CN114205073B - Password Reverse Firewall and Its Security Defense Method - Google Patents

Password Reverse Firewall and Its Security Defense Method Download PDF

Info

Publication number
CN114205073B
CN114205073B CN202010978321.4A CN202010978321A CN114205073B CN 114205073 B CN114205073 B CN 114205073B CN 202010978321 A CN202010978321 A CN 202010978321A CN 114205073 B CN114205073 B CN 114205073B
Authority
CN
China
Prior art keywords
ciphertext
public key
random number
reverse firewall
password reverse
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010978321.4A
Other languages
Chinese (zh)
Other versions
CN114205073A (en
Inventor
张宗洋
李耕
刘建伟
刘懿中
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CN202010978321.4A priority Critical patent/CN114205073B/en
Publication of CN114205073A publication Critical patent/CN114205073A/en
Application granted granted Critical
Publication of CN114205073B publication Critical patent/CN114205073B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

本发明公开了一种密码反向防火墙及其安全防御方法,其中,密码反向防火墙包括第一密码反向防火墙和第二密码反向防火墙,每个密码反向防火墙用于对实体与外部信息之间传输的消息进行处理,方法包括以下步骤:对第一公钥进行随机数提取以获得第一随机数;根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥;对第一密文进行随机数提取以获得第二随机数,并根据第二随机数对第一密文进行密文再随机化处理以获得第二密文;根据第一随机数对第二密文进行处理以获得第三密文。由此,有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。

Figure 202010978321

The invention discloses a password reverse firewall and a security defense method thereof, wherein the password reverse firewall includes a first password reverse firewall and a second password reverse firewall, and each password reverse firewall is used to link entities and external information The method includes the following steps: performing random number extraction on the first public key to obtain the first random number; performing public key re-randomization processing on the first public key according to the first random number to obtain the second public key; random number extraction is performed on the first ciphertext to obtain a second random number, and ciphertext re-randomization is performed on the first ciphertext according to the second random number to obtain the second ciphertext; according to the first random number pair The second ciphertext is processed to obtain a third ciphertext. As a result, the number of random numbers generated during the operation of the password reverse firewall is effectively reduced, the degree of dependence on trusted random sources is reduced, and the realizability is improved.

Figure 202010978321

Description

密码反向防火墙及其安全防御方法Password Reverse Firewall and Its Security Defense Method

技术领域technical field

本发明涉及密码学领域,特别涉及一种密码反向防火墙的安全防御方法和一种密码反向防火墙。The invention relates to the field of cryptography, in particular to a security defense method of a password reverse firewall and a password reverse firewall.

背景技术Background technique

大规模监视问题在以“棱镜门”为代表的一系列安全事件后,受到了密码学理论界与信息安全产业界的广泛关注。作为大规模监视的重要可能手段之一,颠覆攻击(Subversion attack)因其高度隐蔽性和广泛危害性,得到了学界的重点讨论。监视者可利用特殊权力及手段,在密码系统构建和应用的各个阶段,对用户所使用的密码算法的执行进行替换(颠覆),使之一定程度上区别于标准算法说明,从而实现对用户隐私的获取。在某些特殊案例中,对于不掌握特殊后门信息的使用者,被颠覆的算法执行与标准算法说明甚至具有理论上的计算不可识别特性,这使得对于颠覆攻击的防御具有相当难度。After a series of security incidents represented by "Prism Gate", the issue of mass surveillance has attracted extensive attention from the field of cryptography theory and information security industry. As one of the important possible means of mass surveillance, subversion attack (Subversion attack) has been discussed in the academic circle because of its high concealment and extensive harm. Monitors can use special powers and means to replace (subvert) the execution of the cryptographic algorithm used by the user at various stages of cryptographic system construction and application, making it different from the standard algorithm description to a certain extent, thereby realizing protection of user privacy. of acquisition. In some special cases, for users who do not have special backdoor information, the subverted algorithm execution and standard algorithm description even have theoretical computational unrecognizable characteristics, which makes it quite difficult to defend against subversion attacks.

密码反向防火墙(Cryptographic reverse firewall,CRF)是对抗颠覆攻击的有效手段之一。作为可信器件,其可以以各种形式,存在于用户计算机与外界之间,对密码协议中所有进出计算机的信息进行处理,以达到防止用户隐私泄露的目的。然而,现有的密码反向防火墙在设计时仅仅考虑了一个CRF针对一种协议中的一个实体进行防御的形式,直接按照这种设计构造的CRF实体,理论上不具备可扩展和可组合的能力。并且,如采用这种设计,在实际应用中需要设置大量的CRF,考虑大规模监视的背景,部署如此多数量的可信模块显然不符合产业现实。此外,当前所有的CRF具体构造中,协议实体每产生一个随机数,CRF都要重新生成一个与之对应的随机数,即,CRF需要生成与协议运行中产生随机数等量的可信随机数,这种设计需要消耗大量的可信资源,现实可行性不高。Cryptographic reverse firewall (CRF) is one of the effective means against subversive attacks. As a trusted device, it can exist in various forms between the user's computer and the outside world, and process all the information entering and leaving the computer in the cryptographic protocol, so as to prevent the user's privacy from being leaked. However, the existing cryptographic reverse firewalls only consider the form of a CRF defending against an entity in a protocol when designing, and the CRF entity constructed directly according to this design does not have expandable and combinable capabilities in theory. ability. Moreover, if this design is adopted, a large number of CRFs need to be set in practical applications. Considering the background of large-scale surveillance, deploying such a large number of trusted modules is obviously not in line with industrial reality. In addition, in the specific construction of all current CRFs, each time the protocol entity generates a random number, the CRF must regenerate a corresponding random number, that is, the CRF needs to generate a trusted random number equal to the random number generated during the protocol operation , this design needs to consume a large amount of trusted resources, and the actual feasibility is not high.

发明内容Contents of the invention

本发明旨在至少在一定程度上解决相关技术中的技术问题之一。为此,本发明的第一个目的在于提出一种密码反向防火墙的安全防御方法,能够有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。The present invention aims to solve one of the technical problems in the related art at least to a certain extent. For this reason, the first object of the present invention is to propose a security defense method of a password reverse firewall, which can effectively reduce the random number quantity generated by the password reverse firewall during operation, reduce the dependence on trusted random sources, Improve realizability.

本发明的第二个目的在于提出一种密码反向防火墙。The second object of the present invention is to propose a password reverse firewall.

为达到上述目的,本发明第一方面实施例提出了一种密码反向防火墙的安全防御方法,其中,所述密码反向防火墙包括第一密码反向防火墙和第二密码反向防火墙,所述第一密码反向防火墙对应消息发送实体设置,所述第二密码反向防火墙对应消息接收实体设置,每个所述密码反向防火墙均包括第一端口和第二端口,所述第一端口与所述实体相连,所述第二端口与外部信道相连,每个所述密码反向防火墙用于对所述实体与所述外部信息之间传输的消息进行处理,所述方法包括以下步骤:所述第二密码反向防火墙的第一端口接收来自所述消息接收实体发送的第一公钥,利用内部会话单元对所述第一公钥进行随机数提取以获得第一随机数,并根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得第二公钥,以及将所述第二公钥通过相应的第二端口向所述外部信道发送;所述第一密码反向防火墙的第二端口接收来自所述外部信道的所述第二公钥,利用内部会话单元将所述第二公钥通过相应的第一端口向所述消息发送实体透传,并对所述第二公钥进行记录;所述第一密码反向防火墙的第一端口接收来自所述消息发送实体发送的第一密文,利用内部会话单元对所述第一密文进行随机数提取以获得第二随机数,并根据所述第二随机数对所述第一密文进行密文再随机化处理以获得第二密文,以及将所述第二密文通过相应的第二端口向所述外部信道发送;所述第二密码反向防火墙的第二端口接收来自所述外部信道的所述第二密文,利用内部会话单元根据所述第一随机数对所述第二密文进行处理以获得第三密文,并将所述第三密文通过相应的第一端口向所述消息接收实体透传。In order to achieve the above purpose, the embodiment of the first aspect of the present invention proposes a security defense method for a password reverse firewall, wherein the password reverse firewall includes a first password reverse firewall and a second password reverse firewall, the The corresponding message sending entity of the first password reverse firewall is set, and the corresponding message receiving entity of the second password reverse firewall is set, and each of the password reverse firewalls includes a first port and a second port, and the first port is connected to the second port. The entity is connected, the second port is connected to an external channel, and each of the password reverse firewalls is used to process messages transmitted between the entity and the external information, and the method includes the following steps: The first port of the second password reverse firewall receives the first public key sent by the message receiving entity, and uses the internal session unit to extract a random number from the first public key to obtain a first random number, and according to the performing public key re-randomization processing on the first public key with the first random number to obtain a second public key, and sending the second public key to the external channel through a corresponding second port; the second public key A second port of a cryptographic reverse firewall receives the second public key from the external channel, uses an internal session unit to transparently transmit the second public key to the message sending entity through the corresponding first port, and Recording the second public key; the first port of the first password reverse firewall receives the first ciphertext sent by the message sending entity, and uses the internal session unit to perform a random number on the first ciphertext Extracting to obtain a second random number, performing ciphertext re-randomization on the first ciphertext according to the second random number to obtain a second ciphertext, and passing the second ciphertext through the corresponding second The port sends to the external channel; the second port of the second password reverse firewall receives the second ciphertext from the external channel, and uses the internal session unit to pair the second cipher text according to the first random number. The ciphertext is processed to obtain a third ciphertext, and the third ciphertext is transparently transmitted to the message receiving entity through the corresponding first port.

根据本发明实施例的密码反向防火墙的安全防御方法,首先,第二密码反向防火墙的第一端口接收来自消息接收实体发送的第一公钥,利用内部会话单元对第一公钥进行随机数提取以获得第一随机数,并根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥,以及将第二公钥通过相应的第二端口向外部信道发送,然后,第一密码反向防火墙的第二端口接收来自外部信道的第二公钥,利用内部会话单元将第二公钥通过相应的第一端口向消息发送实体透传,并对第二公钥进行记录,进而,第一密码反向防火墙的第一端口接收来自消息发送实体发送的第一密文,利用内部会话单元对第一密文进行随机数提取以获得第二随机数,并根据第二随机数对第一密文进行密文再随机化处理以获得第二密文,以及将第二密文通过相应的第二端口向外部信道发送,最后,第二密码反向防火墙的第二端口接收来自外部信道的第二密文,利用内部会话单元根据第一随机数对第二密文进行处理以获得第三密文,并将第三密文通过相应的第一端口向消息接收实体透传。由此,有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。According to the security defense method of the cryptographic reverse firewall of the embodiment of the present invention, first, the first port of the second cryptographic reverse firewall receives the first public key sent from the message receiving entity, and uses the internal session unit to randomize the first public key. Number extraction to obtain the first random number, and perform public key re-randomization on the first public key according to the first random number to obtain the second public key, and send the second public key to the external channel through the corresponding second port , then, the second port of the first cryptographic reverse firewall receives the second public key from the external channel, uses the internal session unit to transparently transmit the second public key to the message sending entity through the corresponding first port, and transmits the second public key to the second public key Then, the first port of the first password reverse firewall receives the first ciphertext sent by the message sending entity, uses the internal session unit to extract the random number from the first ciphertext to obtain the second random number, and according to The second random number performs ciphertext randomization processing on the first ciphertext to obtain the second ciphertext, and sends the second ciphertext to the external channel through the corresponding second port. Finally, the second password reverses the first ciphertext of the firewall. The second port receives the second ciphertext from the external channel, uses the internal session unit to process the second ciphertext according to the first random number to obtain the third ciphertext, and sends the third ciphertext to the message through the corresponding first port Entity transparent transmission. As a result, the number of random numbers generated during the operation of the password reverse firewall is effectively reduced, the degree of dependence on trusted random sources is reduced, and the realizability is improved.

另外,根据本发明上述实施例的密码反向防火墙的安全防御方法,还可以具有如下的附加技术特征:In addition, the security defense method of the password reverse firewall according to the foregoing embodiments of the present invention may also have the following additional technical features:

根据本发明的一个实施例,所述对所述第一公钥进行随机数提取以获得第一随机数,包括:利用第一预设单射函数对所述第一公钥进行编码以将所述第一公钥映射至第一预设伪随机置换函数的输入空间并获得第一编码信息;如果所述第一编码信息已经存在,则进行报警提醒,并阻断所有消息传输;如果所述第一编码信息未存在,则记录所述第一编码信息,并利用所述第一预设伪随机置换函数和所述第一预设伪随机置换函数的密钥对所述第一编码信息进行置换以获得所述第一随机数,其中,所述第一预设伪随机置换函数的密钥在所述第二密码反向防火墙启动时由外部注入或自动生成。According to an embodiment of the present invention, the extracting the random number from the first public key to obtain the first random number includes: using a first preset injective function to encode the first public key to encode the The first public key is mapped to the input space of the first preset pseudo-random permutation function and the first encoded information is obtained; if the first encoded information already exists, an alarm is issued and all message transmissions are blocked; if the described If the first encoded information does not exist, then record the first encoded information, and use the first preset pseudo-random permutation function and the key of the first preset pseudo-random permutation function to perform the first encoding information permutation to obtain the first random number, wherein the key of the first preset pseudo-random permutation function is externally injected or automatically generated when the second password reverse firewall is started.

根据本发明的一个实施例,所述根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得第二公钥,包括:利用预设公钥再随机化函数根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得所述第二公钥。According to an embodiment of the present invention, performing public key re-randomization processing on the first public key according to the first random number to obtain a second public key includes: using a preset public key re-randomization function according to The first random number performs public key re-randomization processing on the first public key to obtain the second public key.

根据本发明的一个实施例,所述对所述第一密文进行随机数提取以获得第二随机数,包括:利用第二预设单射函数对所述第一密文进行编码以将所述第一密文映射至第二预设伪随机置换函数的输入空间并获得第二编码信息;如果所述第二编码信息已经存在,则进行报警提醒,并阻断所有消息传输;如果所述第二编码信息未存在,则记录所述第二编码信息,并利用所述第二预设伪随机置换函数和所述第二预设伪随机置换函数的密钥对所述第二编码信息进行置换以获得所述第二随机数,其中,所述第二预设伪随机置换函数的密钥在所述第一密码反向防火墙启动时由外部注入或自动生成。According to an embodiment of the present invention, the extracting the random number from the first ciphertext to obtain the second random number includes: using a second preset injective function to encode the first ciphertext to convert the The first ciphertext is mapped to the input space of the second preset pseudo-random permutation function and the second encoded information is obtained; if the second encoded information already exists, an alarm is issued and all message transmissions are blocked; if the described If the second coded information does not exist, then record the second coded information, and use the second preset pseudo-random permutation function and the key of the second preset pseudo-random permutation function to process the second coded information permutation to obtain the second random number, wherein the key of the second preset pseudo-random permutation function is externally injected or automatically generated when the first password reverse firewall is started.

根据本发明的一个实施例,所述根据所述第二随机数对所述第一密文进行密文再随机化处理以获得第二密文,包括:利用预设密文再随机化函数根据所述第二随机数和所述第二公钥对所述第一密文进行密文再随机化处理以获得所述第二密文。According to an embodiment of the present invention, performing ciphertext re-randomization processing on the first ciphertext according to the second random number to obtain a second ciphertext includes: using a preset ciphertext re-randomization function according to The second random number and the second public key perform ciphertext re-randomization processing on the first ciphertext to obtain the second ciphertext.

根据本发明的一个实施例,所述根据所述第一随机数对所述第二密文进行处理以获得第三密文,包括:利用预设密文恢复函数根据所述第一随机数对所述第二密文进行恢复以获得所述第三密文。According to an embodiment of the present invention, the processing the second ciphertext according to the first random number to obtain the third ciphertext includes: using a preset ciphertext recovery function to The second ciphertext is recovered to obtain the third ciphertext.

根据本发明的一个实施例,所述第一密码反向防火墙和所述第二密码反向防火墙接收和发送的消息均满足六元组格式,如果不满足,则进行报警提醒,其中,所述六元组格式包括协议种类标识、会话标识、消息发送实体标识、消息接收实体标识、消息内容和消息的联合数据。According to an embodiment of the present invention, the messages received and sent by the first password reverse firewall and the second password reverse firewall all satisfy the six-tuple format, and if not, an alarm reminder is given, wherein the The six-tuple format includes the protocol type identifier, session identifier, message sending entity identifier, message receiving entity identifier, message content and combined data of the message.

根据本发明的一个实施例,所述密码反向防火墙的安全防御方法,还包括:所述第二密码反向防火墙在接收到所述第一公钥后,生成所述内部会话单元,并对该内部会话单元进行标记,其中标记信息包括所述协议种类标识、所述会话标识和所述消息接收实体标识;所述第二密码反向防火墙在接收到所述第二密文后,还查找所述内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。According to an embodiment of the present invention, the security defense method of the password reverse firewall further includes: after the second password reverse firewall receives the first public key, generates the internal session unit, and The internal session unit performs marking, wherein the marking information includes the protocol type identification, the session identification and the message receiving entity identification; after the second password reverse firewall receives the second ciphertext, it also searches Whether the internal conversational unit exists, if not, an alarm is given; if it exists, the internal conversational unit is run.

根据本发明的一个实施例,所述密码反向防火墙的安全防御方法,还包括:所述第一密码反向防火墙在接收到所述第二公钥后,生成所述内部会话单元,并对该内部会话单元进行标记,其中标记信息包括所述协议种类标识、所述会话标识和所述消息发送实体标识;所述第一密码反向防火墙在接收到所述第一密文后,还查找所述内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。According to an embodiment of the present invention, the security defense method of the password reverse firewall further includes: after the first password reverse firewall receives the second public key, generates the internal session unit, and The internal session unit performs marking, wherein the marking information includes the protocol type identification, the session identification and the message sending entity identification; after the first password reverse firewall receives the first ciphertext, it also searches Whether the internal conversational unit exists, if not, an alarm is given; if it exists, the internal conversational unit is run.

为达到上述目的,本发明第二方面实施例提出的密码反向防火墙,包括如上所述的密码反向防火墙的安全防御方法。In order to achieve the above purpose, the password reverse firewall proposed in the embodiment of the second aspect of the present invention includes the security defense method of the password reverse firewall as described above.

根据本发明实施例的密码反向防火墙,应用上述密码反向防火墙的安全防御方法,能够有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。According to the password reverse firewall of the embodiment of the present invention, the security defense method of the above password reverse firewall can effectively reduce the number of random numbers generated by the password reverse firewall during operation, reduce the dependence on credible random sources, and improve Realizability.

本发明附加的方面和优点将在下面的描述中部分给出,部分将从下面的描述中变得明显,或通过本发明的实践了解到。Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

附图说明Description of drawings

图1为根据本发明实施例的密码反向防火墙的部署方式的示意图;FIG. 1 is a schematic diagram of a deployment mode of a password reverse firewall according to an embodiment of the present invention;

图2为根据本发明实施例的密码反向防火墙所服务的消息传输协议原理的示意图;Fig. 2 is a schematic diagram of the message transmission protocol principle served by the password reverse firewall according to an embodiment of the present invention;

图3为根据本发明实施例的密码反向防火墙通讯方式的示意图3 is a schematic diagram of a password reverse firewall communication method according to an embodiment of the present invention

图4为根据本发明实施例的密码反向防火墙的安全防御方法的流程示意图;4 is a schematic flow diagram of a security defense method for a password reverse firewall according to an embodiment of the present invention;

图5为根据本发明一个实施例的密码反向防火墙的安全防御方法的流程示意图;FIG. 5 is a schematic flow diagram of a security defense method for a password reverse firewall according to an embodiment of the present invention;

图6为根据本发明一个实施例的密码反向防火墙的安全防御方法的流程示意图;6 is a schematic flow diagram of a security defense method for a password reverse firewall according to an embodiment of the present invention;

图7为根据本发明一个实施例的密码反向防火墙的安全防御方法的流程示意图;7 is a schematic flow diagram of a security defense method for a password reverse firewall according to an embodiment of the present invention;

图8为根据本发明一个实施例的密码反向防火墙的安全防御方法的流程示意图。FIG. 8 is a schematic flowchart of a security defense method for a password reverse firewall according to an embodiment of the present invention.

具体实施方式detailed description

下面详细描述本发明的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的,旨在用于解释本发明,而不能理解为对本发明的限制。Embodiments of the present invention are described in detail below, examples of which are shown in the drawings, wherein the same or similar reference numerals designate the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the figures are exemplary and are intended to explain the present invention and should not be construed as limiting the present invention.

在介绍本发明实施例的密码反向防火墙和密码反向防火墙的安全防御方法之前,结合图1对本发明实施例的密码反向防火墙的部署方式,以及结合图2对本发明实施例的密码反向防火墙所服务的消息传输协议的原理进行介绍。Before introducing the password reverse firewall and the security defense method of the password reverse firewall in the embodiment of the present invention, the deployment method of the password reverse firewall in the embodiment of the present invention is described in conjunction with FIG. The principle of the message transmission protocol served by the firewall is introduced.

具体地,如图1所示,本发明实施例中的密码反向防火墙采取群服务式架构,即一台密码反向防火墙服务于局域网内多台计算机,且具备可组合能力,即当密码反向防火墙所服务的主机数量任意增多、密码反向防火墙所支持的协议种类任意扩展、所服务的协议的调用方式和运行环境任意改变时,密码反向防火墙对每一个协议会话的安全防护性能不下降。Specifically, as shown in Figure 1, the password reverse firewall in the embodiment of the present invention adopts a group service architecture, that is, one password reverse firewall serves multiple computers in the LAN, and has the ability to be combined, that is, when the password reverse When the number of hosts served by the firewall increases arbitrarily, the types of protocols supported by the password reverse firewall expand arbitrarily, and the calling methods and operating environments of the protocols served change arbitrarily, the security protection performance of the password reverse firewall for each protocol session is not good. decline.

进一步地,如图2所示,本发明实施例的密码反向防火墙涉及的消息传输协议基于公钥加密体制PE=(KeyGen,Enc,Dec),其中,KeyGen为密钥生成算法,Enc为加密算法,Dec为解密算法。Further, as shown in FIG. 2 , the message transmission protocol involved in the cryptographic reverse firewall of the embodiment of the present invention is based on the public key encryption system PE=(KeyGen, Enc, Dec), wherein, KeyGen is a key generation algorithm, and Enc is an encryption Algorithm, Dec is the decryption algorithm.

举例而言,协议中消息的发送方为Alice,接收方为Bob,协议的初始输入为对Alice输入消息m,最终输出为Bob输出消息m′,且协议的正确性体现为m′=m,则协议运行具体方式为:首先,Bob运行密钥生成算法产生公私密钥对(pk,sk)←KeyGen(1λ),并将公钥pk发送给协议中消息的发送方Alice,然后,Alice运行c←Enc(pk,m),并将c发送给Bob,最后,Bob对c进行解密m′←Dec(sk,c),并输出m′,其中,sk为用于加密得到c的公钥的对应私钥。For example, in the protocol, the sender of the message is Alice, and the receiver is Bob. The initial input of the protocol is to input message m to Alice, and the final output is to output message m' to Bob, and the correctness of the protocol is reflected by m'=m, The specific way of running the protocol is as follows: First, Bob runs the key generation algorithm to generate a public-private key pair (pk, sk)←KeyGen(1 λ ), and sends the public key pk to Alice, the sender of the message in the protocol, and then, Alice Run c←Enc(pk, m), and send c to Bob, and finally, Bob decrypts c m′←Dec(sk, c), and outputs m′, where sk is the public key used to encrypt c The corresponding private key of the key.

下面参考附图描述本发明实施例的密码反向防火墙和密码反向防火墙的安全防御方法。The password reverse firewall and the security defense method of the password reverse firewall according to the embodiments of the present invention are described below with reference to the accompanying drawings.

具体地,如图3所示,密码反向防火墙包括第一密码反向防火墙和第二密码反向防火墙,第一密码反向防火墙对应消息发送实体设置,第二密码反向防火墙对应消息接收实体设置,每个密码反向防火墙均包括第一端口和第二端口,第一端口与实体相连,第二端口与外部信道相连,每个密码反向防火墙用于对实体与外部信息之间传输的消息进行处理。Specifically, as shown in Figure 3, the password reverse firewall includes a first password reverse firewall and a second password reverse firewall, the first password reverse firewall corresponds to the message sending entity setting, and the second password reverse firewall corresponds to the message receiving entity Setting, each password reverse firewall includes a first port and a second port, the first port is connected to the entity, and the second port is connected to the external channel, and each password reverse firewall is used for transmitting between the entity and external information The message is processed.

进一步地,如图4所示,密码反向防火墙的安全防御方法包括以下步骤:Further, as shown in Figure 4, the security defense method of password reverse firewall comprises the following steps:

S101,第二密码反向防火墙的第一端口接收来自消息接收实体发送的第一公钥,利用内部会话单元对第一公钥进行随机数提取以获得第一随机数,并根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥,以及将第二公钥通过相应的第二端口向外部信道发送。S101. The first port of the second cryptographic reverse firewall receives the first public key sent by the message receiving entity, uses the internal session unit to perform random number extraction on the first public key to obtain the first random number, and based on the first random number Perform public key re-randomization processing on the first public key to obtain a second public key, and send the second public key to an external channel through a corresponding second port.

也就是说,第二密码反向防火墙通过第一端口接收来自信息接收实体发送的第一公钥pk,并通过内部会话单元根据获得的第一随机数人r1对第一公钥pk进行公钥再随机化处理,以获得第二公钥pk′,以及通过相应的第二端口将第二公钥pk′发送至外部信道。That is to say, the second encrypted reverse firewall receives the first public key pk from the information receiving entity through the first port, and publicizes the first public key pk according to the obtained first random number r 1 through the internal session unit. The key is re-randomized to obtain the second public key pk', and the second public key pk' is sent to the external channel through the corresponding second port.

S102,第一密码反向防火墙的第二端口接收来自外部信道的第二公钥,利用内部会话单元将第二公钥通过相应的第一端口向消息发送实体透传,并对第二公钥进行记录。S102, the second port of the first password reverse firewall receives the second public key from the external channel, uses the internal session unit to transparently transmit the second public key to the message sending entity through the corresponding first port, and transmits the second public key Make a note.

也就是说,第一密码反向防火墙通过第二端口接收来自外部信道的第二公钥pk′,并通过内部会话单元记录第二公钥pk′,以及将第二公钥pk′通过相应的第一端口向消息发送实体透传。That is to say, the first password reverse firewall receives the second public key pk' from the external channel through the second port, and records the second public key pk' through the internal session unit, and passes the second public key pk' through the corresponding The first port transparently transmits to the message sending entity.

S103,第一密码反向防火墙的第一端口接收来自消息发送实体发送的第一密文,利用内部会话单元对第一密文进行随机数提取以获得第二随机数,并根据第二随机数对第一密文进行密文再随机化处理以获得第二密文,以及将第二密文通过相应的第二端口向外部信道发送。S103. The first port of the first password reverse firewall receives the first ciphertext sent by the message sending entity, uses the internal session unit to extract the random number from the first ciphertext to obtain the second random number, and based on the second random number Perform ciphertext re-randomization on the first ciphertext to obtain the second ciphertext, and send the second ciphertext to the external channel through the corresponding second port.

也就是说,第一密码反向防火墙通过第一端口接收来自消息发送实体发送的第一密文c,并通过内部会话单元根据获得的第二随机数r2对第一密文c进行密文再随机化处理,以获得第二密文c′,以及通过相应的第二端口将第二密文c′发送至外部信道。That is to say, the first password reverse firewall receives the first ciphertext c sent from the message sending entity through the first port, and encrypts the first ciphertext c according to the obtained second random number r2 through the internal session unit Randomize again to obtain the second ciphertext c', and send the second ciphertext c' to the external channel through the corresponding second port.

S104,第二密码反向防火墙的第二端口接收来自外部信道的第二密文,利用内部会话单元根据第一随机数对第二密文进行处理以获得第三密文,并将第三密文通过相应的第一端口向消息接收实体透传。S104, the second port of the second password reverse firewall receives the second ciphertext from the external channel, uses the internal session unit to process the second ciphertext according to the first random number to obtain the third ciphertext, and sends the third ciphertext The text is transparently transmitted to the message receiving entity through the corresponding first port.

也就是说,第二密码反向防火墙通过第二端口接收来自外部信道的第二密文c′,并通过内部会话单元根据第一随机数r1对第二密文c′进行处理,以获取第三密文c”,并通过相应的第一端口将第三密文c”向消息接收实体透传。That is to say, the second password reverse firewall receives the second ciphertext c' from the external channel through the second port, and processes the second ciphertext c' according to the first random number r1 through the internal session unit to obtain The third ciphertext c", and transparently transmit the third ciphertext c" to the message receiving entity through the corresponding first port.

由此,本申请的密码反向防火墙的安全防御方法,对第一公钥进行随机数提取以获得第一随机数,并根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥,以及对第一密文进行随机数提取以获得第二随机数,并根据第二随机数对第一密文进行密文再随机化处理以获得第二密文,进而,根据第一随机数对第二密文进行处理以获得第三密文,从而,有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。Thus, the security defense method of the cryptographic reverse firewall of the present application extracts a random number from the first public key to obtain the first random number, and performs public key re-randomization processing on the first public key according to the first random number to obtain Obtaining the second public key, performing random number extraction on the first ciphertext to obtain a second random number, and re-randomizing the ciphertext on the first ciphertext according to the second random number to obtain a second ciphertext, and then, Process the second ciphertext according to the first random number to obtain the third ciphertext, thereby effectively reducing the number of random numbers generated by the password reverse firewall during operation, reducing the dependence on trusted random sources, and improving the realizable sex.

具体地,如图5所示,对第一公钥进行随机数提取以获得第一随机数,包括:Specifically, as shown in Figure 5, the random number extraction is performed on the first public key to obtain the first random number, including:

S201,利用第一预设单射函数对第一公钥进行编码以将第一公钥映射至第一预设伪随机置换函数的输入空间并获得第一编码信息。S201. Encode the first public key by using a first preset injective function to map the first public key to an input space of a first preset pseudo-random permutation function and obtain first encoding information.

也就是说,可通过第一预设单射函数Map1对第一公钥pk进行编码,以将第一公钥pk映射至第一预设伪随机置换函数Per1的输入空间并获得第一编码信息rpk←Map1(pk)。That is to say, the first public key pk can be encoded by the first preset injective function Map1, so as to map the first public key pk to the input space of the first preset pseudo-random permutation function Per1 and obtain the first encoding information r pk ←Map1(pk).

可选地,第一预设单射函数Map1可以预设为

Figure BDA0002686643930000061
其中,
Figure BDA0002686643930000062
为密文空间。Optionally, the first preset injective function Map1 can be preset as
Figure BDA0002686643930000061
in,
Figure BDA0002686643930000062
is the ciphertext space.

S202,如果第一编码信息已经存在,则进行报警提醒,并阻断所有消息传输。S202. If the first coded information already exists, perform an alarm and block all message transmissions.

可以理解的是,若第二密码反向防火墙的内部会话单元检测到第一编码信息rpk已经存在,则内部会话单元将进行报警提醒,并阻断第二密码反向防火墙中的所有消息传输。It can be understood that if the internal session unit of the second password reverse firewall detects that the first encoded information r pk already exists, the internal session unit will give an alarm reminder and block all message transmissions in the second password reverse firewall .

S203,如果第一编码信息未存在,则记录第一编码信息,并利用第一预设伪随机置换函数和第一预设伪随机置换函数的密钥对第一编码信息进行置换以获得第一随机数,其中,第一预设伪随机置换函数的密钥在第二密码反向防火墙启动时由外部注入或自动生成。S203. If the first encoding information does not exist, record the first encoding information, and use the first preset pseudo-random permutation function and the key of the first preset pseudo-random permutation function to permute the first encoding information to obtain the first The random number, wherein the key of the first preset pseudo-random permutation function is externally injected or automatically generated when the second password reverse firewall is started.

可以理解的是,若第一编码信息rpk未存在,则在列表内记录第一编码信息rpk,并利用第一预设伪随机置换函数Per1和第一预设伪随机置换函数的密钥s1对第一编码信息rpk进行置换以获得第一随机数r1←Per1(s1,rpk),其中,第一预设伪随机置换函数的密钥s1在第二密码反向防火墙启动时由外部注入或自动生成。It can be understood that if the first encoded information r pk does not exist, record the first encoded information r pk in the list, and use the first preset pseudo-random permutation function Per1 and the key of the first preset pseudo-random permutation function s 1 permutes the first encoded information r pk to obtain the first random number r 1 ←Per1(s 1 , r pk ), where the key s 1 of the first preset pseudo-random permutation function is reversed in the second password Injected externally or generated automatically when the firewall starts.

可选地,第一预设伪随机置换函数Per1可以预设为

Figure BDA0002686643930000071
其中,
Figure BDA0002686643930000072
为密钥空间。Optionally, the first preset pseudo-random permutation function Per1 can be preset as
Figure BDA0002686643930000071
in,
Figure BDA0002686643930000072
is the key space.

进一步地,根据第一随机数对所述第一公钥进行公钥再随机化处理以获得第二公钥,包括:Further, performing public key re-randomization processing on the first public key according to the first random number to obtain a second public key includes:

利用预设公钥再随机化函数根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥。Using a preset public key rerandomization function to perform public key rerandomization processing on the first public key according to the first random number to obtain a second public key.

也就是说,可通过预设公钥再随机化函数Keymaul根据第一随机数r1对第一公钥pk进行公钥再随机化pk′←Keymaul(pk,r1),以获得第二公钥pk′。That is to say, the public key re-randomization pk′←Keymaul(pk, r 1 ) can be performed on the first public key pk according to the first random number r 1 through the preset public key re-randomization function Keymaul to obtain the second public key Key pk'.

进一步地,如图6所示,对第一密文进行随机数提取以获得第二随机数,包括:Further, as shown in Figure 6, random number extraction is performed on the first ciphertext to obtain a second random number, including:

S301,利用第二预设单射函数对第一密文进行编码以将第一密文映射至第二预设伪随机置换函数的输入空间并获得第二编码信息。S301. Encode the first ciphertext by using a second preset injective function to map the first ciphertext to an input space of a second preset pseudo-random permutation function and obtain second encoding information.

也就是说,可通过第二预设单射函数Map2对第一密文c进行编码以将第一密文c映射至第二预设伪随机置换函数Per2的输入空间并获得第二编码信息rc←Map2(c)。That is to say, the first ciphertext c can be encoded by the second preset injective function Map2 to map the first ciphertext c to the input space of the second preset pseudo-random permutation function Per2 and obtain the second encoding information r c ← Map2(c).

可选地,第二预设单射函数Map2可以预设为

Figure BDA0002686643930000073
其中,
Figure BDA0002686643930000074
为公钥空间。Optionally, the second preset injective function Map2 can be preset as
Figure BDA0002686643930000073
in,
Figure BDA0002686643930000074
is the public key space.

S302,如果第二编码信息已经存在,则进行报警提醒,并阻断所有消息传输。S302. If the second coded information already exists, perform an alarm and block all message transmissions.

可以理解的是,若第一密码反向防火墙的内部会话单元检测到第二编码信息rc已经存在,则内部会话单元将进行报警提醒,并阻断第一密码反向防火墙中的所有消息传输。It can be understood that if the internal session unit of the first password reverse firewall detects that the second coded information rc already exists, the internal session unit will give an alarm reminder and block all message transmissions in the first password reverse firewall .

S303,如果第二编码信息未存在,则记录第二编码信息,并利用第二预设伪随机置换函数和第二预设伪随机置换函数的密钥对第二编码信息进行置换以获得第二随机数,其中,第二预设伪随机置换函数的密钥在第一密码反向防火墙启动时由外部注入或自动生成。S303. If the second encoding information does not exist, record the second encoding information, and use the second preset pseudo-random permutation function and the key of the second preset pseudo-random permutation function to replace the second encoding information to obtain the second The random number, wherein the key of the second preset pseudo-random permutation function is externally injected or automatically generated when the first password reverse firewall is started.

可以理解的是,若第二编码信息rc未存在,则在列表内记录第二编码信息rc,并利用第二预设伪随机置换函数Per2和第二预设伪随机置换函数的密钥s2对第二编码信息rc进行置换以获得第一随机数r2←Per2(s2,rc),其中,第二预设伪随机置换函数的密钥s2在第一密码反向防火墙启动时由外部注入或自动生成。It can be understood that if the second coded information rc does not exist, record the second coded information rc in the list, and use the second preset pseudo-random permutation function Per2 and the key of the second preset pseudo-random permutation function s 2 permutes the second coded information r c to obtain the first random number r 2 ←Per2(s 2 , r c ), where the key s 2 of the second preset pseudo-random permutation function is reversed in the first password Injected externally or generated automatically when the firewall starts.

可选地,第一预设伪随机置换函数Per2可以预设为

Figure BDA0002686643930000075
其中,
Figure BDA0002686643930000076
为密钥空间。Optionally, the first preset pseudo-random permutation function Per2 can be preset as
Figure BDA0002686643930000075
in,
Figure BDA0002686643930000076
is the key space.

由此,本发明实施例的密码反向防火墙内采用伪随机置换策略,通过在密码反向防火墙内嵌两个伪随机置换函数Per1和Per2,并在密码反向防火墙启动阶段,通过外部注入或自身生成的方式产生伪随机置换函数的密钥s1和s2,以及在协议运行过程中需要对所传输的公钥或密文进行伪随机化时,首先使用单射函数对待处理的公钥或密文进行编码,然后,将之映射到伪随机置换函数的输入空间中,再使用伪随机置换函数对其进行置换,最后,使用置换得到的随机数,对待处理的公钥或密文进行再随机化,得到相应处理后的公钥或密文。Therefore, the password reverse firewall in the embodiment of the present invention adopts a pseudo-random permutation strategy, by embedding two pseudo-random permutation functions Per1 and Per2 in the password reverse firewall, and during the startup phase of the password reverse firewall, through external injection or The key s 1 and s 2 of the pseudo-random permutation function are generated in a self-generated way, and when the transmitted public key or ciphertext needs to be pseudo-randomized during the operation of the protocol, the public key to be processed is firstly used by the injective function or ciphertext, and then map it to the input space of the pseudo-random permutation function, and then use the pseudo-random permutation function to permute it, and finally, use the random number obtained from the permutation to process the public key or ciphertext to be processed Then randomize to obtain the correspondingly processed public key or ciphertext.

以及,采用在线看门狗策略,通过设置有具有报警功能的在线看门狗模块,实时监测通过密码反向防火墙的数据,并在检测到颠覆攻击的风险时报警,例如,针对每一个伪随机置换建立有一个列表,以记录当前置换密钥下所有输入该置换的数据,并在伪随机置换每次被调用前,均对此次输入进行检查,一旦发现此次输入与列表中某条记录重复(碰撞),则密码反向防火墙对外报警,同时,切断计算机与外界之间的所有通信,网络协议运行暂停。And, adopting the online watchdog strategy, by setting up an online watchdog module with alarm function, real-time monitoring of the data passing through the password reverse firewall, and alarming when the risk of subversion attack is detected, for example, for each pseudo-random The permutation creates a list to record all the data entered into the permutation under the current permutation key, and checks the input before each call of the pseudo-random permutation. Once the input is found to be consistent with a record in the list Repeat (collision), then the password reverse firewall externally reports to the police, simultaneously, cuts off all communication between the computer and the outside world, and the network protocol operation suspends.

需要说明的是,在生成第一公钥pk时,满足以下条件:随机生成的两个公钥相等的概率小于等于第一预设值、且利用随机生成的两个公钥对随机产生的两个合法明文进行加密生成的两个密文相等的概率小于等于第一预设值。It should be noted that when generating the first public key pk, the following conditions are met: the probability that the two randomly generated public keys are equal is less than or equal to the first preset value, and the two randomly generated public keys are used to pair the randomly generated two The probability that two ciphertexts generated by encrypting a legitimate plaintext are equal is less than or equal to the first preset value.

可以理解的是,当生成第一公钥pk时,满足随机生成的两个公钥(pk0,sk0)相等的概率小于等于第一预设值Pr[pk0=pk1]≤negl(λ),以及利用随机生成的两个公钥对随机产生的两个合法明文m0和m1进行加密生成的两个密文相等的概率小于等于第一预设值Pr[Enc(pka,mb)=Enc(pkc,md)]≤negl(λ),其中,

Figure BDA0002686643930000081
且(a,b)≠(c,d)。It can be understood that when the first public key pk is generated, the probability that the two randomly generated public keys (pk 0 , sk 0 ) are equal is less than or equal to the first preset value Pr[pk 0 =pk 1 ]≤negl( λ), and using two randomly generated public keys to encrypt two randomly generated legal plaintexts m 0 and m 1 , the probability that the generated two ciphertexts are equal is less than or equal to the first preset value Pr[Enc(pk a , m b )=Enc(pk c ,m d )]≤negl(λ), where,
Figure BDA0002686643930000081
And (a, b)≠(c, d).

进一步地,根据第二随机数对第一密文进行密文再随机化处理以获得第二密文,包括:Further, performing ciphertext re-randomization processing on the first ciphertext according to the second random number to obtain the second ciphertext, including:

利用预设密文再随机化函数根据第二随机数和第二公钥对第一密文进行密文再随机化处理以获得第二密文。Using a preset ciphertext rerandomization function to perform ciphertext rerandomization processing on the first ciphertext according to the second random number and the second public key to obtain the second ciphertext.

也就是说,可通过预设密文再随机化函数Rerand根据第二随机数r2和第二公钥pk′对第一密文c进行密文再随机化处理c′←Rerand(pk,c,r2),以获得第二密文c′。That is to say, the first ciphertext c can be re-randomized according to the second random number r 2 and the second public key pk' through the preset ciphertext re-randomization function Rerand c'←Rerand(pk,c , r 2 ), to obtain the second ciphertext c′.

进一步地,根据第一随机数对第二密文进行处理以获得第三密文,包括:Further, the second ciphertext is processed according to the first random number to obtain the third ciphertext, including:

利用预设密文恢复函数根据第一随机数对第二密文进行恢复以获得第三密文。Using a preset ciphertext recovery function to recover the second ciphertext according to the first random number to obtain the third ciphertext.

也就是说,可通过预设密文恢复函数CKeymaul根据第一随机数r1对第二密文c′进行恢复c”←CKeymaul(c′,r1),以获得第三密文c”。That is to say, the second ciphertext c' can be recovered c"←CKeymaul(c', r 1 ) according to the first random number r 1 through the preset ciphertext recovery function CKeymaul to obtain the third ciphertext c".

可选地,在本发明的实施例中以El-Gamal公钥加密体制为例,公钥再随机化函数Keymaul可设计为:

Figure BDA0002686643930000082
相应的,密文恢复函数CKeymaul可设计为:
Figure BDA0002686643930000083
Figure BDA0002686643930000084
密文再随机化函数Rerand可设计为:
Figure BDA0002686643930000085
Optionally, taking the El-Gamal public key encryption system as an example in the embodiments of the present invention, the public key re-randomization function Keymaul can be designed as:
Figure BDA0002686643930000082
Correspondingly, the ciphertext recovery function CKeymaul can be designed as:
Figure BDA0002686643930000083
Figure BDA0002686643930000084
The ciphertext re-randomization function Rerand can be designed as:
Figure BDA0002686643930000085

进一步地,第一密码反向防火墙和第二密码反向防火墙接收和发送的消息均满足六元组格式,如果不满足,则进行报警提醒,其中,六元组格式包括协议种类标识、会话标识、消息发送实体标识、消息接收实体标识、消息内容和消息的联合数据。Further, the messages received and sent by the first password reverse firewall and the second password reverse firewall all meet the six-tuple format, if not, an alarm reminder is given, wherein the six-tuple format includes the protocol type identifier, the session identifier , the identifier of the message sending entity, the identifier of the message receiving entity, the content of the message, and the combined data of the message.

也就是说,若在协议的运行过程中,第一密码反向防火墙和第二密码反向防火墙接收和发送的消息不满足六元组格式时,将进行报警提醒,同时,禁止第一密码反向防火墙和第二密码反向防火墙进行信息交流。That is to say, if during the operation of the protocol, the messages received and sent by the first password reverse firewall and the second password reverse firewall do not meet the six-tuple format, an alarm will be issued, and at the same time, the first password reverse firewall will be prohibited. Information exchange is performed to the firewall and the second password reverse firewall.

进一步地,如图7所示,密码反向防火墙的安全防御方法,还包括:Further, as shown in Figure 7, the security defense method of password reverse firewall also includes:

S401,第二密码反向防火墙在接收到第一公钥后,生成内部会话单元,并对该内部会话单元进行标记,其中标记信息包括协议种类标识、会话标识和消息接收实体标识。S401. After receiving the first public key, the second encrypted reverse firewall generates an internal session unit and marks the internal session unit, where the tag information includes a protocol type identifier, a session identifier, and a message receiving entity identifier.

可以理解的是,可通过标记信息包括协议种类标识、会话标识和消息接收实体标识确定第二密码反向防火墙中对应的内部会话单元。It can be understood that the corresponding internal session unit in the second password reverse firewall can be determined through the tag information including the protocol type identifier, the session identifier and the message receiving entity identifier.

S402,第二密码反向防火墙在接收到第二密文后,还查找内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。S402. After receiving the second ciphertext, the second password reverse firewall also checks whether the internal session unit exists, and if not, sends an alarm; if it exists, runs the internal session unit.

应理解的是,若第二密码反向防火墙通过查找内部会话单元的标记信息后发现,该内部会话单元不存在,则进行报警提醒,同时,阻断第二密码反向防火墙中的所有通信,若发现该内部单元存在,则运行该内部会话单元。It should be understood that if the second password reverse firewall finds that the internal session unit does not exist by searching the flag information of the internal session unit, an alarm will be given, and at the same time, all communications in the second password reverse firewall will be blocked. If it is found that the internal unit exists, then run the internal session unit.

进一步地,如图8所示,密码反向防火墙的安全防御方法,还包括:Further, as shown in Figure 8, the security defense method of password reverse firewall also includes:

S501,第一密码反向防火墙在接收到第二公钥后,生成内部会话单元,并对该内部会话单元进行标记,其中标记信息包括协议种类标识、会话标识和消息发送实体标识。S501. After receiving the second public key, the first cryptographic reverse firewall generates an internal session unit, and marks the internal session unit, where the tag information includes a protocol type identifier, a session identifier, and a message sending entity identifier.

可以理解的是,可通过协议种类标识、会话标识和消息发送实体标识确定第一密码反向防火墙中对应的内部会话单元。It can be understood that the corresponding internal session unit in the first password reverse firewall can be determined through the protocol type identifier, the session identifier and the message sending entity identifier.

S502,第一密码反向防火墙在接收到第一密文后,还查找内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。S502. After receiving the first ciphertext, the first password reverse firewall also checks whether the internal session unit exists, and if not, sends an alarm; if it exists, runs the internal session unit.

应理解的是,若第一密码反向防火墙通过查找内部会话单元的标记信息后发现,该内部会话单元不存在,则进行报警提醒,同时,阻断第一密码反向防火墙中的所有通信,若发现该内部单元存在,则运行该内部会话单元。It should be understood that if the first password reverse firewall finds that the internal session unit does not exist by searching the tag information of the internal session unit, then an alarm will be issued, and at the same time, all communications in the first password reverse firewall will be blocked. If it is found that the internal unit exists, then run the internal session unit.

综上,根据本发明实施例的密码反向防火墙的安全防御方法,首先,第二密码反向防火墙的第一端口接收来自消息接收实体发送的第一公钥,利用内部会话单元对第一公钥进行随机数提取以获得第一随机数,并根据第一随机数对第一公钥进行公钥再随机化处理以获得第二公钥,以及将第二公钥通过相应的第二端口向外部信道发送,然后,第一密码反向防火墙的第二端口接收来自外部信道的第二公钥,利用内部会话单元将第二公钥通过相应的第一端口向消息发送实体透传,并对第二公钥进行记录,进而,第一密码反向防火墙的第一端口接收来自消息发送实体发送的第一密文,利用内部会话单元对第一密文进行随机数提取以获得第二随机数,并根据第二随机数对第一密文进行密文再随机化处理以获得第二密文,以及将第二密文通过相应的第二端口向外部信道发送,最后,第二密码反向防火墙的第二端口接收来自外部信道的第二密文,利用内部会话单元根据第一随机数对第二密文进行处理以获得第三密文,并将第三密文通过相应的第一端口向消息接收实体透传。由此,有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。In summary, according to the security defense method of the password reverse firewall in the embodiment of the present invention, first, the first port of the second password reverse firewall receives the first public key sent from the message receiving entity, and uses the internal session unit to exchange the first public key with the first public key. Extract random numbers from the key to obtain the first random number, perform public key re-randomization on the first public key according to the first random number to obtain the second public key, and send the second public key to the The external channel sends, and then, the second port of the first password reverse firewall receives the second public key from the external channel, uses the internal session unit to transparently transmit the second public key to the message sending entity through the corresponding first port, and The second public key is recorded, and then, the first port of the reverse firewall with the first password receives the first ciphertext sent by the message sending entity, and uses the internal session unit to extract the random number from the first ciphertext to obtain the second random number , and perform ciphertext re-randomization on the first ciphertext according to the second random number to obtain the second ciphertext, and send the second ciphertext to the external channel through the corresponding second port, and finally, the second ciphertext reverses The second port of the firewall receives the second ciphertext from the external channel, uses the internal session unit to process the second ciphertext according to the first random number to obtain the third ciphertext, and passes the third ciphertext through the corresponding first port Transparently transmit to the message receiving entity. As a result, the number of random numbers generated during the operation of the password reverse firewall is effectively reduced, the degree of dependence on trusted random sources is reduced, and the realizability is improved.

进一步地,基于上述本发明实施例的密码反向防火墙的安全防御方法,本发明实施例还提出了一种密码反向防火墙,其包括如上述发明实施例所述的密码反向防火墙的安全防御方法。Further, based on the security defense method of the password reverse firewall in the above-mentioned embodiment of the present invention, the embodiment of the present invention also proposes a password reverse firewall, which includes the security defense of the password reverse firewall described in the above-mentioned embodiment of the invention method.

需要说明的是,本发明实施例的密码反向防火墙的具体实施方式与前述本发明实施例的密码反向防火墙的安全防御方法的具体实施方式一一对应,因此,在此不再赘述。It should be noted that the specific implementation manners of the encryption reverse firewall in the embodiment of the present invention correspond to the specific implementation manners of the security defense method of the encryption reverse firewall in the embodiment of the present invention, so details are not repeated here.

综上,根据本发明实施例的密码反向防火墙,应用上述密码反向防火墙的安全防御方法,能够有效减少密码反向防火墙在运行过程中产生的随机数数量,降低对可信随机源的依赖程度,提高可实现性。To sum up, according to the password reverse firewall of the embodiment of the present invention, the security defense method of the above password reverse firewall can effectively reduce the number of random numbers generated by the password reverse firewall during operation, and reduce the dependence on trusted random sources. degree, to improve realizability.

需要说明的是,在流程图中表示或在此以其他方式描述的逻辑和/或步骤,例如,可以被认为是用于实现逻辑功能的可执行指令的定序列表,可以具体实现在任何计算机可读介质中,以供指令执行系统、装置或设备(如基于计算机的系统、包括处理器的系统或其他可以从指令执行系统、装置或设备取指令并执行指令的系统)使用,或结合这些指令执行系统、装置或设备而使用。就本说明书而言,"计算机可读介质"可以是任何可以包含、存储、通信、传播或传输程序以供指令执行系统、装置或设备或结合这些指令执行系统、装置或设备而使用的装置。计算机可读介质的更具体的示例(非穷尽性列表)包括以下:具有一个或多个布线的电连接部(电子装置),便携式计算机盘盒(磁装置),随机存取存储器(RAM),只读存储器(ROM),可擦除可编辑只读存储器(EPROM或闪速存储器),光纤装置,以及便携式光盘只读存储器(CDROM)。另外,计算机可读介质甚至可以是可在其上打印所述程序的纸或其他合适的介质,因为可以例如通过对纸或其他介质进行光学扫描,接着进行编辑、解译或必要时以其他合适方式进行处理来以电子方式获得所述程序,然后将其存储在计算机存储器中。It should be noted that the logic and/or steps shown in the flowchart or otherwise described herein, for example, can be considered as a sequenced list of executable instructions for implementing logical functions, and can be embodied in any computer readable medium for use by an instruction execution system, apparatus, or device (such as a computer-based system, a system including a processor, or other system that can fetch instructions from an instruction execution system, apparatus, or device and execute instructions), or in combination with these Instructions are used to execute systems, devices, or equipment. For the purposes of this specification, a "computer-readable medium" may be any device that can contain, store, communicate, propagate or transmit a program for use in or in conjunction with an instruction execution system, device or device. More specific examples (non-exhaustive list) of computer-readable media include the following: electrical connection with one or more wires (electronic device), portable computer disk case (magnetic device), random access memory (RAM), Read Only Memory (ROM), Erasable and Editable Read Only Memory (EPROM or Flash Memory), Fiber Optic Devices, and Portable Compact Disc Read Only Memory (CDROM). In addition, the computer-readable medium may even be paper or other suitable medium on which the program can be printed, since the program can be read, for example, by optically scanning the paper or other medium, followed by editing, interpretation or other suitable processing if necessary. The program is processed electronically and stored in computer memory.

应当理解,本发明的各部分可以用硬件、软件、固件或它们的组合来实现。在上述实施方式中,多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或固件来实现。例如,如果用硬件来实现,和在另一实施方式中一样,可用本领域公知的下列技术中的任一项或他们的组合来实现:具有用于对数据信号实现逻辑功能的逻辑门电路的离散逻辑电路,具有合适的组合逻辑门电路的专用集成电路,可编程门阵列(PGA),现场可编程门阵列(FPGA)等。It should be understood that various parts of the present invention can be realized by hardware, software, firmware or their combination. In the embodiments described above, various steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques known in the art: Discrete logic circuits, ASICs with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.

在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。In the description of this specification, descriptions referring to the terms "one embodiment", "some embodiments", "example", "specific examples", or "some examples" mean that specific features described in connection with the embodiment or example , structure, material or feature is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

在本发明的描述中,需要理解的是,术语“中心”、“纵向”、“横向”、“长度”、“宽度”、“厚度”、“上”、“下”、“前”、“后”、“左”、“右”、“竖直”、“水平”、“顶”、“底”“内”、“外”、“顺时针”、“逆时针”、“轴向”、“径向”、“周向”等指示的方位或位置关系为基于附图所示的方位或位置关系,仅是为了便于描述本发明和简化描述,而不是指示或暗示所指的装置或元件必须具有特定的方位、以特定的方位构造和操作,因此不能理解为对本发明的限制。In describing the present invention, it should be understood that the terms "center", "longitudinal", "transverse", "length", "width", "thickness", "upper", "lower", "front", " Back", "Left", "Right", "Vertical", "Horizontal", "Top", "Bottom", "Inner", "Outer", "Clockwise", "Counterclockwise", "Axial", The orientation or positional relationship indicated by "radial", "circumferential", etc. is based on the orientation or positional relationship shown in the drawings, and is only for the convenience of describing the present invention and simplifying the description, rather than indicating or implying the referred device or element Must be in a particular orientation, be constructed in a particular orientation, and operate in a particular orientation, and therefore should not be construed as limiting the invention.

此外,术语“第一”、“第二”仅用于描述目的,而不能理解为指示或暗示相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”的特征可以明示或者隐含地包括至少一个该特征。在本发明的描述中,“多个”的含义是至少两个,例如两个,三个等,除非另有明确具体的限定。In addition, the terms "first" and "second" are used for descriptive purposes only, and cannot be interpreted as indicating or implying relative importance or implicitly specifying the quantity of indicated technical features. Thus, the features defined as "first" and "second" may explicitly or implicitly include at least one of these features. In the description of the present invention, "plurality" means at least two, such as two, three, etc., unless otherwise specifically defined.

在本发明中,除非另有明确的规定和限定,术语“安装”、“相连”、“连接”、“固定”等术语应做广义理解,例如,可以是固定连接,也可以是可拆卸连接,或成一体;可以是机械连接,也可以是电连接;可以是直接相连,也可以通过中间媒介间接相连,可以是两个元件内部的连通或两个元件的相互作用关系,除非另有明确的限定。对于本领域的普通技术人员而言,可以根据具体情况理解上述术语在本发明中的具体含义。In the present invention, unless otherwise clearly specified and limited, terms such as "installation", "connection", "connection" and "fixation" should be understood in a broad sense, for example, it can be a fixed connection or a detachable connection , or integrated; it may be mechanically connected or electrically connected; it may be directly connected or indirectly connected through an intermediary, and it may be the internal communication of two components or the interaction relationship between two components, unless otherwise specified limit. Those of ordinary skill in the art can understand the specific meanings of the above terms in the present invention according to specific situations.

在本发明中,除非另有明确的规定和限定,第一特征在第二特征“上”或“下”可以是第一和第二特征直接接触,或第一和第二特征通过中间媒介间接接触。而且,第一特征在第二特征“之上”、“上方”和“上面”可是第一特征在第二特征正上方或斜上方,或仅仅表示第一特征水平高度高于第二特征。第一特征在第二特征“之下”、“下方”和“下面”可以是第一特征在第二特征正下方或斜下方,或仅仅表示第一特征水平高度小于第二特征。In the present invention, unless otherwise clearly specified and limited, the first feature may be in direct contact with the first feature or the first and second feature may be in direct contact with the second feature through an intermediary. touch. Moreover, "above", "above" and "above" the first feature on the second feature may mean that the first feature is directly above or obliquely above the second feature, or simply means that the first feature is higher in level than the second feature. "Below", "beneath" and "beneath" the first feature may mean that the first feature is directly below or obliquely below the second feature, or simply means that the first feature is less horizontally than the second feature.

尽管上面已经示出和描述了本发明的实施例,可以理解的是,上述实施例是示例性的,不能理解为对本发明的限制,本领域的普通技术人员在本发明的范围内可以对上述实施例进行变化、修改、替换和变型。Although the embodiments of the present invention have been shown and described above, it can be understood that the above embodiments are exemplary and should not be construed as limiting the present invention, those skilled in the art can make the above-mentioned The embodiments are subject to changes, modifications, substitutions and variations.

Claims (7)

1.一种密码反向防火墙的安全防御方法,其特征在于,所述密码反向防火墙包括第一密码反向防火墙和第二密码反向防火墙,所述第一密码反向防火墙对应消息发送实体设置,所述第二密码反向防火墙对应消息接收实体设置,每个所述密码反向防火墙均包括第一端口和第二端口,所述第一端口与所述实体相连,所述第二端口与外部信道相连,每个所述密码反向防火墙用于对所述实体与所述外部信息之间传输的消息进行处理,所述方法包括以下步骤:1. A security defense method for a password reverse firewall, characterized in that, the password reverse firewall comprises a first password reverse firewall and a second password reverse firewall, and the first password reverse firewall corresponds to a message sending entity Setting, the second password reverse firewall is set corresponding to the message receiving entity, each of the password reverse firewalls includes a first port and a second port, the first port is connected to the entity, and the second port Connected to an external channel, each of the password reverse firewalls is used to process messages transmitted between the entity and the external information, and the method includes the following steps: 所述第二密码反向防火墙的第一端口接收来自所述消息接收实体发送的第一公钥,利用内部会话单元对所述第一公钥进行随机数提取以获得第一随机数,并根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得第二公钥,以及将所述第二公钥通过相应的第二端口向所述外部信道发送;The first port of the second cryptographic reverse firewall receives the first public key sent by the message receiving entity, uses the internal session unit to extract a random number from the first public key to obtain a first random number, and according to performing public key re-randomization processing on the first public key with the first random number to obtain a second public key, and sending the second public key to the external channel through a corresponding second port; 所述第一密码反向防火墙的第二端口接收来自所述外部信道的所述第二公钥,利用内部会话单元将所述第二公钥通过相应的第一端口向所述消息发送实体透传,并对所述第二公钥进行记录;The second port of the first password reverse firewall receives the second public key from the external channel, and uses the internal session unit to transparently transmit the second public key to the message sending entity through the corresponding first port. pass, and record the second public key; 所述第一密码反向防火墙的第一端口接收来自所述消息发送实体发送的第一密文,利用内部会话单元对所述第一密文进行随机数提取以获得第二随机数,并根据所述第二随机数对所述第一密文进行密文再随机化处理以获得第二密文,以及将所述第二密文通过相应的第二端口向所述外部信道发送;The first port of the first password reverse firewall receives the first ciphertext sent by the message sending entity, uses the internal session unit to perform random number extraction on the first ciphertext to obtain a second random number, and according to performing ciphertext re-randomization processing on the first ciphertext by the second random number to obtain a second ciphertext, and sending the second ciphertext to the external channel through a corresponding second port; 所述第二密码反向防火墙的第二端口接收来自所述外部信道的所述第二密文,利用内部会话单元根据所述第一随机数对所述第二密文进行处理以获得第三密文,并将所述第三密文通过相应的第一端口向所述消息接收实体透传;The second port of the second password reverse firewall receives the second ciphertext from the external channel, and uses the internal session unit to process the second ciphertext according to the first random number to obtain the third ciphertext. ciphertext, and transparently transmit the third ciphertext to the message receiving entity through the corresponding first port; 所述对所述第一公钥进行随机数提取以获得第一随机数,包括:The extracting the random number from the first public key to obtain the first random number includes: 利用第一预设单射函数对所述第一公钥进行编码以将所述第一公钥映射至第一预设伪随机置换函数的输入空间并获得第一编码信息;Encoding the first public key by using a first preset injective function to map the first public key to an input space of a first preset pseudo-random permutation function and obtain first encoding information; 如果所述第一编码信息已经存在,则进行报警提醒,并阻断所有消息传输;If the first coded information already exists, perform an alarm reminder and block all message transmissions; 如果所述第一编码信息未存在,则记录所述第一编码信息,并利用所述第一预设伪随机置换函数和所述第一预设伪随机置换函数的密钥对所述第一编码信息进行置换以获得所述第一随机数,其中,所述第一预设伪随机置换函数的密钥在所述第二密码反向防火墙启动时由外部注入或自动生成;If the first encoding information does not exist, record the first encoding information, and use the first preset pseudo-random permutation function and the key of the first preset pseudo-random permutation function to pair the first The coded information is permuted to obtain the first random number, wherein the key of the first preset pseudo-random permutation function is externally injected or automatically generated when the second password reverse firewall is started; 所述对所述第一密文进行随机数提取以获得第二随机数,包括:The extracting the random number from the first ciphertext to obtain the second random number includes: 利用第二预设单射函数对所述第一密文进行编码以将所述第一密文映射至第二预设伪随机置换函数的输入空间并获得第二编码信息;encoding the first ciphertext by using a second preset injective function to map the first ciphertext to an input space of a second preset pseudo-random permutation function and obtain second encoding information; 如果所述第二编码信息已经存在,则进行报警提醒,并阻断所有消息传输;If the second coded information already exists, give an alarm reminder and block all message transmissions; 如果所述第二编码信息未存在,则记录所述第二编码信息,并利用所述第二预设伪随机置换函数和所述第二预设伪随机置换函数的密钥对所述第二编码信息进行置换以获得所述第二随机数,其中,所述第二预设伪随机置换函数的密钥在所述第一密码反向防火墙启动时由外部注入或自动生成。If the second encoding information does not exist, record the second encoding information, and use the second preset pseudo-random permutation function and the key of the second preset pseudo-random permutation function to pair the second The encoded information is substituted to obtain the second random number, wherein the key of the second preset pseudo-random permutation function is externally injected or automatically generated when the first password reverse firewall is started. 2.根据权利要求1所述的密码反向防火墙的安全防御方法,其特征在于,所述根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得第二公钥,包括:2. the security defense method of password reverse firewall according to claim 1, is characterized in that, described first public key is carried out public key randomization process again to obtain second public key according to described first random number keys, including: 利用预设公钥再随机化函数根据所述第一随机数对所述第一公钥进行公钥再随机化处理以获得所述第二公钥。performing public key re-randomization processing on the first public key according to the first random number by using a preset public key re-randomization function to obtain the second public key. 3.根据权利要求1所述的密码反向防火墙的安全防御方法,其特征在于,所述根据所述第二随机数对所述第一密文进行密文再随机化处理以获得第二密文,包括:3. the security defense method of password reverse firewall according to claim 1, is characterized in that, described first ciphertext is carried out ciphertext randomization process again to obtain second ciphertext according to described second random number. text, including: 利用预设密文再随机化函数根据所述第二随机数和所述第二公钥对所述第一密文进行密文再随机化处理以获得所述第二密文。performing ciphertext rerandomization processing on the first ciphertext according to the second random number and the second public key by using a preset ciphertext rerandomization function to obtain the second ciphertext. 4.根据权利要求1所述的密码反向防火墙的安全防御方法,其特征在于,所述根据所述第一随机数对所述第二密文进行处理以获得第三密文,包括:4. the security defense method of password reverse firewall according to claim 1, is characterized in that, described second ciphertext is processed according to described first random number to obtain the 3rd ciphertext, comprising: 利用预设密文恢复函数根据所述第一随机数对所述第二密文进行恢复以获得所述第三密文。Restoring the second ciphertext according to the first random number by using a preset ciphertext restoration function to obtain the third ciphertext. 5.根据权利要求1-4中任一项所述的密码反向防火墙的安全防御方法,其特征在于,所述第一密码反向防火墙和所述第二密码反向防火墙接收和发送的消息均满足六元组格式,如果不满足,则进行报警提醒,其中,所述六元组格式包括协议种类标识、会话标识、消息发送实体标识、消息接收实体标识、消息内容和消息的联合数据。5. according to the security defense method of the password reverse firewall described in any one in claim 1-4, it is characterized in that, the message that described first password reverse firewall and described second password reverse firewall receive and send All meet the six-tuple format, and if not, an alarm reminder is given, wherein the six-tuple format includes the protocol type identifier, session identifier, message sending entity identifier, message receiving entity identifier, message content and combined data of the message. 6.根据权利要求5所述的密码反向防火墙的安全防御方法,其特征在于,所述方法还包括:6. the security defense method of password reverse firewall according to claim 5, is characterized in that, described method also comprises: 所述第二密码反向防火墙在接收到所述第一公钥后,生成所述内部会话单元,并对该内部会话单元进行标记,其中标记信息包括所述协议种类标识、所述会话标识和所述消息接收实体标识;After receiving the first public key, the second password reverse firewall generates the internal session unit and marks the internal session unit, wherein the tag information includes the protocol type identifier, the session identifier and The message receiving entity identifier; 所述第二密码反向防火墙在接收到所述第二密文后,还查找所述内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。After the second password reverse firewall receives the second ciphertext, it also checks whether the internal conversational unit exists, and if it does not exist, it will give an alarm; if it exists, it will run the internal conversational unit. 7.根据权利要求5所述的密码反向防火墙的安全防御方法,其特征在于,所述方法还包括:7. the security defense method of password reverse firewall according to claim 5, is characterized in that, described method also comprises: 所述第一密码反向防火墙在接收到所述第二公钥后,生成所述内部会话单元,并对该内部会话单元进行标记,其中标记信息包括所述协议种类标识、所述会话标识和所述消息发送实体标识;After receiving the second public key, the first password reverse firewall generates the internal session unit and marks the internal session unit, wherein the tag information includes the protocol type identifier, the session identifier and The message sending entity identifier; 所述第一密码反向防火墙在接收到所述第一密文后,还查找所述内部会话单元是否存在,如果不存在,则进行报警提醒;如果存在,则运行该内部会话单元。After the first password reverse firewall receives the first ciphertext, it also checks whether the internal conversational unit exists, and if it does not exist, it will give an alarm; if it exists, it will run the internal conversational unit.
CN202010978321.4A 2020-09-17 2020-09-17 Password Reverse Firewall and Its Security Defense Method Active CN114205073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010978321.4A CN114205073B (en) 2020-09-17 2020-09-17 Password Reverse Firewall and Its Security Defense Method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010978321.4A CN114205073B (en) 2020-09-17 2020-09-17 Password Reverse Firewall and Its Security Defense Method

Publications (2)

Publication Number Publication Date
CN114205073A CN114205073A (en) 2022-03-18
CN114205073B true CN114205073B (en) 2023-01-17

Family

ID=80644644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010978321.4A Active CN114205073B (en) 2020-09-17 2020-09-17 Password Reverse Firewall and Its Security Defense Method

Country Status (1)

Country Link
CN (1) CN114205073B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134361B (en) * 2022-06-20 2024-04-26 中汽创智科技有限公司 Cross-platform communication method and device for automatic driving software platform

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060190998A1 (en) * 2005-02-17 2006-08-24 At&T Corp Determining firewall rules for reverse firewalls
CN111277413B (en) * 2020-03-06 2021-08-06 电子科技大学 A Password Reverse Firewall Method for Proxy Re-encryption

Also Published As

Publication number Publication date
CN114205073A (en) 2022-03-18

Similar Documents

Publication Publication Date Title
CN107070652B (en) A kind of car networking method for secret protection that the ciphertext based on CP-ABE is anti-tamper and system
US10205713B2 (en) Private and mutually authenticated key exchange
US8433066B2 (en) Method for generating an encryption/decryption key
WO2021109756A1 (en) Proxy anonymous communication method based on homomorphic encryption scheme
CN112737764B (en) Lightweight multi-user multi-data all-homomorphic data encryption packaging method
CN111431705B (en) A Password Reverse Firewall Approach for Searchable Encryption
del Moral et al. Cybersecurity in critical infrastructures: A post-quantum cryptography perspective
Rege et al. Bluetooth communication using hybrid encryption algorithm based on AES and RSA
CN114095170A (en) Data processing method, device, system and computer readable storage medium
Kwant et al. Lattice klepto: Turning post-quantum crypto against itself
CN111049738B (en) E-mail data security protection method based on hybrid encryption
CA2819211C (en) Data encryption
Wang et al. Sender-anamorphic encryption reformulated: Achieving robust and generic constructions
Susmitha et al. Hybrid cryptography for secure file storage
US8788817B1 (en) Methods and apparatus for secure and reliable transmission of messages over a silent alarm channel
AlJabri et al. [Retracted] A Comprehensive Review of Lightweight Authenticated Encryption for IoT Devices
CN114205073B (en) Password Reverse Firewall and Its Security Defense Method
Erondu et al. An encryption and decryption model for data security using vigenere with advanced encryption standard
Azaim et al. Design and implementation of encrypted SMS on Android smartphone combining ECDSA-ECDH and AES
CN110932863B (en) Generalized signcryption method based on coding
Kartalopoulos Security of information and communication networks
KR102400260B1 (en) In-vehicle communication system based on edge computing using attribute-based access control and method thereof
JP2003008564A (en) Key share system, public key encryption system, signature system, key share device, encryption device, decoder, signature device, authentication device, key share method, encryption method, decoding method, signature method, authentication method, program
Al-Humadi Cryptography in Cloud Computing for Data Security and Network Security
Radhi et al. Secure and fast remote application–based authentication dragonfly using an led algorithm in smart buildings

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant