CN114221801A - A network security communication method and device - Google Patents


Info

Publication number
CN114221801A
Authority
CN
China
Prior art keywords
node
nodes
network security
communication method
network
Prior art date
Legal status
Pending
Application number
CN202111516317.7A
Other languages
Chinese (zh)
Inventor
刘亚雄
商广勇
李程
刘宁
马岩堂
Current Assignee
Shandong Inspur Industrial Internet Industry Co Ltd
Original Assignee
Shandong Inspur Industrial Internet Industry Co Ltd
Priority date
Filing date
Publication date
Application filed by Shandong Inspur Industrial Internet Industry Co Ltd
Priority to CN202111516317.7A
Publication of CN114221801A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/164 Adaptation or special uses of UDP protocol
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/26 Special purpose or proprietary protocols or architectures

Abstract

The invention relates to the technical field of communication protocols and specifically provides a network security communication method, characterized by the following steps: S1, start the node, open a port as the KCP protocol communication port between nodes, and then open the node discovery mechanism port; S2, through the node discovery mechanism, the nodes in the blockchain obtain the IP and KCP protocol listening ports of the peer nodes in the network; S3, establish a UDP-based KCP protocol connection between nodes; S4, the nodes negotiate to establish an encrypted channel; S5, messages are sent between nodes; S6, the node sends the message to the blockchain business layer for processing; S7, the KCP connections between nodes are disconnected in sequence. Compared with the prior art, the invention adopts an encrypted channel, which ensures the security of data communication, and has good promotion value.

Description

Network security communication method and device
Technical Field
The invention relates to the technical field of communication protocols, and particularly provides a network security communication method and device.
Background
TCP and UDP are the two main transport-layer protocols. TCP is a connection-oriented byte-stream protocol that provides a reliable service to the application layer; UDP is packet-oriented (as with IP packets: no connection needs to be established in advance when peer protocol stacks communicate), unreliable, and delivers on a best-effort basis. To achieve reliability, TCP implements message numbering, acknowledgement, timeout retransmission, sliding windows, congestion control and similar mechanisms, so TCP pays a considerable cost for its work.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a network security communication method with strong practicability.
The invention further aims to provide a network security communication device which is reasonable in design, safe and applicable.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a network security communication method comprises the following steps:
S1, start the node, open a port as the KCP protocol communication port between nodes, and open the node discovery mechanism port;
S2, through the node discovery mechanism, the node in the blockchain obtains the IP and KCP protocol listening port of the peer nodes in the network;
S3, establish a UDP-based KCP protocol connection between nodes;
S4, negotiate and establish an encrypted channel between nodes;
S5, send messages between nodes;
S6, the node sends the message to the blockchain service layer for processing;
S7, the KCP connections between the nodes are disconnected in sequence.
Further, in step S2, the node discovery mechanism is implemented with the Kademlia algorithm. When node A is started for the first time, it generates a unique node ID, recorded as NodeID;
node A performs ping-pong interaction with the public node through the hard-coded public node address, and if the public node is alive, the public node is added to the K bucket.
Further, node A sends a FIND_NODE request to the public node, obtains the nodes closest to itself, and adds the obtained nearby nodes to the K bucket; node A then sends the FIND_NODE request again to the nodes just obtained, obtains the information of the nodes adjacent to them and adds it to the K bucket, and these steps are repeated to build a routing table.
Preferably, node A starts a timer and refreshes the K buckets at intervals.
Further, in step S3, data communication is established with the nodes in the blockchain network using the IP and open port obtained in step S2.
Further, in step S4, the nodes use the Diffie-Hellman algorithm for key exchange: node A selects a large prime number p, a base g and a random number a, computes A = g^a mod p, and sends the values of p, g and A to node B;
after receiving them, B generates a random number b, computes B = g^b mod p, and then computes s = A^b mod p; B sends B to A, and A computes s1 = B^a mod p. Here s1 equals s, which serves as the key for the two-party communication;
both parties then start communicating using a preset symmetric encryption algorithm with s as the key.
Further, in step S5, node A encrypts the message using the key obtained in step S4 and sends the message to node B via the network communication data link of step S3.
Further, in step S6, after receiving the message through the network communication data link of step S3, node B decrypts the message using the key generated in step S4 and then forwards the message to the blockchain service layer for processing.
A network security communication device, comprising: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to perform a network security communication method.
Compared with the prior art, the network security communication method and device have the following outstanding beneficial effects:
under network fluctuation, a blockchain network using the KCP protocol can reduce network latency by about 30%-40% compared with a blockchain network using the TCP/IP protocol; that is, the number of data packets transmitted per unit time increases by 43%-67%, so the theoretical TPS at the network level increases by 43%-67%. Network penetrability is enhanced, and the probability that network equipment such as firewalls intercepts network data is reduced. An encrypted channel is adopted, which ensures the security of data communication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram of a network security communication method;
fig. 2 is a schematic architecture diagram of a network security communication method.
Detailed Description
The present invention will be described in further detail with reference to specific embodiments in order to better understand the technical solutions of the present invention. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A preferred embodiment is given below:
As shown in Figs. 1 and 2, the network security communication method of this embodiment includes the following steps:
S1, start the node, where the open port 12345 is the KCP protocol communication port between nodes and the open port 12346 is the port of the node discovery mechanism.
S2, through the node discovery mechanism, the node in the blockchain obtains the IP and KCP protocol listening port of the peer nodes in the network.
Node discovery is implemented with the Kademlia algorithm. When node A is started for the first time, it generates a unique node ID, recorded as NodeID. Node A performs ping-pong interaction with the public node through the hard-coded public node address, and if the public node is alive, the public node is added to the K bucket. Node A sends a FIND_NODE request to the public node, obtains the nodes closest to itself, and adds them to the K bucket. Node A then sends the FIND_NODE request again to the nodes just obtained, acquires information about the nodes adjacent to them and adds it to the K bucket. This is repeated until a sufficiently large routing table has been built.
Node A also starts a timer and refreshes the K buckets every several hours.
S3, establish a UDP-based KCP protocol connection between the nodes.
Through step S2 the node has acquired the IP and open port of the other nodes in the blockchain network, and it establishes data communication with them. Note that the communication protocol between the nodes is KCP carried over UDP.
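The discovery procedure of step S2 as an added Python example, not code from the patent: XOR-distance K buckets, the ping-pong with the hard-coded public node, and the iterative FIND_NODE rounds, run against a constructed offline network. The 160-bit ID width, the bucket size K = 20 and the way simulated peers answer FIND_NODE are assumptions; the patent fixes none of them.

```python
import random
import secrets

ID_BITS = 160   # Kademlia uses 160-bit node IDs (assumption: the patent does not state the width)
K = 20          # bucket size k (assumption; the patent does not fix it)

def new_node_id() -> int:
    """The unique NodeID a node generates on first start (step S2)."""
    return int.from_bytes(secrets.token_bytes(ID_BITS // 8), "big")

def xor_distance(a: int, b: int) -> int:
    return a ^ b

def bucket_index(self_id: int, other_id: int) -> int:
    """Bucket i holds contacts whose XOR distance from us lies in [2^i, 2^(i+1))."""
    d = xor_distance(self_id, other_id)
    if d == 0:
        raise ValueError("a node does not store itself")
    return d.bit_length() - 1

class RoutingTable:
    """The K buckets of one node; each contact is (node_id, ip, kcp_port)."""
    def __init__(self, self_id: int, k: int = K):
        self.self_id, self.k = self_id, k
        self.buckets = [[] for _ in range(ID_BITS)]

    def add(self, node_id: int, ip: str, port: int) -> bool:
        if node_id == self.self_id:
            return False
        bucket = self.buckets[bucket_index(self.self_id, node_id)]
        for i, (nid, _, _) in enumerate(bucket):
            if nid == node_id:               # known contact: move to tail as most recently seen
                bucket.append(bucket.pop(i))
                return True
        if len(bucket) >= self.k:            # full bucket (Kademlia would ping the head first)
            return False
        bucket.append((node_id, ip, port))
        return True

    def closest(self, target: int, n: int = 0) -> list:
        contacts = [c for b in self.buckets for c in b]
        contacts.sort(key=lambda c: xor_distance(c[0], target))
        return contacts[: n or self.k]

def bootstrap(self_id: int, public_node: tuple, ping, find_node, rounds: int = 3) -> RoutingTable:
    """Step S2: ping-pong the hard-coded public node, add it if alive, then repeatedly send
    FIND_NODE(self_id) to the closest known contacts and absorb the replies into the K buckets."""
    table = RoutingTable(self_id)
    if not ping(public_node):
        return table
    table.add(*public_node)
    queried = set()
    for _ in range(rounds):
        targets = [c for c in table.closest(self_id) if c[0] not in queried]
        if not targets:
            break
        for contact in targets:
            queried.add(contact[0])
            for peer in find_node(contact, self_id):
                table.add(*peer)
    return table

def build_demo_table(peer_count: int = 50, seed: int = 1):
    """Constructed offline network: each simulated peer answers FIND_NODE with the K peers it
    knows that are closest to the target; the public node is peers[0]. Returns (self_id, peers, table)."""
    rng = random.Random(seed)
    peers = [(rng.getrandbits(ID_BITS), f"10.0.0.{i + 1}", 12345) for i in range(peer_count)]
    self_id = rng.getrandbits(ID_BITS)
    def ping(contact):
        return contact in peers
    def find_node(contact, target):
        return sorted(peers, key=lambda c: xor_distance(c[0], target))[:K]
    return self_id, peers, bootstrap(self_id, peers[0], ping, find_node)
```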
S4, negotiate and establish the encrypted channel between the nodes.
First, key exchange is performed between the nodes using the Diffie-Hellman algorithm. Node A selects a large prime number p, a base g and a random number a, computes A = g^a mod p, and sends the values of p, g and A to node B; after receiving them, B generates a random number b, computes B = g^b mod p, and then computes s = A^b mod p; B sends B to A, and A computes s1 = B^a mod p. Here s1 equals s, which serves as the key for the two-party communication.
Both parties then start communicating using a preset symmetric encryption algorithm with s as the key.
S5, send the message: node A encrypts the message using the key obtained in step S4 and then sends it to node B through the network communication data link of step S3.
S6, receive the message: after node B receives the message through the network communication data link of step S3, it decrypts the message using the key generated in step S4 and then passes it to the blockchain service layer for processing.
S7, disconnect: the KCP connections between the nodes are disconnected in sequence.
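The key exchange of step S4 written out as an added Python example, not the patent's code: A picks (p, g, a), B checks what it receives before using it, and both sides arrive at the same s. The safe-prime generation at a toy 64-bit size (so it runs quickly; a deployment would use a standardized large group), the receiver-side validation and the SHA-256 key derivation are additions beyond the patent's steps.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (enough for a demo; production uses a standard group)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_safe_prime(bits: int) -> int:
    """The 'large prime p' of step S4, chosen as p = 2q + 1 with q prime (a safe prime)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def find_generator(p: int) -> int:
    """The base g: smallest element generating the prime-order-q subgroup of the safe prime p."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, q, p) == 1)

def validate_public(p: int, y: int) -> bool:
    """Receiver-side check on A or B: reject 0, 1, p-1 and values outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1

def validate_params(p: int, g: int) -> bool:
    """B receives (p, g) from A and checks them before use (added here; not a patent step)."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2) and validate_public(p, g)

class DHParty:
    """One node of the exchange: private exponent (a or b) and public value (A or B)."""
    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.x = secrets.randbelow((p - 1) // 2 - 1) + 1   # private exponent in [1, q-1]
        self.public = pow(g, self.x, p)                    # A = g^a mod p  or  B = g^b mod p

    def shared_secret(self, peer_public: int) -> int:
        if not validate_public(self.p, peer_public):
            raise ValueError("rejected peer public value")
        return pow(peer_public, self.x, self.p)            # s = A^b mod p  or  s1 = B^a mod p

def session_key(s: int, p: int) -> bytes:
    """Hash s into a fixed-length symmetric key (added step; the patent uses s itself as the key)."""
    return hashlib.sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def run_exchange(bits: int = 64) -> dict:
    """Replay step S4: A sends (p, g, A); B validates them and replies with B; both derive the key."""
    p = generate_safe_prime(bits)              # A selects p, g and a ...
    g = find_generator(p)
    node_a = DHParty(p, g)                     # ... and sends (p, g, A) to B
    if not validate_params(p, g):              # B checks what it received
        raise ValueError("B rejected the group parameters")
    node_b = DHParty(p, g)                     # B picks b and computes B
    s = node_b.shared_secret(node_a.public)    # B: s  = A^b mod p
    s1 = node_a.shared_secret(node_b.public)   # A: s1 = B^a mod p
    return {"p": p, "g": g, "s": s, "s1": s1,
            "key_a": session_key(s1, p), "key_b": session_key(s, p)}
```

As described, the exchange authenticates neither node: equal keys only prove that both ends computed them, so a deployment needs to bind A and B to the nodes' identities (for example by signing them) before trusting the channel.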
A network security communication device, comprising: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to perform a network security communication method.
The above embodiments are only specific cases of the present invention, and the protection scope of the present invention includes but is not limited to the above embodiments, and any suitable changes or substitutions that are consistent with the claims of a network security communication method and apparatus of the present invention and are made by those skilled in the art should fall within the protection scope of the present invention.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. A network security communication method, characterized by the following steps: S1, start the node, open a port as the KCP protocol communication port between nodes, and then open the node discovery mechanism port; S2, through the node discovery mechanism, the nodes in the blockchain obtain the IP and KCP protocol listening ports of the peer nodes in the network; S3, a UDP-based KCP protocol connection is established between nodes; S4, the nodes negotiate to establish an encrypted channel; S5, messages are sent between nodes; S6, the node sends the message to the blockchain business layer for processing; S7, the KCP connections between the nodes are disconnected in sequence.
2. The network security communication method according to claim 1, characterized in that, in step S2, the node discovery mechanism is implemented with the Kademlia algorithm; when node A starts for the first time, it generates a unique node ID, denoted NodeID; node A performs ping-pong interaction with the public node through the hard-coded public node address, and if the public node is alive, the public node is added to the K bucket.
3. The network security communication method according to claim 2, characterized in that node A sends a FIND_NODE request to the public node, obtains the nodes closest to itself, and adds the obtained nearby nodes to the K bucket; node A sends the FIND_NODE request again to the nodes just obtained, obtains the information of the nodes adjacent to them and adds it to the K bucket, and so on, to build a routing table.
4. The network security communication method according to claim 3, characterized in that node A starts a timer and refreshes the K buckets at regular intervals.
5. The network security communication method according to claim 4, characterized in that, in step S3, data communication is established with the nodes in the blockchain network using the IP and open port obtained in step S2.
6. The network security communication method according to claim 5, characterized in that, in step S4, the nodes use the Diffie-Hellman algorithm for key exchange: node A selects a large prime number p, a base g and a random number a, computes A = g^a mod p, and sends the values p, g and A to node B; after receiving them, B generates a random number b, computes B = g^b mod p, and then computes s = A^b mod p; B sends B to A, and A computes s1 = B^a mod p. Here s1 equals s and serves as the key for communication between the two parties; the two parties start communicating using the preset symmetric encryption algorithm with s as the key.
7. The network security communication method according to claim 6, characterized in that, in step S5, node A encrypts the message with the key obtained in step S4 and sends the message to node B through the network communication data link of step S3.
8. The network security communication method according to claim 7, characterized in that, in step S6, after node B receives the message through the network communication data link of step S3, it decrypts the message with the key generated in step S4 and then forwards the message to the blockchain business layer for processing.
9. A network security communication device, characterized by comprising: at least one memory and at least one processor; the at least one memory is used to store a machine-readable program; the at least one processor is used to invoke the machine-readable program to execute the method according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111516317.7A CN114221801A (en) 2021-12-08 2021-12-08 A network security communication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111516317.7A CN114221801A (en) 2021-12-08 2021-12-08 A network security communication method and device

Publications (1)

Publication Number Publication Date
CN114221801A true CN114221801A (en) 2022-03-22

Family

ID=80701223

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111516317.7A Pending CN114221801A (en) 2021-12-08 2021-12-08 A network security communication method and device

Country Status (1)

Country Link
CN (1) CN114221801A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7181014B1 (en) * 1999-09-10 2007-02-20 Cisco Technology, Inc. Processing method for key exchange among broadcast or multicast groups that provides a more efficient substitute for Diffie-Hellman key exchange
CN109005194A (en) * 2018-09-04 2018-12-14 厦门安胜网络科技有限公司 Portless shadow communication means and computer storage medium based on KCP agreement
CN112104517A (en) * 2020-11-23 2020-12-18 腾讯科技(深圳)有限公司 Data processing method based on block chain network and related device
CN112737916A (en) * 2020-11-23 2021-04-30 腾讯科技(深圳)有限公司 Data processing method based on block chain network and related device

Non-Patent Citations (1)

Title
任伟 (Ren Wei): "Modern Cryptography, 2nd edition", 31 December 2014, Beijing University of Posts and Telecommunications Press, page 140 *

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN115190162A (en) * 2022-06-27 2022-10-14 杭州溪塔科技有限公司 Proxy service configuration method and proxy service system in block chain
CN115190162B (en) * 2022-06-27 2023-11-28 杭州溪塔科技有限公司 Proxy service configuration method and proxy service system in block chain

Legal Events

Date Code Title
2022-03-22 PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220322