CN114338167B - Communication encryption system, method, storage medium and electronic device - Google Patents


Info

Publication number: CN114338167B
Authority: CN (China)
Prior art keywords: information table, switch, data received, internal network, network equipment
Legal status: Active
Application number: CN202111636420.5A
Other languages: Chinese (zh)
Other versions: CN114338167A
Inventors: 朱敏, 李江
Current assignee: Wuxi Muchuang Integrated Circuit Design Co ltd
Original assignee: Wuxi Muchuang Integrated Circuit Design Co ltd
Events: application filed by Wuxi Muchuang Integrated Circuit Design Co ltd; priority to CN202111636420.5A; publication of CN114338167A; application granted; publication of CN114338167B; legal status active; anticipated expiration


Abstract

The application relates to the technical field of communication encryption, and in particular to a communication encryption system, method, storage medium and electronic device. The system comprises: a borrowing unit, for setting the IP address of the communication encryption system to the IP address of the switch in the internal network; a transparent transmission unit, connected to the borrowing unit, for carrying out data interaction with the opposite-end network device through the router using the IP address of the switch; and a key unit, connected to the transparent transmission unit, for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router. By borrowing the IP address, the application inserts the communication encryption system between the switch and the router and encrypts the data interaction without changing the original network structure.

Description

Communication encryption system, method, storage medium and electronic device
Technical Field
The present application relates to the field of communications encryption technologies, and in particular, to a communications encryption system, a method, a storage medium, and an electronic device.
Background
In recent years, as network communication services have developed alongside the wide use of the internet, network security has become a problem that people must face. On the early internet, which had no security protection, hackers could easily acquire people's private information and constantly monitor, steal, impersonate and tamper with important information, posing great risks to the safety of life and property. VPN devices such as security gateways and network encryptors are now widely deployed; they encrypt and protect important information and greatly improve the security of network interaction. However, in early networks, because IPv4 addresses were planned carefully and for security reasons, the network communication device nodes between the public network and the private network reserved only the IP addresses of the existing network devices and reserved no IP address for network devices added later, which makes adding a network device difficult.
The existing solutions include: deploying the encryption device at the innermost layer of the protected network, which has the problem that the number of devices to be protected in the internal network is large and hard to cover completely; and deploying the encryption device at the outermost layer of the protected network, which requires changing the whole address structure of the protected network and involves an enormous amount of engineering work.
Disclosure of Invention
In order to solve these problems, the application provides a communication encryption system, a method, a storage medium and an electronic device, which address the technical problems in the related art that network devices are difficult to add because the network communication device nodes reserve no IP address for later-stage network devices, and that changing the address structure involves an enormous amount of engineering work.
In a first aspect, the present application provides a communications encryption system, the system comprising:
a borrowing unit, configured to set an IP address of the communication encryption system as an IP address of a switch in an internal network;
The transparent transmission unit is connected with the borrowing unit and is used for carrying out data interaction with the opposite-end network equipment through the router by using the IP address of the switch;
and the key unit is connected with the transmission unit and used for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router.
In some embodiments, the borrowing unit comprises:
the borrowing subunit is used for acquiring the IP address of the switch in the internal network;
And the setting subunit is used for setting the IP address of the switch as the IP address of the communication encryption system.
In some embodiments, the transparent transmission unit is configured to send a data interaction protocol to the opposite-end network device using the IP address of the switch, receive the protocol feedback sent by the opposite-end network device, and establish the data interaction protocol with the opposite-end network device; and to carry out data interaction with the opposite-end network device through the data interaction protocol.
In some embodiments, the transparent transmission unit is configured to send data received from the router to the switch, and to send data received from the switch to the router.
In some embodiments, the key unit is configured to determine, before the transparent transmission unit sends the data received from the router to the switch, whether the data received from the router is encrypted; and if the data received from the router is judged to be encrypted, to decrypt the data received from the router.
In some embodiments, the key unit is configured to determine, according to the preset encryption rule, whether the data received from the switch needs encryption before the transparent transmission unit sends the data received from the switch to the router; and if the data received from the switch is judged to need encryption, to encrypt the data received from the switch.
In some embodiments, the system further comprises: an encryption rule setting unit configured to set the preset encryption rule;
wherein the preset encryption rule comprises: the information of the internal network devices that are connected to the switch and need encryption is stored in advance in an encryption device information table in a five-tuple format; and the key unit obtains five-tuple information from the data received from the switch, searches the encryption device information table according to the five-tuple information, encrypts the data received from the switch if the corresponding internal network device information is found, and does not encrypt the data received from the switch if the corresponding internal network device information is not found.
In some embodiments, the encryption device information table includes a first information table and a second information table, where the first information table stores all internal network device information that needs to be encrypted and is connected to the switch, and the second information table stores the internal network device information that the key unit has found in the first information table;
the key unit obtains five-tuple information from the data received from the switch and, when searching the encryption device information table, searches the second information table first; if the corresponding internal network device information is found in the second information table, it does not search the first information table, resets the timer of the internal network device information found in the second information table to zero, and encrypts the data received from the switch;
if the key unit does not find the corresponding internal network device information in the second information table, it searches the first information table, stores the internal network device information found in the first information table into the second information table, and starts a timer for that information in the second information table;
and each piece of internal network device information stored in the second information table starts timing when it is stored in the second information table and is automatically deleted from the second information table when the preset time is reached.
In a second aspect, a method of encrypting communications, the method comprising:
Setting an IP address of a communication encryption system as an IP address of a switch in an internal network;
using the IP address of the switch to perform data interaction with the opposite-end network equipment through the router;
Encrypting data received from the switch according to a preset encryption rule, and decrypting data received from the router.
In a third aspect, a storage medium stores a computer program executable by one or more processors for implementing a communication encryption method according to the second aspect.
In a fourth aspect, an electronic device includes a memory and a processor, where the memory stores a computer program, where the memory and the processor are communicatively connected to each other, and where the computer program, when executed by the processor, performs the communication encryption method according to the second aspect.
The application provides a communication encryption system, a method, a storage medium and an electronic device. The system comprises: a borrowing unit, connected to the switch, for setting the IP address of the communication encryption system to the IP address of the switch in the internal network; a transparent transmission unit, connected to the router, the switch and the borrowing unit respectively, for carrying out data interaction with the opposite-end network device through the router using the IP address of the switch; and a key unit, connected to the transparent transmission unit, for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router. By borrowing the IP address, the application inserts the communication encryption system between the switch and the router and encrypts the data interaction without changing the original network structure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a communication encryption system according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an original communication network according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a communication encryption system according to an embodiment of the present application after the communication encryption system is connected to a communication network;
fig. 4 is a schematic flow chart of a communication encryption method according to an embodiment of the present application;
fig. 5 is a connection block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following describes embodiments of the present application in detail with reference to the drawings and examples, so that how the present application applies technical means to solve the technical problems and achieve the corresponding technical effects can be fully understood and implemented. The embodiments of the application and the features in the embodiments may be combined with each other where there is no conflict, and the resulting technical solutions fall within the protection scope of the application.
As described in the background, for the problem that the network communication device nodes reserve no IP address for later-stage network devices, the existing solutions include: deploying the encryption device at the innermost layer of the protected network, which has the problem that the number of devices to be protected in the internal network is large and hard to cover completely; and deploying the encryption device at the outermost layer of the protected network, which requires changing the whole address structure of the protected network and involves an enormous amount of engineering work.
In view of this, the present application provides a communication encryption system, a method, a storage medium and an electronic device, which address the technical problems in the related art that network devices are difficult to add because the network communication device nodes reserve no IP address for later-stage network devices, and that changing the address structure involves an enormous amount of engineering work.
Example 1
Fig. 1 is a schematic structural diagram of a communication encryption system according to an embodiment of the present application, where, as shown in fig. 1, the system includes:
a borrowing unit 101, configured to set an IP address of the communication encryption system as an IP address of a switch in an internal network;
a transparent transmission unit 102, connected to the borrowing unit and configured to carry out data interaction with the opposite-end network device through a router using the IP address of the switch;
and a key unit 103, connected to the transparent transmission unit and configured to encrypt the data received from the switch according to a preset encryption rule and to decrypt the data received from the router.
It should be noted that fig. 3 is a schematic structural diagram of the communication encryption system of the present application after it is connected to the communication network. The communication encryption system sits between the switch and the router; at this position it can acquire the communication data of all internal network devices connected to the switch without changing the network structure, which makes it convenient to protect all internal network devices connected to the switch when they communicate with the outside. However, there is the following problem: because of the limits of network planning and early network security considerations, no spare IP address is available between the switch and the router for another network device. As shown in fig. 2, a schematic diagram of the original communication network structure, in the 192.168.0.0/30 network only two addresses, 192.168.0.1 and 192.168.0.2, are usable, one allocated to the router and the other to the switch. To solve this problem, the application adds the communication encryption system by borrowing the IP address of the switch.
In some embodiments, the borrowing unit comprises:
the borrowing subunit is used for acquiring the IP address of the switch in the internal network;
And the setting subunit is used for setting the IP address of the switch as the IP address of the communication encryption system.
In some embodiments, the transparent transmission unit is configured to send a data interaction protocol to the opposite-end network device using the IP address of the switch, receive the protocol feedback sent by the opposite-end network device, and establish the data interaction protocol with the opposite-end network device; and to carry out data interaction with the opposite-end network device through the data interaction protocol.
The transparent transmission unit of the communication encryption system uses methods such as ARP address binding and ARP transparent transmission, and uses the switch's IP address 192.168.0.2 to carry out key negotiation and encrypted communication with the communication encryption system of the opposite-end network device. When the encryption system uses the internal device's IP address 192.168.0.2 to send a negotiation packet to the opposite-end encryption system, the negotiation packet returned by the opposite-end encryption system still carries the internal device's IP address 192.168.0.2 as its destination address; when that packet arrives at the encryption system, the encryption system processes the negotiation locally, and the key negotiation is completed over several such exchanges.
In some embodiments, the transparent transmission unit is configured to send data received from the router to the switch, and to send data received from the switch to the router.
It should be noted that, so that data transmission is not affected by inserting a communication encryption system between the switch and the router, the transparent transmission unit "passes through" the service communication data sent by all network devices themselves using the ARP transparent transmission method. When an external network device needs to perform ARP address confirmation (internal network devices can reach the network device with the borrowed address directly), the encryption system forwards the ARP address-confirmation packet to the network device whose address was borrowed, and that network device replies to the external network device's ARP request.
In some embodiments, the key unit is configured to determine, before the transparent transmission unit sends the data received from the router to the switch, whether the data received from the router is encrypted; and if the data received from the router is judged to be encrypted, to decrypt the data received from the router.
In some embodiments, the key unit is configured to determine, according to the preset encryption rule, whether the data received from the switch needs encryption before the transparent transmission unit sends the data received from the switch to the router; and if the data received from the switch is judged to need encryption, to encrypt the data received from the switch.
In some embodiments, the system further comprises: an encryption rule setting unit configured to set the preset encryption rule;
wherein the preset encryption rule comprises: the information of the internal network devices that are connected to the switch and need encryption is stored in advance in an encryption device information table in a five-tuple format; and the key unit obtains five-tuple information from the data received from the switch, searches the encryption device information table according to the five-tuple information, encrypts the data received from the switch if the corresponding internal network device information is found, and does not encrypt the data received from the switch if the corresponding internal network device information is not found.
In some embodiments, the encryption device information table includes a first information table and a second information table, where the first information table stores all internal network device information that needs to be encrypted and is connected to the switch, and the second information table stores the internal network device information that the key unit has found in the first information table;
the key unit obtains five-tuple information from the data received from the switch and, when searching the encryption device information table, searches the second information table first; if the corresponding internal network device information is found in the second information table, it does not search the first information table, resets the timer of the internal network device information found in the second information table to zero, and encrypts the data received from the switch;
if the key unit does not find the corresponding internal network device information in the second information table, it searches the first information table, stores the internal network device information found in the first information table into the second information table, and starts a timer for that information in the second information table;
and each piece of internal network device information stored in the second information table starts timing when it is stored in the second information table and is automatically deleted from the second information table when the preset time is reached.
It should be noted that the first information table in the encryption device information table is a policy summary table that the user maintains manually by adding, modifying and deleting entries. Each policy in the table uses its five-tuple features to generate a policy ID, and the policy IDs are stored in sorted order so that the table can be searched efficiently by binary search.
The second information table is a policy hash table. It is generated automatically the first time the first information table is searched according to the five-tuple information in the communication data, and the next time data with the same five-tuple is looked up, the second information table is consulted directly. Every time an entry is found, the timer of the internal network device information found is reset to 0; each piece of internal network device information stored in the second information table starts timing when it is stored there and is automatically deleted from the second information table when the preset time is reached.
The first information table includes: policy ID, source address range, destination address range, port range, destination port range, protocol, action, algorithm ID, key, priority.
The second information table includes: hash value, priority, action.
In summary, an embodiment of the present application provides a communication encryption system comprising: a borrowing unit, connected to the switch, for setting the IP address of the communication encryption system to the IP address of the switch in the internal network; a transparent transmission unit, connected to the router, the switch and the borrowing unit respectively, for carrying out data interaction with the opposite-end network device through the router using the IP address of the switch; and a key unit, connected to the transparent transmission unit, for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router. By borrowing the IP address, the application inserts the communication encryption system between the switch and the router and encrypts the data interaction without changing the original network structure.
Example two
Based on the communication encryption system disclosed in the above embodiment, fig. 4 discloses a communication encryption method that uses the communication encryption system.
As shown in fig. 4, an embodiment of the present invention discloses a communication encryption method, which includes:
S301, setting the IP address of the communication encryption system to the IP address of the switch in the internal network;
S302, using the IP address of the switch to carry out data interaction with the opposite-end network device through the router;
S303, encrypting the data received from the switch according to a preset encryption rule, and decrypting the data received from the router.
It should be noted that, as shown in fig. 3, the communication encryption system sits between the switch and the router; at this position it can acquire the communication data of all internal network devices connected to the switch without changing the network structure, which makes it convenient to protect all internal network devices connected to the switch when they communicate with the outside. However, there is the following problem: because of the limits of network planning and early network security considerations, no spare IP address is available between the switch and the router for another network device. As shown in fig. 2, a schematic diagram of the original communication network structure, in the 192.168.0.0/30 network only two addresses, 192.168.0.1 and 192.168.0.2, are usable, one allocated to the router and the other to the switch. To solve this problem, the application adds the communication encryption system by borrowing the IP address of the switch.
In some embodiments, the setting the IP address of the communication encryption system to be the IP address of the switch in the internal network includes:
Acquiring an IP address of a switch in an internal network;
And setting the IP address of the switch as the IP address of the communication encryption system.
In some embodiments, the data interaction with the peer network device through the router using the IP address of the switch includes:
sending a data interaction protocol to the opposite-end network device using the IP address of the switch, receiving the protocol feedback sent by the opposite-end network device, and establishing the data interaction protocol with the opposite-end network device; and carrying out data interaction with the opposite-end network device through the data interaction protocol.
The transparent transmission unit of the communication encryption system uses methods such as ARP address binding and ARP transparent transmission, and uses the switch's IP address 192.168.0.2 to carry out key negotiation and encrypted communication with the communication encryption system of the opposite-end network device. When the encryption system uses the internal device's IP address 192.168.0.2 to send a negotiation packet to the opposite-end encryption system, the negotiation packet returned by the opposite-end encryption system still carries the internal device's IP address 192.168.0.2 as its destination address; when that packet arrives at the encryption system, the encryption system processes the negotiation locally, and the key negotiation is completed over several such exchanges.
In some embodiments, the data interaction with the peer network device through the router using the IP address of the switch includes:
sending data received from the router to the switch, and sending data received from the switch to the router.
It should be noted that, so that data transmission is not affected by inserting a communication encryption system between the switch and the router, the transparent transmission unit "passes through" the service communication data sent by all network devices themselves using the ARP transparent transmission method. When an external network device needs to perform ARP address confirmation (internal network devices can reach the network device with the borrowed address directly), the encryption system forwards the ARP address-confirmation packet to the network device whose address was borrowed, and that network device replies to the external network device's ARP request.
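The key-negotiation and ARP pass-through behaviour described in the two notes above (and in the identical notes on the system in Example 1) comes down to a per-frame decision at the inline encryptor: ARP is never consumed, only negotiation replies addressed to the borrowed IP are handled locally, and everything else is passed through, decrypted or encrypted. The following classifier is an added example written for this page, not the patent's own code; it assumes a dedicated UDP negotiation port (NEGOTIATION_PORT), a fixed marker (ENC_MAGIC) at the start of every encrypted payload, and a constructed stand-in policy (demo_policy), none of which the patent specifies.

```python
"""Frame handling at an inline encryptor that has borrowed the switch's IP.

Added example, not the patent's code.  Assumptions not in the patent text:
  * key negotiation between the two encryptors is UDP on NEGOTIATION_PORT;
  * encrypted payloads start with the marker ENC_MAGIC;
  * the encrypt/bypass decision is supplied as a callable (demo_policy below
    is a constructed stand-in for the key unit's policy table).
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

BORROWED_IP = "192.168.0.2"   # the switch's address in the patent's 192.168.0.0/30 example
NEGOTIATION_PORT = 4500       # assumed UDP port used only by the two encryptors
ENC_MAGIC = b"CES1"           # assumed marker prepended to every encrypted payload

FiveTuple = Tuple[str, str, str, int, int]  # src_ip, dst_ip, proto, src_port, dst_port


@dataclass
class Frame:
    ingress: str          # "router" (external side) or "switch" (internal side)
    ethertype: str        # "ARP" or "IP"
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""       # "TCP", "UDP", "ICMP", ...
    src_port: int = 0
    dst_port: int = 0
    payload: bytes = b""

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


def is_encrypted(payload: bytes) -> bool:
    """The key unit's 'is this data encrypted?' check on the router side."""
    return payload.startswith(ENC_MAGIC)


def is_own_negotiation(frame: Frame) -> bool:
    """Replies from the peer encryptor are addressed to the borrowed IP; only the
    negotiation port is consumed locally, everything else for that IP still
    belongs to the switch (e.g. its management services)."""
    return (frame.dst_ip == BORROWED_IP and frame.proto == "UDP"
            and frame.dst_port == NEGOTIATION_PORT)


def classify(frame: Frame, needs_encryption: Callable[[FiveTuple], bool]) -> str:
    """Return the action the transparent transmission unit / key unit takes."""
    # ARP passes through untouched in both directions: the device whose address
    # was borrowed answers the request itself (the patent's ARP transparent transmission).
    if frame.ethertype == "ARP":
        return "forward_to_switch" if frame.ingress == "router" else "forward_to_router"
    if frame.ingress == "router":
        if is_own_negotiation(frame):
            return "handle_locally"
        if is_encrypted(frame.payload):
            return "decrypt_then_forward_to_switch"
        return "forward_to_switch"
    if frame.ingress == "switch":
        if needs_encryption(frame.five_tuple()):
            return "encrypt_then_forward_to_router"
        return "forward_to_router"
    raise ValueError(f"unknown ingress {frame.ingress!r}")


def demo_policy(ft: FiveTuple) -> bool:
    """Constructed stand-in policy: encrypt traffic from the protected
    192.168.10.0/24 segment to the peer site 10.20.0.0/16, nothing else."""
    src, dst, _proto, _sport, _dport = ft
    return src.startswith("192.168.10.") and dst.startswith("10.20.")


# Constructed frames, one per branch of the classifier.
SAMPLE_FRAMES: List[Frame] = [
    Frame("router", "ARP"),                                                      # ARP from outside
    Frame("router", "IP", "10.20.0.1", BORROWED_IP, "UDP", 4500, NEGOTIATION_PORT, b"nego"),
    Frame("router", "IP", "10.20.0.1", "192.168.10.5", "TCP", 443, 40000, ENC_MAGIC + b"\x01..."),
    Frame("router", "IP", "10.20.0.1", BORROWED_IP, "TCP", 50000, 22, b"ssh"),   # switch's own SSH
    Frame("switch", "IP", "192.168.10.5", "10.20.0.7", "TCP", 40000, 443, b"GET"),
    Frame("switch", "IP", "192.168.10.5", "8.8.8.8", "UDP", 5353, 53, b"dns"),
]


def run_samples() -> List[str]:
    return [classify(f, demo_policy) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for f, action in zip(SAMPLE_FRAMES, run_samples()):
        print(f"{f.ingress:6} {f.ethertype:3} {f.dst_ip:14} -> {action}")
```

The fourth sample frame is the one worth noticing: traffic to 192.168.0.2 on a port other than the negotiation port is still the switch's own traffic and must reach it unchanged, so the split between "handle locally" and "pass through" rests entirely on the negotiation port. Whatever reaches that port is consumed by the encryptor, which is why the negotiation handler behind it has to authenticate the peer and bound its resource use.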
In some embodiments, encrypting the data received from the switch and decrypting the data received from the router according to the preset encryption rule includes:
before the transparent transmission unit sends the data received from the router to the switch, judging whether the data received from the router is encrypted or not; and if the data received from the router is judged to be encrypted, decrypting the data received from the router.
In some embodiments, encrypting the data received from the switch and decrypting the data received from the router according to the preset encryption rule includes:
Before the transparent transmission unit sends the data received from the switch to the router, judging whether the data received from the switch needs to be encrypted or not according to the preset encryption rule; and if the data received from the switch is judged to need encryption, encrypting the data received from the switch.
In some embodiments, the preset encryption rule includes:
The internal network device information that needs to be encrypted and is connected to the switch is stored in advance in an encryption device information table in five-tuple format. The key unit acquires the five-tuple information from the data received from the switch and looks it up in the encryption device information table: if matching internal network device information is found, the data received from the switch is encrypted; if none is found, the data received from the switch is not encrypted.
In some embodiments, the encryption device information table includes a first information table and a second information table. The first information table stores all internal network device information that needs to be encrypted and is connected to the switch; the second information table stores the internal network device information that the key unit has already found in the first information table.
When searching the encryption device information table, the key unit obtains the five-tuple information from the data received from the switch and searches the second information table first. If the corresponding internal network device information is found in the second information table, the first information table is not searched; the timer of that entry in the second information table is reset to zero, and the data received from the switch is encrypted.
If the key unit does not find the corresponding internal network device information in the second information table, it searches the first information table, stores the internal network device information found there in the second information table, and starts a timer for that entry in the second information table.
Each piece of internal network device information stored in the second information table starts timing when it is stored, and is automatically deleted from the second information table when the preset time is reached.
It should be noted that the first information table in the encryption device information table is a policy summary table, which the user maintains manually by adding, modifying and deleting entries. Each policy in the table generates a policy ID from its five-tuple features, and the policy IDs are stored in sorted order so that the table can be searched efficiently by binary lookup.
The second information table is a policy hash table. It is generated automatically when the first information table is searched for the first time according to the five-tuple information in the communication data; when data with the same five-tuple is looked up next time, the second information table is consulted directly. Each time an entry is hit, its timer is reset to zero; each piece of internal network device information stored in the second information table starts timing when it is stored, and is automatically deleted from the second information table when the preset time is reached.
The first information table includes: policy ID, source address range, destination address range, port range, destination port range, protocol, action, algorithm ID, key, priority.
The second information table includes: hash value, priority, action.
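A compact model of the two-level lookup described above, written here as an added illustration rather than the patent's own code. The policy row fields, CIDR-based range matching, the action names "encrypt" and "bypass", the "highest priority wins" tie-break and the injected clock are assumptions; for brevity the first-table search is a linear scan over the sorted table, where the page describes a binary lookup on policy IDs.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (source IP, destination IP, source port, destination port, protocol)
FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Policy:
    """One row of the first information table (the policy summary table)."""
    policy_id: int
    src_range: str            # CIDR; assumed encoding of "source address range"
    dst_range: str
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]
    protocol: str             # "tcp", "udp" or "any"
    action: str               # "encrypt" or "bypass" (assumed action names)
    algorithm_id: int
    key_ref: str              # reference to key material held elsewhere
    priority: int

    def matches(self, ft: FiveTuple) -> bool:
        src_ip, dst_ip, sport, dport, proto = ft
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_range)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_range)
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1]
                and self.protocol in ("any", proto))


@dataclass
class CacheEntry:
    """One row of the second information table (the policy hash table)."""
    priority: int
    action: str
    last_hit: float           # timer start; reset to "now" on every hit


class EncryptionRuleTable:
    def __init__(self, policies: List[Policy], ttl_seconds: float) -> None:
        # First table: kept sorted by policy ID, as the page describes.
        self.first_table = sorted(policies, key=lambda p: p.policy_id)
        self.ttl = ttl_seconds
        self.second_table: Dict[str, CacheEntry] = {}

    @staticmethod
    def five_tuple_hash(ft: FiveTuple) -> str:
        # Deterministic key for the hash table (Python's hash() is salted per process).
        return hashlib.sha256("|".join(map(str, ft)).encode()).hexdigest()

    def purge(self, now: float) -> int:
        """Drop every cached entry whose timer has reached the preset time."""
        expired = [h for h, e in self.second_table.items() if now - e.last_hit >= self.ttl]
        for h in expired:
            del self.second_table[h]
        return len(expired)

    def lookup(self, ft: FiveTuple, now: float) -> Tuple[str, Optional[str]]:
        """Return (action, which table answered): 'second', 'first' or None."""
        self.purge(now)
        h = self.five_tuple_hash(ft)
        entry = self.second_table.get(h)
        if entry is not None:
            entry.last_hit = now          # hit: reset the timer, skip the first table
            return entry.action, "second"
        matches = [p for p in self.first_table if p.matches(ft)]
        if not matches:
            return "bypass", None         # not found: forwarded without encryption
        best = max(matches, key=lambda p: p.priority)   # assumed tie-break
        self.second_table[h] = CacheEntry(best.priority, best.action, now)
        return best.action, "first"


if __name__ == "__main__":
    # Constructed sample policies and flow, not taken from the page.
    table = EncryptionRuleTable([
        Policy(2, "10.0.1.0/24", "192.168.0.0/16", (0, 65535), (443, 443), "tcp", "encrypt", 1, "key-01", 10),
        Policy(1, "10.0.0.0/8", "0.0.0.0/0", (0, 65535), (0, 65535), "any", "bypass", 0, "", 1),
    ], ttl_seconds=30.0)
    flow = ("10.0.1.7", "192.168.5.9", 51000, 443, "tcp")
    print(table.lookup(flow, 0.0), table.lookup(flow, 10.0), table.lookup(flow, 69.0))
```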
The specific working process in the communication encryption method disclosed in the above embodiment of the present invention may refer to the corresponding content in the communication encryption system disclosed in the above embodiment of the present invention, and will not be described herein again.
In summary, the embodiment of the present application provides a communication encryption method, including: setting an IP address of a communication encryption system as an IP address of a switch in an internal network; using the IP address of the switch to perform data interaction with the opposite-end network equipment through the router; encrypting data received from the switch according to a preset encryption rule, and decrypting data received from the router. The application adds the communication encryption system between the switch and the router by means of borrowing the IP address, and realizes the encryption of data interaction under the condition of not changing the original network structure.
Example III
The present embodiment also provides a computer readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored, which when executed by a processor, can implement the method steps as in the first embodiment, and the present embodiment will not be repeated here.
Example IV
Fig. 5 is a connection block diagram of an electronic device 500 according to an embodiment of the present application, as shown in fig. 5, the electronic device 500 may include: a processor 501, a memory 502, a multimedia component 503, an input/output (I/O) interface 504, and a communication component 505.
Wherein the processor 501 is configured to perform all or part of the steps in the communication encryption method as in the first embodiment. The memory 502 is used to store various types of data, which may include, for example, instructions for any application or method in the electronic device, as well as application-related data.
The processor 501 may be an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a controller, a microcontroller, a microprocessor, or other electronic component for implementing the communication encryption method in the above embodiment.
The memory 502 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, a magnetic disk, or an optical disk.
The multimedia component 503 may include a screen, which may be a touch screen, and an audio component for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may be further stored in a memory or transmitted through a communication component. The audio assembly further comprises at least one speaker for outputting audio signals.
The I/O interface 504 provides an interface between the processor 501 and other interface modules, which may be a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons.
The communication component 505 is used for wired or wireless communication between the electronic device 500 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them; accordingly, the communication component 505 may comprise a Wi-Fi module, a Bluetooth module and an NFC module.
In summary, the present application provides a communication encryption system, a method, a storage medium and an electronic device, where the system includes: the borrowing unit, connected to the switch, used for setting the IP address of the communication encryption system as the IP address of the switch in the internal network; the transparent transmission unit, connected to the router, the switch and the borrowing unit respectively, used for carrying out data interaction with the opposite-end network equipment through the router by using the IP address of the switch; and the key unit, connected to the transparent transmission unit, used for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router. The application adds the communication encryption system between the switch and the router by means of borrowing the IP address, and realizes the encryption of data interaction under the condition of not changing the original network structure.
In the embodiments provided in the present application, it should be understood that the disclosed method may be implemented in other manners. The method embodiments described above are merely illustrative.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises that element.
Although the embodiments of the present application are described above, the above description is only for the convenience of understanding the present application, and is not intended to limit the present application. Any person skilled in the art can make any modification and variation in form and detail without departing from the spirit and scope of the present disclosure, but the scope of the present disclosure is still subject to the scope of the appended claims.

Claims (9)

1. A communication encryption system, the system comprising:
a borrowing unit, configured to set an IP address of the communication encryption system as an IP address of a switch in an internal network;
The transparent transmission unit is connected with the borrowing unit and is used for carrying out data interaction with the opposite-end network equipment through the router by using the IP address of the switch;
The key unit is connected with the transmission unit and used for encrypting the data received from the switch according to a preset encryption rule and decrypting the data received from the router;
An encryption rule setting unit configured to set the preset encryption rule;
wherein, the preset encryption rule comprises: the internal network equipment information which needs to be encrypted and is connected with the switch is stored in an encryption equipment information table in advance according to a five-tuple format; the key unit acquires quintuple information from the data received from the switch, searches the encryption equipment information table according to the quintuple information, encrypts the data received from the switch if corresponding internal network equipment information is searched, and does not encrypt the data received from the switch if corresponding internal network equipment information is not searched;
The encryption equipment information table comprises a first information table and a second information table, wherein the first information table stores all internal network equipment information which needs to be encrypted and is connected with the switch, and the second information table stores the internal network equipment information searched in the first information table by the key unit;
The key unit obtains quintuple information from the data received from the switch, searches the second information table when searching the encryption equipment information table, and if the corresponding internal network equipment information is searched in the second information table, does not search the first information table any more, and sets a timer of the internal network equipment information searched in the second information table to zero, and encrypts the data received from the switch;
If the key unit does not find the corresponding internal network equipment information in the second information table, the first information table is found, the internal network equipment information found in the first information table is stored in the second information table, and the internal network equipment information found in the first information table is started to be timed in the second information table through a timer;
And each piece of internal network equipment information stored in the second information table starts timing when being stored in the second information table, and is automatically deleted from the second information table when the preset time is reached.
2. The system of claim 1, wherein the borrowing unit comprises:
the borrowing subunit is used for acquiring the IP address of the switch in the internal network;
And the setting subunit is used for setting the IP address of the switch as the IP address of the communication encryption system.
3. The system according to claim 1, wherein the transparent transmission unit is configured to send a data interaction protocol to the peer network device using an IP address of the switch, and receive a protocol feedback sent by the peer network device, and establish a data interaction protocol with the peer network device; and carrying out data interaction with the opposite-end network equipment through the data interaction protocol.
4. A system according to claim 3, wherein the transparent transmission unit is configured to send data received from the router to the switch, and to send data received from the switch to the router.
5. The system of claim 4, wherein the key unit is configured to determine whether the data received from the router is encrypted before the transparent transmission unit sends the data received from the router to the switch; and if the data received from the router is judged to be encrypted, to decrypt the data received from the router.
6. The system of claim 4, wherein the key unit is configured to determine, according to the preset encryption rule, whether the data received from the switch needs encryption before the transparent transmission unit sends the data received from the switch to the router; and if the data received from the switch is judged to need encryption, to encrypt the data received from the switch.
7. A method of encrypting communications, the method comprising:
Setting an IP address of a communication encryption system as an IP address of a switch in an internal network;
using the IP address of the switch to perform data interaction with the opposite-end network equipment through the router;
encrypting the data received from the switch according to a preset encryption rule, and decrypting the data received from the router;
Setting the preset encryption rule;
Wherein, the preset encryption rule comprises: the internal network equipment information which needs to be encrypted and is connected with the switch is stored in an encryption equipment information table in advance according to a five-tuple format; the key unit acquires quintuple information from the data received from the switch, searches the encryption equipment information table according to the quintuple information, encrypts the data received from the switch if the corresponding internal network equipment information is found, and does not encrypt the data received from the switch if the corresponding internal network equipment information is not found;
The encryption equipment information table comprises a first information table and a second information table, wherein the first information table stores all internal network equipment information which needs to be encrypted and is connected with the switch, and the second information table stores the internal network equipment information searched in the first information table by the key unit;
The key unit obtains quintuple information from the data received from the switch, searches the second information table when searching the encryption equipment information table, and if the corresponding internal network equipment information is searched in the second information table, does not search the first information table any more, and sets a timer of the internal network equipment information searched in the second information table to zero, and encrypts the data received from the switch;
If the key unit does not find the corresponding internal network equipment information in the second information table, the first information table is found, the internal network equipment information found in the first information table is stored in the second information table, and the internal network equipment information found in the first information table is started to be timed in the second information table through a timer;
And each piece of internal network equipment information stored in the second information table starts timing when being stored in the second information table, and is automatically deleted from the second information table when the preset time is reached.
8. A storage medium storing a computer program executable by one or more processors for implementing the communications encryption method of claim 7.
9. An electronic device comprising a memory and a processor, wherein the memory has stored thereon a computer program, the memory and the processor being communicatively coupled to each other, the computer program, when executed by the processor, performing the communication encryption method of claim 7.
CN202111636420.5A 2021-12-29 2021-12-29 Communication encryption system, method, storage medium and electronic device Active CN114338167B (en)


Publications (2)

Publication Number Publication Date
CN114338167A CN114338167A (en) 2022-04-12
CN114338167B true CN114338167B (en) 2024-04-30

Family

ID=81017399




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant