode protocol stack's secure communication protocol is selected according to the communication security requirement to fragment the popped packet, and the transmission security protocol of the secure communication protocol then adds the authentication header and applies cryptographic encapsulation to the fragmented packet; if the security association is not found, the packet is discarded. The security association identifier comprises a source identifier and a destination identifier.
Further, in the method for secure and reliable data transmission based on the user-mode protocol stack, the reliable data transmission protocol of the user-mode protocol stack's secure communication protocol is selected by its calling function according to the communication security requirement to perform fragmentation and timeout retransmission and acknowledgement processing on the popped packet, after which the authentication header and cryptographic encapsulation are added to the fragmented packet. The timeout retransmission and acknowledgement processing comprises: when the push (receiving) end receives a data packet sent by the pop (sending) end, the push end returns an acknowledgement packet to the pop end; if the pop end does not receive the acknowledgement packet within a preset time, it retransmits the data packet.
In the method for secure and reliable data transmission based on the user-mode protocol stack, when the user-mode protocol stack performs push processing, it first looks up the security association of the communication connection according to the security association identifier carried in the pushed packet exchanged between the two communication entities. If the security association is found, the pushed packet sent by the sending end is processed by the transmission security protocol of the secure communication protocol: the authentication header added by the sending end is extracted and verified, and the cryptographic encapsulation is removed. The data transmission protocol of the secure communication protocol is then selected by its calling function according to the data transmission type of the pushed packet to reassemble the fragments, and the result is delivered to the corresponding application service.
Further, the invention also provides a system for secure and reliable data transmission based on the user-mode protocol stack, which comprises a protocol setting module, a data processing module and a data transmission module, wherein
the protocol setting module is used for encapsulating, by setting calling functions in the user-mode protocol stack, a secure communication protocol that performs encryption, authentication and fragmentation processing on application service request data packets;
the data processing module is used for creating an interface data calling function for the application service request; the interface data calling function is associated with the corresponding calling function in the user-mode protocol stack, and the application service data packet is sent to the user-mode protocol stack for processing;
and the data transmission module is used for performing push and pop packet processing on the received application service message according to the associated calling function and forwarding the processed data packet to the application service corresponding to the user-mode protocol stack, wherein the push and pop packet processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The invention has the beneficial effects that:
the invention integrates several secure communication protocols into the user-mode protocol stack, meeting the reliability and availability requirements of data transmission while providing security protection for the high-performance data forwarding process. The method yields a user-mode protocol stack with the same structure as the kernel TCP/IP stack; by combining 9 protocols, including a data security transmission protocol and a data reliability transmission protocol, it provides layered security protection for the data forwarding process, supports the construction of virtual local area networks and virtual wide area networks, and has good application prospects.
The specific embodiments are as follows:
The present invention will be described in further detail with reference to the drawings and the technical scheme, so that the objects, technical schemes and advantages of the present invention become more apparent.
The embodiment of the invention provides a method for secure and reliable data transmission based on a user-mode protocol stack, which comprises the following steps:
S101, a secure communication protocol, which performs encryption, authentication and fragmentation processing on application service request data packets, is encapsulated in the user-mode protocol stack by setting calling functions;
S102, an interface data calling function is created for the application service request; the interface data calling function is associated with the corresponding calling function in the user-mode protocol stack, and the application service data packet is sent to the user-mode protocol stack for processing;
S103, the user-mode protocol stack performs push and pop packet processing on the received application service message according to the associated calling function, and forwards the processed data packet to the application service corresponding to the user-mode protocol stack, wherein the push and pop packet processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The user-mode protocol stack builds an abstract service layer on top of the actual transmission network and its concrete bearer protocols, and provides a secure transmission mechanism and security services for data transmission. In this scheme, the user-mode protocol stack integrates a secure communication protocol and realizes network security by means of an authenticated-encryption mechanism, which can comprise communication confidentiality and integrity protection, an access control mechanism, a traffic padding mechanism and source authentication, and resists replay attacks and denial of service attacks. With regard to the security of network boundary access, it also provides port hiding, authentication-based firewall functionality and a NAT (network address translation) mechanism. The method meets the reliability and availability requirements of data transmission while providing security protection for the high-performance data forwarding process.
As part of the method for secure and reliable data transmission based on the user-mode protocol stack, the secure communication protocol further comprises: an authentication and key exchange protocol, which negotiates shared key parameters for both communication entities; a transmission security protocol, which provides packet authentication, encapsulation and decapsulation services for both communication entities; a key update protocol, which provides a key update service for both communication entities once a key update period is reached; a data transmission protocol, which provides a data fragmentation and reassembly service for both communication entities; a reliable data transmission protocol, which provides data fragmentation and reassembly together with a timeout retransmission and acknowledgement service for both communication entities; an RTT measurement protocol, which calculates the message round trip time for both communication entities; and a heartbeat protocol, which checks the communication link for connection anomalies for both communication entities. Each protocol in the secure communication protocol corresponds to a calling function. The calling functions of the key update protocol and of the authentication and key exchange protocol are associated with the calling functions of the transmission security protocol, the data transmission protocol and the reliable data transmission protocol, so as to supply the keys and the encryption and decryption parameters used for authentication, encryption and decryption during data transmission; through its calling function, the RTT measurement protocol provides the timeout reference for the retransmission and acknowledgement service of the reliable data transmission protocol, and through the calling functions the reliable data transmission protocol is also supplied with the state of the communication link.
Further, the transmission security protocol comprises a packet security authentication protocol (SPA), which provides a source authentication service and a replay attack resistance service for both communication entities, and a packet security encapsulation protocol (ESP), which provides a data confidentiality and integrity service for both communication entities by means of an encryption and verification mechanism. Further, the secure communication protocol also comprises an alarm protocol, which provides a transmission anomaly alarm service for both communication entities, and a flow control protocol, which provides a data transmission flow control service for both communication entities; both ends of the channel between the two communication entities monitor transmission anomalies and traffic through the calling functions of the alarm protocol and the flow control protocol.
The user-mode protocol stack follows the network communication security architecture of ISO 7498-2 and can realize four security services (authentication, access control, confidentiality and integrity) and six security mechanisms (data encryption, digital signature, access control, data integrity, authentication exchange and traffic padding). In this embodiment, the user-mode security protocol stack may further implement a security management function by integrating an alarm protocol and a flow control protocol, so that anomalies arising while the security protocol stack executes its protocols can be reported and corresponding handling can be carried out.
Referring to fig. 2, the authentication and key exchange protocol negotiates the security parameters that form a security association between the devices at both ends of a communication. The protocol is based on RFC 8446; besides the cipher suites specified by RFC 8446, cipher suites based on the national cryptographic algorithms are added, and digital certificates using those cryptographic algorithms may also be added. The transmission security protocol comprises two protocols: the packet security authentication protocol (SPA) and the packet security encapsulation protocol (ESP). The SPA protocol provides source authentication and replay attack resistance for both communication parties; the ESP protocol provides confidentiality and integrity of information for both parties. The key update protocol replaces the old key with a new key when the working key of the security association reaches its key update period, giving the network data security transmission protocol the ability to update keys. A protocol implementation may maintain a copy of the key lifetime metrics with values smaller than the actual lifetime; when the working key reaches the value recorded in this copy, a key update is initiated. The data transmission protocol provides a software-definable transmission mechanism for data transmission, its main functions being fragmentation, reassembly and reordering. Fragmentation and reassembly mainly address the growth in data length after the data passes through SPA, ESP and other protocols: without it, the network card may fragment the data during forwarding, and the receiving end can then neither authenticate nor decrypt it, so the data is lost.
The reliable data transmission protocol provides definable security and reliability for the data transmission channel; its main functions are fragment reassembly, reordering, and a timeout retransmission and acknowledgement mechanism. The fragment reassembly and reordering functions are the same as in the data transmission protocol. In the timeout retransmission and acknowledgement mechanism, the receiving end acknowledges each data packet of the sending end, returning an acknowledgement packet for every data packet received; if the acknowledgement does not reach the sending end within the specified time, the sending end starts timeout retransmission. The RTT measurement protocol calculates the round trip time of a message from the originating end to the receiving end and provides this RTT to the other protocols. The heartbeat protocol checks whether the connection is normal, judges whether the two communication parties are still connected, and ensures that the sending end and the receiving end are reachable. The alarm protocol reports to the peer alarm information arising during secure transmission. The flow control protocol provides software-definable flow control for the data transmission process: it detects congestion during transmission, and the sending end applies corresponding flow control according to the congestion state.
As a method for secure and reliable data transmission based on a user-mode protocol stack in the embodiment of the present invention, further, the user-mode protocol stack encapsulates protocols of the link layer, network layer, transport layer, session layer, presentation layer and application layer according to the OSI model of ISO 7498. Further, during data transmission and forwarding, the user-mode protocol stack is located between an upper-layer payload protocol and a lower-layer bearer protocol and shields the lower-layer bearer protocol from the upper-layer payload protocol, wherein the upper-layer payload protocol encapsulates the application data together with the network layer and forms the payload part of the user-mode protocol stack, and the lower-layer bearer protocol carries and processes the service data packets produced by the user-mode protocol stack.
Referring to the working model of the user-mode protocol stack shown in fig. 3, the user-mode protocol stack is located between an upper-layer payload protocol and a lower-layer bearer protocol. The bearer protocol is the lower-layer protocol that carries the user-mode protocol data, and the payload protocol is the payload part of the user-mode protocol. The user-mode protocol stack encapsulates the payload protocol cryptographically and at the same time shields the bearer-layer protocol from the upper-layer payload protocol. The layer above the user-mode protocol stack is called the payload layer; from the stack's point of view, the payload protocol is the upper-layer application data plus the network-layer protocol part to be encapsulated, and this protocol part can start at any of layers 2 to 7 of the OSI network model, so the user-mode protocol stack can encapsulate protocols from the second to the seventh layer according to the OSI model of ISO 7498. When layer-2 encapsulation and data forwarding of the user-mode protocol stack are used, the stack can act as a layer-2 switching protocol to support an enterprise-level virtual local area network. When layer-3 encapsulation and data forwarding are used, the stack can act as a layer-3 switching protocol to support an enterprise-level virtual local area network. When layer 3 or higher is used for encapsulation and data forwarding, the stack can act as a VPN gateway protocol to support an enterprise-level virtual wide area network. For example, when encapsulation starts at the network layer (layer 3), the payload protocol is: application layer data + transport layer header + network layer header.
In use, the user-mode protocol stack is invoked by a dedicated application program: the application passes the payload-layer data to be processed to the user-mode protocol stack, and after the stack has processed it, the application passes the data on to other functional modules for the subsequent bearer-layer protocol encapsulation. For example, if the payload-layer protocol is a user's application-layer HTTP request data, the data can still be regarded as application-layer HTTP request data after the user-mode protocol stack has processed it; once it has passed through the stack's series of encryption, authentication, fragmentation and similar steps, other functional modules add the bearer-layer protocols, for example a switch module adds the layer-4 to layer-2 protocol encapsulation, and the data is then forwarded by the network card. In this way the high-performance data forwarding and the reliable and secure transmission of the user-mode protocol stack are completed in sequence.
Packet processing by the user-mode protocol stack comprises push processing and pop processing. A push protocol packet, or push packet, is the payload the protocol stack receives from the lower layer; a pop protocol packet, or pop packet, is a packet the protocol stack needs to forward further down to the underlying bearer protocol. The workflow of the user-mode protocol stack for high-performance data forwarding is thus divided into two flows, push and pop: push is the processing of a data packet the protocol stack receives from the lower-layer bearer protocol, and pop is the processing that takes place before the protocol stack hands a data packet to the lower-layer bearer protocol for forwarding. First, both communication parties need to perform a Security Association (SA) procedure, which is mainly used to establish and maintain a secure communication connection. The SA mainly contains a source identifier and a destination identifier.
Referring to fig. 4, data received from a specific network card is captured into the user-mode protocol stack through an interface provided by the system; on the sending side it is forwarded through the network port after pop processing by the user-mode protocol stack, and on the receiving side the data received from the network port is handled by the user-mode protocol stack in push processing.
Packet pop process: the user-mode protocol stack looks up the SA for the packet to be popped; if there is no associated SA, the packet is discarded, otherwise the subsequent packet processing continues. Depending on the security requirements of the communication, either the data transmission protocol or the reliable data transmission protocol is selected. The difference between the two is that one provides reliable data transmission and the other unreliable: unreliable means that the data packet is not guaranteed to reach the receiving end, whereas the reliable data transmission protocol provides an acknowledgement and retransmission mechanism for data packets. In the data transmission protocol the packet is mainly fragmented and reassembled: the process checks whether the packet size exceeds the maximum transmission unit and, if so, fragments it accordingly and adds fragment identifiers. A function for sending traffic padding messages is also added, realizing the traffic padding mechanism of ISO 7498-2. The transmission security protocol is then processed: authentication is first performed by the security authentication protocol (SPA), which adds the authentication header; cryptographic processing and encapsulation are then performed by the encapsulation protocol (ESP).
Packet push process: the SA must likewise be found first; if it is not found, the push of the packet is rejected, and if it is found, an appropriate push path is selected for the packet and the subsequent packet processing continues. The transmission security protocol is processed first: authentication is performed by the security authentication protocol (SPA), after which the encapsulation protocol (ESP) performs the cryptographic processing and removes the encapsulation. Either the data transmission protocol or the reliable data transmission protocol is then selected according to the data transmission type of the packet. It is first determined whether the packet is a fragment; if so, the subsequent fragment reassembly is performed. If the protocol is the reliable data transmission protocol, a packet acknowledgement message must be sent; if the sending end does not receive the acknowledgement message for a long time, the message is retransmitted. After the data has been encapsulated, it is forwarded by the network card.
For packets being popped, the reliable data transmission protocol or the data transmission protocol is selected according to the reliability requirement of the communication. The two protocols share the fragmentation of data packets, where fragmentation is performed mainly according to whether the packet size exceeds the maximum transmission unit. The reliability of the reliable transmission protocol lies mainly in data retransmission and acknowledgement. After fragmentation, the packet is encrypted and authenticated using the transmission security protocol: the authentication header is added mainly by the security authentication protocol (SPA), and encryption and encapsulation are performed by the encapsulation protocol (ESP).
For packets being pushed, authentication must first be performed by the security authentication protocol (SPA), after which the encapsulation protocol (ESP) performs the cryptographic processing and removes the encapsulation. Fragment reassembly of the packet is handled by the reliable data transmission protocol or the data transmission protocol; the reliable data transmission protocol additionally sends an acknowledgement message for every packet received, and if the peer does not receive the acknowledgement for a long time, it retransmits the previously sent packet.
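The pop and push flows described above (SA lookup, fragmentation by MTU, SPA authentication header with anti-replay, ESP confidentiality and integrity, reassembly) as an added, constructed Python model; this is not the patent's code. The keys, the 16-byte truncated HMAC-SHA256 tags, the HMAC-based keystream standing in for the negotiated cipher suite, and the header layouts are all assumptions made here.

```python
import hashlib
import hmac
import struct

FRAG_HDR = struct.Struct("!HHH")     # fragment id, fragment index, fragment count
SPA_HDR = struct.Struct("!IQ")       # SA identifier, sequence number (anti-replay)
TAG_LEN = 16                         # truncated HMAC-SHA256 tags for SPA and ESP
REPLAY_WINDOW = 64


class SecurityAssociation:
    """SA state as negotiated by the authentication and key exchange protocol.
    Keys are constructed here; a real stack derives them from the handshake."""

    def __init__(self, sa_id, auth_key, enc_key):
        self.sa_id = sa_id
        self.auth_key = auth_key         # SPA source-authentication key
        self.enc_key = enc_key           # ESP confidentiality key
        self.int_key = hmac.new(enc_key, b"esp-integrity", hashlib.sha256).digest()
        self.send_seq = 0                # pop side: next sequence number
        self.highest_seq = 0             # push side: anti-replay window state
        self.seen = set()
        self.frag_id = 0
        self.reassembly = {}             # fragment id -> {index: bytes}


def _keystream(key, nonce, length):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), not a real cipher suite."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:length]


def fragment(sa, payload, mtu):
    """Data transmission protocol: split so that each fragment plus header fits the MTU."""
    chunk = mtu - FRAG_HDR.size
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    sa.frag_id = (sa.frag_id + 1) & 0xFFFF
    return [FRAG_HDR.pack(sa.frag_id, i, len(pieces)) + p for i, p in enumerate(pieces)]


def pop_packet(sa, frag):
    """Pop path: attach the SPA header, let ESP encrypt the fragment and add its
    integrity tag, then bind header and ESP output with the SPA source-auth tag."""
    sa.send_seq += 1
    spa_hdr = SPA_HDR.pack(sa.sa_id, sa.send_seq)
    nonce = spa_hdr[4:]                  # the sequence number doubles as ESP nonce
    ct = bytes(a ^ b for a, b in zip(frag, _keystream(sa.enc_key, nonce, len(frag))))
    esp = ct + hmac.new(sa.int_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    spa_tag = hmac.new(sa.auth_key, spa_hdr + esp, hashlib.sha256).digest()[:TAG_LEN]
    return spa_hdr + spa_tag + esp


def push_packet(sa_table, wire):
    """Push path: SA lookup, SPA authentication and anti-replay check, ESP integrity
    check and decryption, then fragment reassembly. Returns (status, payload)."""
    if len(wire) < SPA_HDR.size + 2 * TAG_LEN + FRAG_HDR.size:
        return ("malformed", None)
    spa_hdr = wire[:SPA_HDR.size]
    spa_tag = wire[SPA_HDR.size:SPA_HDR.size + TAG_LEN]
    esp = wire[SPA_HDR.size + TAG_LEN:]
    sa_id, seq = SPA_HDR.unpack(spa_hdr)
    sa = sa_table.get(sa_id)
    if sa is None:
        return ("no_sa", None)           # no security association: discard
    if seq <= sa.highest_seq - REPLAY_WINDOW or seq in sa.seen:
        return ("replay", None)          # outside the window or already seen
    want = hmac.new(sa.auth_key, spa_hdr + esp, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(want, spa_tag):
        return ("bad_auth", None)        # source authentication failed
    nonce, ct, esp_tag = spa_hdr[4:], esp[:-TAG_LEN], esp[-TAG_LEN:]
    want = hmac.new(sa.int_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(want, esp_tag):
        return ("bad_esp", None)         # ESP integrity failed
    sa.seen.add(seq)                     # advance the anti-replay window
    sa.highest_seq = max(sa.highest_seq, seq)
    sa.seen = {s for s in sa.seen if s > sa.highest_seq - REPLAY_WINDOW}
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(sa.enc_key, nonce, len(ct))))
    frag_id, idx, count = FRAG_HDR.unpack_from(plain)
    bucket = sa.reassembly.setdefault(frag_id, {})
    bucket[idx] = plain[FRAG_HDR.size:]
    if len(bucket) < count:
        return ("fragment", None)        # wait for the remaining fragments
    del sa.reassembly[frag_id]
    return ("complete", b"".join(bucket[i] for i in range(count)))


def demo():
    """Constructed end-to-end run: one 100-byte message over an MTU of 40 bytes."""
    keys = (b"constructed-spa-auth-key", b"constructed-esp-enc-key")
    sender, receiver = SecurityAssociation(7, *keys), SecurityAssociation(7, *keys)
    table = {7: receiver}                # the receiver's SA lookup table
    payload = bytes(range(100))
    wire = [pop_packet(sender, f) for f in fragment(sender, payload, 40)]
    results = [push_packet(table, w) for w in wire]   # fragment, fragment, complete
    replay = push_packet(table, wire[0])              # replayed packet is rejected
    extra = pop_packet(sender, fragment(sender, b"probe", 40)[0])
    tampered = push_packet(table, extra[:-1] + bytes([extra[-1] ^ 1]))
    unknown = push_packet({}, wire[0])                # no SA: discarded
    return results, replay, tampered, unknown
```

Note that the receiver authenticates the SPA tag before touching the ESP body, so a packet that fails source authentication or the replay window never reaches decryption or the reassembly buffers.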
Security of the user-mode protocol stack: packet authentication is provided by the security authentication (SPA) protocol, which adds the authentication part in the pop process and verifies the packet in the push process, so that only authenticated packets proceed to subsequent processing. During data transmission, encryption and packet integrity verification are performed by the packet security encapsulation protocol (ESP) of the transmission security protocol. The keys and cryptographic parameters used for encryption, integrity checking and authentication are updated by the key update protocol.
Reliability protection of the user-mode protocol stack's data transmission: the reliable data transmission protocol not only reassembles fragmented packets but also provides a timeout retransmission and acknowledgement mechanism, solving the problem of packet loss during transmission. The RTT measurement protocol serves the reliable data transmission protocol by providing the round-trip delay reference used for packet retransmission. The specific formula is shown in fig. 5, where RTO is the timeout retransmission time and RTT is the round trip time of the given channel as measured by the measurement protocol. The heartbeat protocol serves the reliable data transmission protocol and ensures that the communication link provided by the channel is reachable. The flow control protocol ensures that the sending and receiving rates at the two ends of the channel match, avoiding packet loss caused by a rate mismatch. The alarm protocol reports to the peer alarm information arising during secure transmission.
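The timeout retransmission and acknowledgement mechanism of the reliable data transmission protocol, as an added, constructed Python model that is not the patent's code. RTO is taken as a given input (assumed to come from the RTT measurement protocol, since the formula itself is only in fig. 5); the tick clock, the per-packet retry limit and the deterministic loss pattern are assumptions made here.

```python
import collections


class ReliableSender:
    """Pop (sending) side: every packet stays in the unacknowledged set until its
    acknowledgement arrives; otherwise it is resent when its RTO expires."""

    def __init__(self, rto, max_retries=3):
        self.rto = rto                   # assumed supplied by the RTT measurement protocol
        self.max_retries = max_retries
        self.next_seq = 1
        self.unacked = {}                # seq -> [payload, deadline, retries]
        self.retransmitted = []
        self.failed = []                 # given up; would be reported via the alarm protocol

    def send(self, payload, now):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.unacked[seq] = [payload, now + self.rto, 0]
        return (seq, payload)

    def on_ack(self, seq):
        self.unacked.pop(seq, None)      # late or duplicate ACKs are harmless

    def on_timer(self, now):
        """Timeout retransmission: return the packets whose RTO has expired."""
        resend = []
        for seq, state in list(self.unacked.items()):
            if now < state[1]:
                continue
            if state[2] >= self.max_retries:
                self.failed.append(seq)
                del self.unacked[seq]
                continue
            state[1], state[2] = now + self.rto, state[2] + 1
            self.retransmitted.append(seq)
            resend.append((seq, state[0]))
        return resend


class ReliableReceiver:
    """Push (receiving) side: acknowledges every packet, delivering each seq once."""

    def __init__(self):
        self.delivered = collections.OrderedDict()
        self.duplicates = 0

    def receive(self, seq, payload):
        if seq in self.delivered:
            self.duplicates += 1         # retransmit whose original ACK was lost
        else:
            self.delivered[seq] = payload
        return seq                       # acknowledgement packet for this seq


def simulate(payloads, rto=2, drop_data=frozenset(), drop_acks=frozenset()):
    """Deterministic lossy channel: the first transmission of each seq in drop_data is
    lost, and the first ACK of each seq in drop_acks is lost. Advances a tick clock
    until everything is acknowledged or given up. Returns (payloads reordered by seq,
    list of retransmitted seqs, number of duplicates absorbed by the receiver)."""
    tx, rx = ReliableSender(rto), ReliableReceiver()
    lost_data, lost_ack = set(drop_data), set(drop_acks)
    now = 0
    queue = [tx.send(p, now) for p in payloads]
    while queue or tx.unacked:
        for seq, payload in queue:
            if seq in lost_data:
                lost_data.discard(seq)
                continue                 # data packet lost on the way to the receiver
            ack = rx.receive(seq, payload)
            if ack in lost_ack:
                lost_ack.discard(ack)
                continue                 # ACK lost on the way back to the sender
            tx.on_ack(ack)
        now += 1
        queue = tx.on_timer(now)
    ordered = [rx.delivered[s] for s in sorted(rx.delivered)]
    return ordered, tx.retransmitted, rx.duplicates
```

The run with one lost data packet and one lost acknowledgement shows the two outcomes the mechanism has to cover: the lost packet is resent after RTO, and the packet whose ACK was lost is resent too, so the receiver must absorb the duplicate rather than deliver it twice.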
Further, the embodiment of the invention also provides a system for secure and reliable data transmission based on the user-mode protocol stack, which comprises a protocol setting module, a data processing module and a data transmission module, wherein
the protocol setting module is used for encapsulating, by setting calling functions in the user-mode protocol stack, a secure communication protocol that performs encryption, authentication and fragmentation processing on application service request data packets;
the data processing module is used for creating an interface data calling function for the application service request; the interface data calling function is associated with the corresponding calling function in the user-mode protocol stack, and the application service data packet is sent to the user-mode protocol stack for processing;
and the data transmission module is used for having the user-mode protocol stack perform push and pop packet processing on the received application service message according to the associated calling function and forward the processed data packet to the application service corresponding to the user-mode protocol stack, wherein the push and pop packet processing comprises at least packet authentication, fragment reassembly, encryption and decryption, and encapsulation and decapsulation.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
Based on the above method and/or system, the embodiment of the present invention further provides a server, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above-described method and/or system, embodiments of the present invention also provide a computer-readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the above-described method.
Any particular values in all examples shown and described herein are to be construed as merely illustrative and not a limitation, and thus other examples of exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.