CN115225311B - Pseudo bracket ciphertext proxy method and system based on openSSL transformation - Google Patents


Info

Publication number
CN115225311B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210551739.6A
Other languages
Chinese (zh)
Other versions
CN115225311A (en)
Inventor
程国振
刘文彦
刘付哲
周大成
范学云
何威振
王亚文
商珂
冯志峰
郭义伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention belongs to the technical field of network security and in particular relates to a mimic bracket ciphertext proxy method and system based on a modified openSSL library. For a client's network request, the service agent adds a session negotiation identifier to a protocol field of the request; this identifier guarantees that the handshake parameters are consistent between the client and the service agent and between the service agent and the online executors. The service agent encrypts the data related to the network request with an encryption algorithm and sends the encrypted data to at least three online executors; each online executor parses the network request data, obtains the encryption-related parameters, encrypts the network request data with the parameters obtained, and returns the processed data to the service agent; the service agent arbitrates the responses returned by the online executors and, according to the arbitration result, determines the response data finally sent to the client. The invention uses the input agent and the multimode voter of mimic defense to achieve network security, which makes it convenient for practical application.

Description

Pseudo bracket ciphertext proxy method and system based on openSSL transformation
Technical Field
The invention belongs to the technical field of network security and in particular relates to a mimic bracket (also rendered as "simulated bracket" or "pseudo bracket") ciphertext proxy method and system based on a modified openSSL library.
Background
The present era is one of networking, informatization and digitalization: network information acts as a strategic resource, cyberspace has become the fourth domain after a nation's land, sea and air territory, and cyberspace security has become an important component of national security for every country. To reduce development effort, many basic components are commonly chosen, such as the openSSL library for encryption and log4j for logging; once such a component has a fatal vulnerability, the result is a devastating network security event that may cause significant economic loss and damage to national security.
Disclosure of Invention
The invention provides a mimic bracket ciphertext proxy method and system based on a modified openSSL library, which uses the mimic bracket of mimic defense as the key component for distributing user input and arbitrating output, and guarantees network security during the use of basic components through an input agent and a multimode voter.
According to the design scheme provided by the invention, the mimic bracket ciphertext proxy method based on the modified openSSL library comprises the following contents:
step 1, for a client's network request, the service agent adds a session negotiation identifier to a protocol field of the network request, which guarantees that the handshake parameters are consistent between the client and the service agent and between the service agent and each online executor; the session negotiation identifier comprises at least a data transfer-coding identifier;
step 2, the service agent encrypts the data related to the network request with an encryption algorithm and sends the encrypted data to at least three online executors;
step 3, each online executor parses the network request data, obtains the encryption-related parameters, encrypts the network request data with the parameters obtained, and returns the processed data to the service agent;
and step 4, the service agent arbitrates the responses returned by the online executors and, according to the arbitration result, determines the response data finally sent to the client.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, the following is further performed before step 1 is executed: for a client handshake request, the service agent parses and screens the handshake information, encrypts it and sends it to the online executors, where each online executor is a heterogeneous executor selected by the service agent from a heterogeneous executor pool; the online executor decrypts the handshake information with its private key and negotiates on that basis.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, for a client network request, the invention screens out the handshake protocol information in the network request and adds a handshake identifier to a handshake protocol field.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, the service agent further encrypts the data related to the network request with an asymmetric encryption algorithm, and the executor applies the encryption flow to the network request data according to the transfer-coding identifier obtained by parsing.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, the heterogeneous redundant executor pool stores N executors that are composed of different processors and/or different operating systems and/or different execution algorithms and implement the same function, where N is an integer greater than 3.
In the invention, when each online executor parses and encrypts the network protocol request data, it first parses the network request data with its private key, extracts the network response data and splits it; the header field of the message in the response data is then sent in plaintext, and the data field of the message in the response data is encrypted according to the transfer-coding identifier.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, further, when the online executor parses the saved protocol request data, it first extracts the transfer-coding identifier from the parsed data and then assigns the extracted identifier to the corresponding structure of that online executor for caching.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, further, when the online executor encrypts the data field according to the transfer-coding identifier: if the content_length transfer coding format is used, the value of the Content-Length HTTP header field is modified; if the chunked transfer coding format is used, chunk tag values are added to and/or removed from the ciphertext.
In the mimic bracket ciphertext proxy method based on the modified openSSL library, the service agent further arbitrates the responses returned by the online executors by majority voting, in which the minority obeys the majority.
Further, the invention also provides a mimic bracket ciphertext proxy system based on the modified openSSL library, used as a forwarding proxy in the data interaction between a client and a data side, which comprises: a service agent unit for forwarding the interaction data, and a heterogeneous redundant executor pool connected to the service agent unit, from which the service agent unit selects online executors so that mimic security protection of the interaction data is realized by the online executors. The service agent unit comprises: a message transceiver module for receiving client requests and distributing the request-related data to the online executors; a handshake protocol processing module for modifying handshake protocol fields so that the encryption-related parameters are consistent between the client and the service agent and between the service agent and each online executor; an identifier processing module for adding a handshake identifier to a network request field so that the handshake parameters are consistent between the client and the service agent and between the service agent and each online executor; and a long-connection processing module for caching the encryption-related parameters and handshake parameters under the keep-alive mechanism, so that the communication link keeps operating normally when one of the client, the service agent and an online executor disconnects.
The invention has the following beneficial effects:
Against the vulnerabilities that basic components may acquire during development, the mimic bracket is introduced into the service agent unit of the data interaction: the input agent and the multimode voter of the mimic defense architecture serve as the key components for distributing user input and arbitrating output, the OpenSSL library is modified so that the mimic bracket can arbitrate on the basis of ciphertext, the ciphertext proxy carries out the service agent's work for both the client side and the server side, and abnormal states of the basic components during data interaction are detected in the ciphertext proxy through the heterogeneous executors. This improves the security of network data and gives the method good application prospects.
Description of the drawings:
FIG. 1 is a schematic diagram of the network model in an embodiment;
FIG. 2 is a first schematic flow diagram of the ciphertext proxy in an embodiment;
FIG. 3 is a second schematic flow diagram of the ciphertext proxy in an embodiment;
FIG. 4 is a schematic block diagram of the ciphertext proxy system in an embodiment;
FIG. 5 is a first schematic diagram of the session flow during data interaction in an embodiment;
FIG. 6 is a second schematic diagram of the session flow during data interaction in an embodiment.
The specific embodiments are as follows:
To make the objects, technical schemes and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and the technical scheme.
The network model shown in fig. 1 mainly comprises an IP protocol layer, a TCP protocol layer, an SSL record protocol layer and an application layer that processes network data segments. When transmitting data, the sending end divides a data segment into packets, divides each packet into frames and transmits the frames to the peer; the receiving end reassembles the frames into packets and parses the packets back into a data segment for use by the upper layer, with the IP protocol ensuring that frames can be carried from the source host to the destination host. Because unknown vulnerabilities and the like may exist in each network base component from its development, data in network transmission is exposed to potential security hazards. For this reason, referring to fig. 2, the embodiment of the present invention provides a mimic bracket ciphertext proxy method based on a modified openSSL library, which comprises the following contents:
step 1, for a client's network request, the service agent adds a session negotiation identifier to a protocol field of the network request, which guarantees that the handshake parameters are consistent between the client and the service agent and between the service agent and each online executor; the session negotiation identifier comprises at least a data transfer-coding identifier;
step 2, the service agent encrypts the data related to the network request with an encryption algorithm and sends the encrypted data to at least three online executors;
step 3, each online executor parses the network request data, obtains the encryption-related parameters, encrypts the network request data with the parameters obtained, and returns the processed data to the service agent;
and step 4, the service agent arbitrates the responses returned by the online executors and, according to the arbitration result, determines the response data finally sent to the client.
Mimic defense technology copes with known and unknown vulnerabilities and backdoor threats in cyberspace: building on diversification, it applies dynamics, heterogeneity, randomness and similar properties in the Dynamic Heterogeneous Redundancy (DHR) architecture so that the system gains an endogenous security mechanism that raises its security. In the embodiment of the present disclosure, against vulnerabilities that may exist in basic components, the mimic bracket (meaning the input agent and the multimode voter of the DHR architecture) is used as the key component for distributing user input and arbitrating output, which solves the security problem of the data exchanged between the brackets and effectively prevents unknown vulnerabilities of basic components from being triggered.
Further, the heterogeneous redundant executor pool stores N executors, which are composed of different processors and/or different operating systems and/or different execution algorithms and implement the same function, where N is an integer greater than 3. For each request, a heterogeneous executor implements the function corresponding to the service request through its own processor and/or embedded algorithm. In this embodiment, the heterogeneity of the executors can be divided into hardware heterogeneity, operating system heterogeneity, software heterogeneity and so on: hardware heterogeneity means different hardware is used, operating system heterogeneity means different operating systems, and software heterogeneity means different algorithms implementing the same logic. For example, for a web page access request from a user Zhang San, executor 1 interacting with the client through the service agent may be a Java program running on Linux, executor 2 may be a C program running on the Kylin system, and executor 3 may be a Python program on Windows; these three heterogeneous online executors each respond to the request forwarded by the service agent.
Further, before step 1 is performed, the following is also performed: for a client handshake request, the service agent parses and screens the handshake information, encrypts it and sends it to the online executors, where each online executor is a heterogeneous executor selected by the service agent from the heterogeneous executor pool; the online executor decrypts the handshake information with its private key and negotiates on that basis. Further, for a client network request, the handshake protocol information in the network request is screened out and a handshake identifier is added to a handshake protocol field. The service agent may encrypt the data related to the network request with an asymmetric encryption algorithm, and the executor applies the encryption flow to the network request data according to the transfer-coding identifier obtained by parsing. When parsing and encrypting the network protocol request data, each online executor first parses the network request data with its private key, extracts the network response data from it and splits that response data; the header field of the message in the response data is then sent in plaintext, and the data field of the message in the response data is encrypted according to the transfer-coding identifier. Further, when the online executor parses the saved protocol request data, it first extracts the transfer-coding identifier from the parsed data and then assigns the extracted identifier to the corresponding structure of that online executor for caching.
Further, when the online executor encrypts the data field according to the transfer-coding identifier: if the transfer coding format is content_length, the value of the Content-Length HTTP header field is modified; if the transfer coding format is chunked, chunk tag values are added to and/or removed from the ciphertext. Further, the service agent arbitrates the responses returned by the online executors by majority voting, in which the minority obeys the majority. The processing of the service agent may proceed as shown in fig. 3:
S501: the service agent unit receives the handshake request sent by the client, parses it and screens out the information related to the handshake stage, then encrypts that information with an asymmetric algorithm and sends it to at least three executor units.
S502: each executor unit decrypts with its private key to obtain the handshake information, which guarantees that the handshake information is consistent across the client, the service agent unit and the executor unit;
S503: the service agent unit receives a request from the client, adds the Base64-encoded marker value and related parameters to the HTTP header, and then sends the request to the executor units encrypted with the session key.
S504: the executor unit receives the request sent by the service agent, first parses the marker value in the header, takes out the data and assigns it to the corresponding structure, so that the ciphertext does not become undecryptable when one segment of a long connection disconnects.
S505: the executor unit returns the response data; the HTTP header is not encrypted, only its relevant parameters are modified, and the body is processed at the openSSL layer according to the transfer coding format of the data.
S506: the service agent unit receives the response data of the executor; the header part is passed directly to the upper layer for processing, and the body part is processed according to the transfer coding format and then handed to the arbitration module.
S507: after the service agent has arbitrated, the response data is returned to the client: the header part is encrypted and transmitted separately, and the body part is transmitted ciphertext block by ciphertext block, following the principle that a ciphertext block is never split.
After receiving the client's handshake request, the service agent screens out the relevant information, encrypts it with an asymmetric algorithm and sends it to the executor units, which guarantees that the handshake information is consistent across the client, the service agent unit and the executor units; next, the service agent adds a marker value and encryption-related parameters to the HTTP header of the user's request message, and the executor side parses them to obtain the related parameters, so that the ciphertext does not become undecryptable when one segment of a long connection disconnects; finally, the executor leaves the HTTP header unencrypted, modifies only its relevant parameters, and processes the body at the OpenSSL layer according to the transfer format of the response data, which guarantees that the body ciphertexts of the several executors are consistent and therefore satisfy the mimic arbitration rule. In summary, the scheme of the embodiment of the present disclosure modifies the OpenSSL library so that the brackets can arbitrate on the basis of ciphertext, and improves the security of the mimic system and of the basic components in the network.
Further, based on the above method, the embodiment of the present invention also provides a mimic bracket ciphertext proxy system based on the modified openSSL library, used as a forwarding proxy in the data interaction between a client and a data side, which comprises: a service agent unit for forwarding the interaction data, and a heterogeneous redundant executor pool connected to the service agent unit, from which the service agent unit selects online executors so that mimic security protection of the interaction data is realized by the online executors. The service agent unit comprises: a message transceiver module for receiving client requests and distributing the request-related data to the online executors; a handshake protocol processing module for modifying handshake protocol fields so that the encryption-related parameters are consistent between the client and the service agent and between the service agent and each online executor; an identifier processing module for adding a handshake identifier to a network request field so that the handshake parameters are consistent between the client and the service agent and between the service agent and each online executor; and a long-connection processing module for caching the encryption-related parameters and handshake parameters under the keep-alive mechanism, so that the communication link keeps operating normally when one of the client, the service agent and an online executor disconnects.
Referring to fig. 4, the service agent unit distributes the request sent by the client to at least three executors, processes and arbitrates the response message of each executor, and sends the processed response message ciphertext to the client. While processing the transmitted data, each executor likewise uses its own message transceiver module, handshake protocol processing module and identifier processing module to receive and parse the request forwarded by the service agent, and sends the plaintext header part and the encrypted body part of the response message to the service agent unit. By modifying the handshake protocol, the service agent unit ensures that the encryption-related information computed in the handshake negotiation between the client and the service agent (session key, encryption algorithm, IV value and so on) is forwarded to the upstream link, so that this encryption-related information stays consistent across the client, the service agent and the executors. The executor splits the HTTP response data: the header part is sent directly as plaintext, and the body part goes through the encryption flow appropriate to its transfer coding format. After the ciphertext has been processed according to the transfer coding format it is handed to the mimic arbitration module, which skips the header part; under the content_length transfer coding format the value of the Content-Length HTTP header field is modified, and under the chunked transfer coding format the chunk tag values are added and removed.
After arbitration completes, the service agent sends the response data to the client: it encrypts the plaintext header and, for the body, sends the ciphertext blocks directly as the body's ciphertext part, following the principle that a ciphertext block is never cut, so that no further encryption or decryption is performed.
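The executor-side and agent-side processing of steps 3 and 4 (S503 to S507 above), as an added Python example that is not code from the patent: an executor keeps the HTTP header in plaintext, encrypts the body and repairs its framing (rewriting Content-Length, or stripping and re-adding chunk tags), and the service agent majority-votes over the (header, body ciphertext) pairs and forwards the winning body in whole cipher blocks. The header name X-Mimic-Session, the sample key, IV, request and response are constructed for this demonstration, and the HMAC-based block cipher is a stand-in for the session cipher that the handshake would establish.

```python
import base64
import hashlib
import hmac
import json
from collections import Counter

BLOCK = 16   # cipher block size: the agent forwards body ciphertext only in whole blocks
CHUNK = 32   # chunk size used when re-adding chunk tags (a whole number of cipher blocks)
MARKER = "X-Mimic-Session"   # hypothetical header carrying the Base64 session marker


def block_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the session cipher fixed in the handshake: each block is
    XORed with HMAC-SHA256(key, iv || offset). Deterministic, so executors with the same
    parameters emit identical ciphertext (what the voter relies on); symmetric; demo only."""
    assert len(data) % BLOCK == 0
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7 padding to whole cipher blocks
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def add_session_marker(headers: dict, coding: str, iv: bytes) -> dict:
    """Service agent (S503): Base64 marker carrying the transfer coding and handshake IV."""
    out = dict(headers)
    out[MARKER] = base64.b64encode(json.dumps({"coding": coding, "iv": iv.hex()}).encode()).decode()
    return out


def read_session_marker(headers: dict) -> dict:
    """Executor (S504): extract the marker and cache it in the executor's session structure."""
    params = json.loads(base64.b64decode(headers[MARKER]))
    return {"coding": params["coding"], "iv": bytes.fromhex(params["iv"])}


def dechunk(body: bytes) -> bytes:
    """Remove chunked framing (hex size CRLF data CRLF ... 0 CRLF CRLF)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def rechunk(data: bytes) -> bytes:
    """Re-add chunk tags around the ciphertext; every chunk boundary is a block boundary."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"


def executor_response(headers: dict, body: bytes, key: bytes, session: dict) -> tuple:
    """Executor (S505): header stays plaintext, body is encrypted, framing field fixed up."""
    hdr = dict(headers)
    plain = dechunk(body) if session["coding"] == "chunked" else body
    cipher = block_cipher(key, session["iv"], pad(plain))
    if session["coding"] == "chunked":
        hdr["Transfer-Encoding"] = "chunked"
        return hdr, rechunk(cipher)             # chunk tags removed above, re-added here
    hdr["Content-Length"] = str(len(cipher))     # padding changed the body length
    return hdr, cipher


def agent_vote(responses: list):
    """Service agent (S506): majority vote over (header, body ciphertext) pairs; None if no majority."""
    counts = Counter((tuple(sorted(h.items())), b) for h, b in responses)
    (winner, n), = counts.most_common(1)
    if n * 2 <= len(responses):
        return None
    return dict(winner[0]), winner[1]


def forward_blocks(cipher: bytes) -> list:
    """Service agent (S507): body ciphertext leaves in whole cipher blocks, never split."""
    if len(cipher) % BLOCK:
        raise ValueError("ciphertext is not block aligned")
    return [cipher[i:i + BLOCK] for i in range(0, len(cipher), BLOCK)]


def client_decrypt(cipher: bytes, key: bytes, iv: bytes) -> bytes:
    return unpad(block_cipher(key, iv, cipher))


def run_demo() -> tuple:
    """Three consistent executors plus one faulty executor that leaks the body in plaintext."""
    key, iv = b"K" * 32, b"\x01" * 8          # constructed stand-ins for the handshake output
    session = read_session_marker(add_session_marker({"Host": "app.example"}, "content_length", iv))
    plain = b'{"user":"zhangsan","balance":42}'
    good = [executor_response({"Content-Type": "application/json"}, plain, key, session)
            for _ in range(3)]
    bad = ({"Content-Type": "application/json", "Content-Length": "32"}, plain)
    hdr, body = agent_vote(good + [bad])        # the leaking executor is outvoted
    return hdr, body, client_decrypt(body, key, iv)
```

A real deployment would use the negotiated AEAD cipher in place of block_cipher; the voting then still works only because every executor is fed the same key, IV and transfer-coding marker, which is exactly what the session marker and handshake forwarding are for.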
Referring to fig. 5, when users access internet services, most do not reach the server directly but first send the request to a reverse proxy, which forwards it to the server to realize the service access; the reverse proxy hides the existence and characteristics of the origin server and thus acts as an intermediate layer between the user and the web server. Depending on application requirements, policies such as routing and load balancing can further be configured in the reverse proxy. For security, in this embodiment, referring to fig. 6, the online executor corresponds to the destination server in the illustration; by modifying the handshake protocol, it is ensured that the encryption-related information (parameters such as the session key, the encryption algorithm and the IV value) computed in the handshake negotiation between the client and the service agent is forwarded to the upstream link, so that the encryption information stays consistent across the client, the service agent and the executor in both the handshake and the data-sending stages.
First, in the handshake stage, the client sends a data interaction request containing a handshake request to the nginx reverse proxy service, and the reverse proxy service returns the server's response to the handshake request together with the server certificate; the client performs CA verification of the server certificate, generates a session key from a pseudo-random number, encrypts the session key with the public key in the certificate, and sends the public key and the encrypted session key ciphertext to the reverse proxy service; the reverse proxy service decrypts the ciphertext with the private key to obtain the session key plaintext and returns the decrypted session key plaintext to the client; after the client has verified its correctness, the reverse proxy service encrypts the session key and related information for the downstream handshake with the asymmetric key and sends the resulting ciphertext to the destination server; the destination server returns the encrypted session key ciphertext, whose correctness is verified through the reverse proxy service, which completes the handshake flow between the client and the destination server. Then, after the handshake completes, the client sends the encrypted request ciphertext to the service proxy service; the service proxy service decrypts and re-encrypts it and passes the HTTP request ciphertext to the destination server; the destination server returns to the service proxy service the HTTP header plaintext and the ciphertext produced by encrypting the HTTP body of the response data with the session key; and the service proxy service decrypts the HTTP header part of the response data and returns it, together with the body ciphertext that was encrypted upstream, to the client using the session key, which completes the data interaction between the client and the destination server.
The relative arrangement, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Any particular values in all examples shown and described herein are to be construed as merely illustrative and not a limitation, and thus other examples of exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (6)

1. A pseudo-bracket ciphertext proxy method based on openSSL transformation, characterized by comprising the following steps:
step 1, for a client network request, the service agent adds, in a protocol field of the network request, a session negotiation identification used to ensure consistency of the handshake parameters between the user terminal and the service agent and between the service agent and each online executive body, wherein the session negotiation identification at least comprises a data transmission coding mark; and before step 1 is executed, the following steps are also executed: for a user-side handshake request, the service agent parses and screens the handshake information, encrypts the handshake information and sends it to an online executive body, wherein the online executive body is a heterogeneous executive body selected by the service agent from a heterogeneous executive body pool; the online executive body decrypts the handshake information with its private key and negotiates on it;
step 2, the service agent encrypts the data related to the network request with an encryption algorithm and sends the encrypted data to at least three online executive bodies; the service agent encrypts the data related to the network request using an asymmetric encryption algorithm;
step 3, each online executive body respectively parses the network request related data, obtains the encryption-related parameters, encrypts the network request related data using the obtained parameters, and feeds the processed data back to the service agent; the executive body carries out the encryption flow on the network request related data according to the transmission coding identification obtained by parsing; in the parsing and encryption processing of network protocol request data by each online executive body, the network request related data is first parsed with the private key, the network response data is extracted from it and divided, the header field of the message in the response data is then transmitted in plaintext, and the data field of the message in the response data is encrypted according to the transmission coding identifier; while the online executive body parses the network protocol request data, the transmission coding identification in the parsed data is extracted and assigned to the corresponding structure of each online executive body for caching;
step 4, the service agent arbitrates the responses fed back by each online executive body, and determines the response data finally sent to the user terminal according to the arbitration result.
2. The pseudo-bracket ciphertext proxy method based on openSSL transformation according to claim 1, wherein, for a client network request, the handshake protocol information in the network request is screened out and a handshake identification is added in a handshake protocol field.
3. The pseudo-bracket ciphertext proxy method based on openSSL transformation according to claim 1 or 2, wherein N executive bodies are stored in a heterogeneous redundant executive body pool, the N executive bodies are composed of different processors and/or different operating systems and/or different execution algorithms and realize the same function, and N is an integer greater than 3.
4. The method according to claim 1, wherein, in the encryption processing of the data field by the online executive body according to the transmission coding identifier, the value of the HTTP header field content_length is modified if the content_length transmission coding format is used, and ciphertext is added and/or deleted by the hash tag value tag if the content_length transmission coding format is used.
5. The pseudo-bracket ciphertext proxy method based on openSSL transformation according to claim 1, wherein the service agent arbitrates the responses fed back by the online executive bodies using a majority arbitration rule in which the minority follows the majority.
6. A pseudo-bracket ciphertext proxy system based on openSSL transformation, used as a forwarding proxy in the data interaction between a user side and a data side, characterized in that the system is realized based on the method of claim 1 and comprises: a service agent unit for forwarding the interactive data, and a heterogeneous redundant executive body pool connected to the service agent unit, from which the service agent unit selects online executive bodies so as to realize mimicry security protection of the interactive data using the online executive bodies, wherein the service agent unit comprises: a message transceiver module for receiving user terminal requests and distributing request-related data to the online executive bodies; a handshake protocol processing module for modifying handshake protocol fields to ensure consistency of the encryption-related parameters between the user terminal and the service agent and between the service agent and each online executive body; an identification processing module for adding a handshake identification in a network request field to ensure consistency of the handshake parameters between the user terminal and the service agent and between the service agent and each online executive body; and a long-connection processing module for caching the encryption-related parameters and handshake parameters under a keep-alive mechanism, so that the communication link keeps operating normally when one of the user terminal, the service agent and the online executive body is disconnected.
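As an added example, not code from the patent, the following Python shows the service agent's majority arbitration of claim 1 step 4 and claim 5 over the header-plaintext/body-ciphertext responses described in the embodiment above, including the Content-Length fix-up of claim 4 for the content_length transmission coding case. The ExecutorResponse structure, the executor labels and the sample responses are constructed assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecutorResponse:
    """What one online executor feeds back (structure is an assumption of this example)."""
    executor_id: str   # constructed label for the executor
    header: bytes      # header field of the response message, kept in plaintext
    body_ct: bytes     # data field of the response message, encrypted with the session key


def fix_content_length(header: bytes, body_ct_len: int) -> bytes:
    """content_length coding case: rewrite Content-Length to the ciphertext length, nothing else."""
    out = []
    for line in header.split(b"\r\n"):
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            out.append(b"Content-Length: " + str(body_ct_len).encode())
        else:
            out.append(line)
    return b"\r\n".join(out)


def arbitrate(responses, min_executors=3):
    """Majority arbitration ('minority follows majority') over executor feedback.
    Returns (winning_response, dissenting_executor_ids). Raises ValueError when fewer
    than min_executors replied or no strict majority exists, so the service agent
    never forwards data that a majority of executors did not agree on.
    """
    if len(responses) < min_executors:
        raise ValueError(f"need at least {min_executors} responses, got {len(responses)}")
    # Vote on the (header, body ciphertext) pair after normalising Content-Length,
    # so a stale length header alone cannot split the vote.
    keyed = [(fix_content_length(r.header, len(r.body_ct)), r.body_ct, r) for r in responses]
    votes = Counter((h, b) for h, b, _ in keyed)
    [(winner_key, count)] = votes.most_common(1)
    if count * 2 <= len(responses):
        raise ValueError("no majority among executor responses")
    dissenters = [r.executor_id for h, b, r in keyed if (h, b) != winner_key]
    return ExecutorResponse("majority", winner_key[0], winner_key[1]), dissenters


if __name__ == "__main__":
    # Constructed sample: two executors agree, the third returns a divergent body ciphertext.
    hdr = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Type: text/plain\r\n\r\n"
    winner, dissenters = arbitrate([ExecutorResponse("exec-a", hdr, bytes(range(8))),
                                    ExecutorResponse("exec-b", hdr, bytes(range(8))),
                                    ExecutorResponse("exec-c", hdr, b"\xff" * 8)])
    print(winner.header.decode(), dissenters)  # Content-Length: 8 ... ['exec-c']
```

The dissenter list is what a service agent would hand to executor scheduling so a divergent executor can be taken offline and replaced from the pool.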
CN202210551739.6A 2022-05-20 2022-05-20 Pseudo bracket ciphertext proxy method and system based on openSSL transformation Active CN115225311B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210551739.6A CN115225311B (en) 2022-05-20 2022-05-20 Pseudo bracket ciphertext proxy method and system based on openSSL transformation

Publications (2)

Publication Number Publication Date
CN115225311A CN115225311A (en) 2022-10-21
CN115225311B true CN115225311B (en) 2023-07-21

Family

ID=83608557

Country Status (1)

Country Link
CN (1) CN115225311B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9189627B1 (en) * 2013-11-21 2015-11-17 Fireeye, Inc. System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection
CN110750802A (en) * 2019-10-14 2020-02-04 创元网络技术股份有限公司 Framework for protecting key data based on mimicry defense
CN111740964A (en) * 2020-06-04 2020-10-02 河南信大网御科技有限公司 Remote synchronous communication method, mimicry virtual terminal, heterogeneous executive body and medium
CN112152799A (en) * 2020-08-31 2020-12-29 中国人民解放军战略支援部队信息工程大学 Secret source normalization mechanism for multimode executive encryption application
CN112702205A (en) * 2020-12-24 2021-04-23 中国人民解放军战略支援部队信息工程大学 Method and system for monitoring status of executive under mimicry DHR architecture
CN113285917A (en) * 2021-04-07 2021-08-20 中国人民解放军战略支援部队信息工程大学 Method, equipment and architecture for protecting endogenous security boundary of industrial network
WO2021169080A1 (en) * 2020-02-27 2021-09-02 南京红阵网络安全技术研究院有限公司 Mimicry defense decision method and system based on partial homomorphic encryption algorithm
WO2021248740A1 (en) * 2020-06-10 2021-12-16 网络通信与安全紫金山实验室 Mimic router execution entity scheduling method, and mimic router
CN113904805A (en) * 2021-09-06 2022-01-07 河南信大网御科技有限公司 Mimicry communication method and system based on authentication unloading

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Security Analysis of Dynamic SDN Architectures Based on Game Theory; Chao Qi et al.; WILEY; full text *
Research on cyberspace mimic defense; 邬江兴; Journal of Cyber Security (No. 4); full text *

Also Published As

Publication number Publication date
CN115225311A (en) 2022-10-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant