CN115567208A

CN115567208A - Fine-grained transparent encryption and decryption method and system for network session data stream

Info

Publication number: CN115567208A
Application number: CN202211198397.0A
Authority: CN
Inventors: 罗俊
Original assignee: China Telecom Quantum Technology Co ltd
Current assignee: China Telecom Quantum Technology Co ltd
Priority date: 2022-09-29
Filing date: 2022-09-29
Publication date: 2023-01-03
Anticipated expiration: 2042-09-29
Also published as: CN115567208B

Abstract

The invention discloses a fine-grained transparent encryption and decryption method and a fine-grained transparent encryption and decryption system for a network session data flow, which comprises the steps of matching an outbound network session data message with a data flow table according to quintuple information of the outbound network session data message, and if the matching is successful, processing the network session data message based on the data flow table and then sending the network session data message to a receiver; if the matching is not successful, extracting quintuple information from the network session data message, generating a data flow table request message and sending the data flow table request message to the control platform, so that the control platform generates a data flow table distribution message and distributes each encryption gateway in the same security domain based on the data flow table request message and the security policy; distributing information based on the data flow table, and acquiring a newly-built data flow table to obtain new data flow table information; and processing the network session data message according to the new data flow table information and then sending the network session data message to a receiver. The invention realizes transparent encryption and decryption of data, and is suitable for scenes of centralized security policy management and key distribution of the encryption gateway and the network session data stream protected by the encryption gateway.

Description

Fine-grained transparent encryption and decryption method and system for network session data stream

Technical Field

The invention relates to the technical field of password application, in particular to a fine-grained transparent encryption and decryption method and system for a network session data stream.

Background

The concept of network session generally refers to a quintuple of a network data packet, i.e., a network connection uniquely determined by source and destination IP addresses, protocol numbers, and source and destination transport layer port numbers, and a network session data stream is a network data stream uniquely determined by the quintuple of the network session. The network session and the network session data stream have a certain life cycle, exist during the existence of the user network service associated with the session, and are closed or destroyed after the associated user network service is terminated.

At present, the local area network interconnection and intercommunication of each branch organization is carried out by establishing a secure encryption channel through encryption gateways such as VPN equipment, different encryption gateways in the same secure domain issue digital certificates from the same certificate authority, and then key exchange protocols such as IKE and the like can be adopted to automatically negotiate session keys used for data communication so as to carry out data encryption communication, and the mode has the following problems:

(1) The encryption gateways can independently perform key negotiation based on digital certificates, the central control force is low, communication control can be performed only through means such as access control strategy issuing, and forced access control cannot be achieved.

(3) A communication channel capable of directly performing key agreement is required, which makes it more difficult to implement complex network environments such as NAT, and particularly, in the case where gateways at both ends of communication need to perform NAT before surfing the internet.

(4) The negotiation process is complex and has certain calculation and communication cost, so the generated session key is generally used for a period of time, and cannot be one-time pad from the security aspect.

(5) The key negotiation process is based on the asymmetric key pair and the digital certificate, the public key used for encrypting and transmitting the session key material is public, and if the computing capability of the quantum computer is improved, the possibility of being decoded exists, so that the session key to be transmitted is decoded and stolen.

In the related art, chinese patent application publication No. CN114338019a describes a network communication method, system, apparatus and storage medium based on quantum key distribution, and the method includes: a terminal agent on user equipment sends a dynamic port request to a gateway; the gateway sends a quantum random number request to a quantum key distribution server based on the dynamic port request; the quantum key distribution server generates a pair of quantum random numbers based on the quantum random number request, and sends one quantum random number to the terminal agent and the other quantum random number to the gateway so as to trigger the terminal agent and the gateway to determine the same dynamic port number based on the quantum random numbers; and the terminal proxy and the gateway perform data communication on the port corresponding to the dynamic port number to acquire target data resources. The scheme is mainly characterized in that: (1) Generating a dynamic port of a user terminal access gateway based on the quantum random number; (2) And protecting the communication between the user terminal and the gateway based on the prestored quantum key and one-packet-one-secret encryption.

The chinese patent publication No. CN107566115a describes a key configuration method, where a session management network element receives a request for end-to-end communication and obtains a security policy, and the security policy is determined according to at least one of a user security requirement of the user equipment, a service security requirement from the user equipment, a security capability requirement supported by the user equipment, a security capability requirement from an operator network, and a security requirement of another end device of the end-to-end communication, which are preset in a home subscriber server. And the session management network element acquires a protection key for protecting the end-to-end communication, wherein the protection key is determined according to the security policy and a shared key between the user equipment and the operator network. The session management network element sends security policies and/or protection keys to devices at both ends of the end-to-end communication.

Disclosure of Invention

The technical problem to be solved by the invention is how to realize transparent encryption and decryption of the network session data stream.

The invention solves the technical problems through the following technical means:

in a first aspect, the present invention provides a fine-grained transparent encryption and decryption method for a network session data stream, where the method is applied to an encryption gateway, a master key pool is established in the encryption gateway, and a master key corresponding to a security domain where the encryption gateway is located is stored in the master key pool, and the method includes the following steps:

matching a data flow table to an outbound network session data message according to quintuple information of the outbound network session data message, wherein the structure of the data flow table comprises quintuple information, a processing strategy, an encryption offset, an encryption algorithm and a session key;

if the matching is successful, processing the network session data message based on a processing strategy corresponding to the data flow table and then sending the network session data message to a receiver;

if the matching is not successful, extracting quintuple information from the network session data message, and generating a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool and the ID of the security domain where the master key is located;

sending the data flow table request message to a control platform, so that the control platform generates a data flow table distribution message and distributes each encryption gateway in the same security domain based on the data flow table request message and a security policy;

acquiring a newly-built data flow table based on the data flow table distribution message, and filling the content of the newly-built data flow table into the data flow table of the equipment to obtain new data flow table information;

and processing the network session data message according to the new data flow table information and then sending the network session data message to the receiver.

According to a flow table generated by a management and control platform based on a security policy and actual quintuple information, an encryption gateway uses a session key distributed online in real time to encrypt and decrypt a data flow, and transparently encrypts and decrypts a unicast data message, so that no additional data and service data flow is increased, no message header is added, and good network adaptability is achieved; the method for distributing session keys on line in a centralized manner is combined with a fine-grained security policy to realize software-defined quantum key distribution, and is suitable for scenes of centralized security policy management and key distribution of encryption gateways in a security domain and network session data streams protected by the encryption gateways.

Further, the processing policy includes explicit, discard, and blind, and if the matching is successful, the processing policy corresponding to the data flow table is used to process the network session data packet and send the network session data packet to the receiving party, including:

if the processing strategy matched with the data flow table is secret communication, the part of the network session data message after the encryption offset is subjected to the transparent encryption processing with the unchanged length by adopting the session key and the encryption algorithm corresponding to the data flow table, and then the part is sent to the receiver;

if the processing strategy matched with the data flow table is clear, directly forwarding the network session data to the receiver;

and if the processing strategy matched with the data flow table is discarding, directly discarding the network session data message.

Further, after generating a data flow table request message based on the quintuple information, the master key ID randomly taken out from the master key pool, and the security domain ID where the master key ID is located, the method further includes:

and taking out the master key corresponding to the master key ID from the master key pool, performing HMAC operation on the quintuple information in the data flow table request message by using the master key, and then sending the result to the management and control platform.

Further, the obtaining of the new data flow table based on the data flow table distribution message includes:

selecting a master key corresponding to the ID of the master key from the master key pool, and decrypting and integrity checking the data flow table distribution message by using the master key;

and when the verification is passed, filling the newly-built data flow table obtained by decryption into the data flow table of the equipment.

Further, the method further comprises:

setting timeout time for the table entry in the data flow table;

and when the table entry in the data flow table is not accessed within the timeout time, deleting the table entry.

Further, before the processing policy corresponding to the data flow table is used for processing the network session data packet and then sending the processed network session data packet to a receiver, the method further includes:

judging whether the network session data message contains a dynamic port protocol message or not;

if not, executing the processing strategy corresponding to the data flow table to process the network session data message and then sending the processed network session data message to a receiver;

if yes, analyzing the dynamic port protocol message, and extracting quintuple information corresponding to the dynamic port protocol;

and establishing a data flow table corresponding to the dynamic port protocol data based on the quintuple information corresponding to the dynamic port protocol.

Further, the method further comprises:

sending a registration request to the management and control platform to bind to corresponding security domains, wherein the security domains are divided by the management and control platform;

sending a key charging request to the management and control platform so that the management and control platform forwards the key charging request to the quantum key distribution network, wherein the quantum key distribution network stores security domain division information and encryption gateway information in each security domain;

the master key is filled into the safe storage media connected with the encryption gateways in an off-line mode through a key agent or a quantum network node, and the ID identifications of the master keys filled into the safe storage media connected with the encryption gateways in the same safe domain are the same;

reading a master key from the connected secure storage medium, establishing the master key pool.

In a second aspect, the present invention provides a fine-grained transparent encryption and decryption method for a network session data stream, where the method is applied to a management and control platform, and includes the following steps:

receiving a data flow table request message sent by an encryption gateway, wherein the data flow table request message carries information including quintuple information, a master key ID and a security domain ID of the encryption gateway;

matching a security policy table corresponding to the security domain ID according to the quintuple information;

if the security policy table is successfully matched, applying a quantum key from a quantum key distribution network as a session key, and establishing a first data flow table for the data flow determined by the quintuple information by combining the session key and the matched security policy;

if the matching of the security policy table is unsuccessful, establishing a second data flow table for the data flow determined by the quintuple information based on a default security policy;

and generating a data flow table distribution message based on the first data flow table or the second data flow table, and distributing the data flow table distribution message to each encryption gateway in the same security domain.

Further, the structure of the first data flow table includes five-tuple information, an encryption offset, an encryption algorithm, a session key, and a processing policy, and the processing policy is secure.

Further, the structure of the second data flow table includes five tuple information, encryption offset, encryption algorithm, session key, and processing policy, where the processing policy is clear or discarded, and the five tuple information, encryption offset, encryption algorithm, and session key are null.

Further, the content of each entry in the security policy table includes a source IP address, a destination IP address, a corresponding subnet mask or address prefix, or a source and destination IP address range, an ID and an IP address of an encryption gateway device associated with the security policy table, a protocol number, a port range, a processing policy, an encryption offset, an encryption algorithm, and a session key.

Further, the generating a data flow table distribution message based on the first data flow table or the second data flow table, and distributing the data flow table distribution message to each encryption gateway in the same security domain includes:

combining the first data flow table or the second data flow table with a master key ID and a security domain ID to form the data flow table distribution message;

and acquiring the security domain ID and a main key corresponding to the security domain ID from a quantum key distribution network, encrypting the data flow table distribution message by using the main key, performing HMAC operation, and distributing the data flow table distribution message to each encryption gateway in the same security domain.

Further, the method further comprises:

receiving a registration request sent by the encryption gateway to bind the encryption gateway to a corresponding security domain, wherein the security domains are partitioned by the management and control platform;

and receiving a key charging request sent by the encryption gateway, and forwarding the key charging request to a quantum key distribution network, so that the quantum key distribution network charges the main key to a secure storage medium connected to the encryption gateway in an off-line manner, the ID identifications of the main key charged in the secure storage medium connected to each encryption gateway in the same secure domain are the same, and the quantum key distribution network stores secure domain division information and encrypted gateway information in each secure domain.

In a third aspect, the present invention provides a network session data stream fine-grained transparent encryption and decryption gateway, where the gateway includes a data encryption and decryption processing module, a stream table management module, a stream table application module, and a key injection module, where the key injection module is connected to a secure storage medium, and the secure storage medium stores a master key pre-charged by a quantum key distribution network, where:

the key injection module is used for reading a master key from the connected secure storage medium and establishing a master key pool;

the flow table management module is used for matching a data flow table with outbound network session data messages according to quintuple information of the outbound network session data messages, and the structure of the data flow table comprises quintuple information, a processing strategy, an encryption offset, an encryption algorithm and a session key;

the data encryption and decryption processing module is used for processing the network session data message based on the processing strategy corresponding to the data flow table and then sending the processed network session data message to a receiver when the matching is successful;

the flow table application module is used for extracting quintuple information from the network session data message when the matching is not successful, and generating a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool and the ID of the security domain where the master key is located; sending the data flow table request message to a control platform, so that the control platform generates a data flow table distribution message based on the data flow table request message and distributes each encryption gateway in the same security domain;

the flow table management module is also used for acquiring a newly-built data flow table based on the data flow table distribution message, and filling the content of the newly-built data flow table into the data flow table of the equipment to obtain new data flow table information;

and the data encryption and decryption processing module is also used for processing the network session data message according to the new data flow table information and then sending the network session data message to the receiver.

In a fourth aspect, the present invention provides a management and control platform, including:

the system comprises a flow table request information receiving module, a data flow table processing module and a data processing module, wherein the flow table request information receiving module is used for receiving a data flow table request message sent by an encryption gateway, and the data flow table request message carries information including quintuple information, a master key ID and a security domain ID of the encryption gateway;

the security policy matching module is used for matching the security policy table corresponding to the security domain ID according to the quintuple information;

the first data flow table establishing module is used for applying a quantum key from a quantum key distribution network as a session key when the security policy table is successfully matched, and establishing a first data flow table for the data flow determined by the quintuple information by combining the session key and the matched security policy;

a second data flow table establishing module, configured to establish a second data flow table for the data flow determined by the quintuple information based on a default security policy when the security policy table is not successfully matched;

and the distribution module is used for generating a data flow table distribution message based on the first data flow table or the second data flow table and distributing the data flow table distribution message to each encryption gateway in the same security domain.

In a fifth aspect, the present invention provides a fine-grained transparent encryption and decryption system for a network session data stream, where the system includes a first encryption gateway, a second encryption gateway, a control platform, and a quantum key distribution network, where the first encryption gateway, the second encryption gateway, and the quantum key distribution network are all connected to the control platform, and the first encryption gateway and the second encryption gateway are all connected to the quantum key distribution network, where the first encryption gateway and the second encryption gateway each include a data encryption and decryption processing module, a flow table management module, a flow table application module, and a key injection module, the key injection module is connected to a secure storage medium, and the secure storage medium stores a master key that is pre-charged by the quantum key distribution network, where:

the management and control platform is used for performing security domain division and performing registration and identity binding services on the first encryption gateway and the second encryption gateway;

the quantum key distribution network is used for pre-charging a master key to the secure storage medium;

the flow table management module is used for matching a data flow table with an outbound network session data message according to quintuple information of the outbound network session data message, and the structure of the data flow table comprises quintuple information, a processing strategy, an encryption offset, an encryption algorithm and a session key;

the flow table application module is used for extracting quintuple information from the network session data message when the matching is not successful, and generating a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool and the ID of the security domain where the master key is located; sending the data flow table request message to a control platform so that the control platform generates a data flow table distribution message based on the data flow table request message and distributes each encryption gateway in the same security domain;

and the data encryption and decryption processing module is also used for processing the network session data message according to the new data flow table information and then sending the processed network session data message to the receiver.

The invention has the advantages that:

(1) According to a flow table generated by a management and control platform based on a security policy and actual quintuple information, an encryption gateway uses a session key distributed online in real time to encrypt and decrypt a data flow, and transparently encrypts and decrypts a unicast data message, so that no additional data and service data flow is increased, no message header is added, and good network adaptability is achieved; the method for distributing session keys on line in a centralized manner is combined with a fine-grained security policy to realize software-defined quantum key distribution, and is suitable for scenes of centralized security policy management and key distribution of encryption gateways in a security domain and network session data streams protected by the encryption gateways.

(2) The security policy defines a kind of data flow, the data flow table describes a specific data flow, the flow table is dynamically generated based on the static security policy and in combination with the information of the actual data flow, the encryption communication and the centralized access control of a software definition mode are realized, and the security and the expansibility are higher.

(3) The invention is different from the technology of carrying out key agreement based on public key cryptography, constructs a network data encryption scheme for intensively distributing session keys based on a quantum key distribution network and a software defined security policy mode, and realizes centralized, unified and strong control of network data encryption communication.

(4) The method solves the problem of security intercommunication under the condition that the encryption gateway does not directly interact the secret key and the security policy information, realizes the handshake-free network communication transparent encryption and decryption scheme which cannot be solved by the traditional asymmetric cipher and IPSec protocol, avoids the security risk in the handshake process and the modification of the data message structure, can obviously reduce the related interaction information of secret key management related to the encryption and decryption of network data, and enhances the network adaptability.

Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.

Drawings

Fig. 1 is a schematic flow chart of a fine-grained transparent encryption and decryption method for a network session data stream according to a first embodiment of the present invention;

fig. 2 is a schematic flow chart of a fine-grained transparent encryption and decryption method for a network session data stream according to a second embodiment of the present invention;

fig. 3 is a schematic structural diagram of a fine-grained transparent encryption and decryption gateway of a network session data stream according to a third embodiment of the present invention;

fig. 4 is a schematic structural diagram of a management and control platform according to a fourth embodiment of the present invention;

fig. 5 is a schematic structural diagram of a fine-grained transparent encryption and decryption system for network session data streams in a fifth embodiment of the present invention;

fig. 6 is a schematic workflow diagram of a fine-grained transparent encryption and decryption system for network session data flow in a sixth embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Example 1

As shown in fig. 1, a first embodiment of the present invention provides a fine-grained transparent encryption and decryption method for a network session data stream, where the method is applied to an encryption gateway, a master key pool is established in the encryption gateway, and a master key corresponding to a security domain where the encryption gateway is located is stored in the master key pool, and the method includes the following steps:

s101, matching a data flow table to an outbound network session data message according to quintuple information of the outbound network session data message, wherein the structure of the data flow table comprises quintuple information, a processing strategy, an encryption offset, an encryption algorithm and a session key, executing a step S102 when matching is successful, and executing a step S103 when matching is not successful;

s102, processing the network session data message based on a processing strategy corresponding to the data flow table and then sending the processed network session data message to a receiver;

s103, extracting quintuple information from the network session data message, and generating a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool and the ID of the security domain where the master key is located;

s104, sending the data flow table request message to a control platform so that the control platform generates a data flow table distribution message and distributes each encryption gateway in the same security domain based on the data flow table request message and a security policy;

s105, acquiring a newly-built data flow table based on the data flow table distribution message, and filling the content of the newly-built data flow table into the data flow table of the device to obtain new data flow table information;

and S106, processing the network session data message according to the new data flow table information and then sending the network session data message to the receiver.

In the embodiment, the encryption gateway uses the session key distributed online in real time to encrypt and decrypt the data stream according to the flow table generated by the management and control platform based on the security policy and the actual quintuple information, and transparently encrypts and decrypts the unicast data message, so that no additional data and service data flow is added, no message header is added, and good network adaptability is achieved; the method for distributing session keys on line in a centralized manner is combined with a fine-grained security policy to realize software-defined quantum key distribution, and is suitable for scenes of centralized security policy management and key distribution of encryption gateways in a security domain and network session data streams protected by the encryption gateways.

Compared with the scheme described in the publication number CN107566115a, the security policy actually used for encryption in this embodiment is dynamically generated based on the quintuple of the actual data stream in combination with the security policy of the management and control center, and the data stream determined by one quintuple has an encrypted security policy and a session key. The security policy of the management and control center aims at a type of data rather than a specific data flow; each security policy used to encrypt a particular data stream is shared among devices within the secure domain, without determining the destination device.

It should be noted that, in this embodiment, for general unicast data, a stream table entry is defined by using a quintuple, and the stream table entry is dynamically established based on a centralized security policy, where the combination of the stream table entry and the security policy is more complex than that of a multicast data policy.

In an embodiment, the processing policy includes explicit, discard and secret, and the step S102: processing the network session data message based on the processing strategy corresponding to the data flow table and then sending the network session data message to a receiver, wherein the method comprises the following steps:

if the processing strategy matched with the data flow table is secret communication, performing transparent encryption processing with a constant length on the part subjected to the network session data message encryption offset by adopting the session key and the encryption algorithm corresponding to the data flow table, and then sending the part to the receiver, wherein the encryption algorithm is CBC (integral multiple of algorithm packet) + CFB (remainder part except the integral multiple of algorithm packet);

Further, in step S103, generating a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool, and the ID of the security domain where the master key is located, specifically including: and caching the network session data message, extracting quintuple information (source and destination IP addresses, protocol numbers, source and destination transmission layer port numbers) of the network session data message, and combining randomly selected master key IDs and security domain IDs to form a flow table request message.

In an embodiment, in step S103, after generating a data flow table request message based on the five-tuple information, the ID of the master key randomly taken out from the master key pool, and the ID of the security domain where the master key is located, the method further includes the following steps:

In an embodiment, in the step S105, acquiring a new data flow table based on the data flow table distribution message includes:

It should be understood that if the check fails, the session is terminated.

In an embodiment, the method further comprises the steps of:

setting timeout time for the table entry in the data flow table;

In an embodiment, in step S102, before the network session data packet is processed based on the processing policy corresponding to the data flow table and then sent to the receiving party, the method further includes the following steps:

if not, executing the processing strategy corresponding to the data flow table to process the network session data message and then sending the network session data message to a receiver;

It should be noted that the content of the data flow table corresponding to the dynamic port protocol data, except for the quintuple, is the same as the flow entry corresponding to the control protocol packet, so that the same processing policy (blind or clear) as that of the control connection is executed on the data connection of such dynamic port protocol.

It should be noted that, in step S106, after the encryption gateway serving as the receiver receives the inbound network session data packet, the encryption gateway device node matches the flow table entry to the inbound data packet according to the five tuples (source and destination IP addresses, protocol numbers, source and destination transport layer port numbers) of the inbound data packet, and decrypts or explicitly turns on/discards the data stream matching the flow table entry according to the flow table information, or discards the data packet if there is no matched flow table entry.

In an embodiment, the method further comprises the steps of:

It should be noted that, unlike the technique of performing key agreement based on public key cryptography, the present embodiment constructs a network data encryption scheme for centrally distributing session keys based on a quantum key distribution network and a software defined security policy mode, and implements centralized, unified and strong management and control of network data encryption communication.

The problem of security intercommunication under the condition that the encryption gateway does not directly interact the secret key and the security policy information is solved, a handshake-free network communication transparent encryption and decryption scheme which cannot be solved by the traditional asymmetric cipher and IPSec protocol is realized, the security risk in a handshake process and the modification of a data message structure are avoided, the related interaction information of secret key management related to network data encryption and decryption can be obviously reduced, and the network adaptability is enhanced.

Example 2

As shown in fig. 2, a second embodiment of the present invention provides a fine-grained transparent encryption and decryption method for a network session data stream, where the method is applied to a management and control platform, and includes the following steps:

s201, receiving a data flow table request message sent by an encryption gateway, wherein the data flow table request message carries information including quintuple information, a master key ID and a security domain ID of the encryption gateway;

s202, matching a security policy table corresponding to the security domain ID according to the quintuple information, executing a step S203 when matching is successful, and executing a step S204 when matching is not successful;

s203, applying a quantum key from a quantum key distribution network as a session key, and establishing a first data flow table for the data flow determined by the quintuple information by combining the session key and the matched security strategy;

s204, establishing a second data flow table for the data flow determined by the quintuple information based on a default security policy;

and S205, generating a data flow table distribution message based on the first data flow table or the second data flow table, and distributing the data flow table distribution message to each encryption gateway in the same security domain.

In the embodiment, the management and control platform is used as a unique centralized controller of a full security domain, a security policy is customized, a session key is applied in real time and distributed online, and a data flow table and the session key of an intra-domain encryption gateway are managed and controlled uniformly; and the encryption gateway is only used as an execution point, and encryption and decryption processing is carried out on the data stream by using the session key distributed online in real time according to a flow table generated by the management and control platform based on the security policy and the actual quintuple information. The security policy defines a type of data flow, the data flow table describes a specific data flow, and the flow table is dynamically generated based on the static security policy and in combination with the information of the actual data flow, so that the encryption communication and the centralized access control in a software definition mode are realized, and the security and the expansibility are higher.

In one embodiment, in the step S201: after receiving the data flow table request message sent by the encryption gateway, the method further includes:

and acquiring a master key decryption message from the quantum key distribution network according to the security domain ID and the master key ID, performing integrity verification, and matching a security policy table corresponding to the security domain ID according to the quintuple information after the verification is passed.

In an embodiment, the management and control platform may set a security policy table for each security domain, and an administrator performs configuration management operations such as unified addition, deletion, modification and the like; the content of each entry in the security policy table includes a source IP address, a destination IP address, a corresponding subnet mask or address prefix, or a range of the source and destination IP addresses, an ID and an IP address of an encryption gateway device associated with the security policy table, a protocol number (may be ANY), a port range (may be ANY), a processing policy, an encryption offset, an encryption algorithm, a session key, and the like.

In an embodiment, the structure of the first data flow table includes five tuple information, an encryption offset, an encryption algorithm, a session key, and a processing policy, and the processing policy is closed.

In an embodiment, the structure of the second data flow table includes five tuple information, an encryption offset, an encryption algorithm, a session key, and a processing policy, where the processing policy is clear or discarded, and the five tuple information, the encryption offset, the encryption algorithm, and the session key are null.

In one embodiment, the step S205: generating a data flow table distribution message based on the first data flow table or the second data flow table, and distributing the data flow table distribution message to each encryption gateway in the same security domain, wherein the method comprises the following steps:

and acquiring the security domain ID and a main key corresponding to the security domain ID from a quantum key distribution network, encrypting the data flow table distribution message by using the main key, performing HMAC operation on the data flow table distribution message, and distributing the data flow table distribution message to each encryption gateway in the same security domain.

In an embodiment, the method further comprises the steps of:

The embodiment is different from the technology of carrying out key agreement based on public key cryptography, and constructs a network data encryption scheme for intensively distributing session keys based on a quantum key distribution network and a software defined security policy mode, so that centralized unified strong management and control of network data encryption communication are realized.

Example 3

As shown in fig. 3, a third embodiment of the present invention provides a fine-grained transparent encryption and decryption gateway for a network session data stream, where the gateway includes a data encryption and decryption processing module 11, a stream table management module 13, a stream table application module 14, and a key injection module 12, the key injection module 12 is connected to a secure storage medium, and the secure storage medium stores a master key pre-charged through a quantum key distribution network 4, where:

the key injection module 12 is configured to read a master key from a connected secure storage medium, and establish a master key pool;

the flow table management module 13 is configured to match a data flow table with an outbound network session data packet according to quintuple information of the outbound network session data packet, where the data flow table has a structure including quintuple information, a processing policy, an encryption offset, an encryption algorithm, and a session key;

the data encryption and decryption processing module 11 is configured to, when matching is successful, process the network session data packet based on a processing policy corresponding to the data flow table and then send the network session data packet to a receiving party;

the flow table application module 14 is configured to, when the matching is not successful, extract quintuple information from the network session data message, and generate a data flow table request message based on the quintuple information, the ID of the master key randomly taken out from the master key pool, and the ID of the security domain where the master key is located; sending the data flow table request message to a management and control platform 3, so that the management and control platform 3 generates a data flow table distribution message based on the data flow table request message and distributes each encryption gateway in the same security domain;

the flow table management module 13 is further configured to acquire a newly-built data flow table based on the data flow table distribution message, and fill the content of the newly-built data flow table into the data flow table of the device to obtain new data flow table information;

the data encryption and decryption processing module 11 is further configured to process the network session data packet according to the new data flow table information and send the network session data packet to the receiving party.

In the embodiment, the encryption gateway uses the session key distributed online in real time to encrypt and decrypt the data stream according to the flow table generated by the management and control platform 3 based on the security policy and the actual quintuple information, and transparently encrypts and decrypts the unicast data message, so that no extra data and service data flow is added, no message header is added, and good network adaptability is achieved; the method adopts a centralized online session key distribution mode, combines with a fine-grained security policy to realize software-defined quantum key distribution, and is suitable for a scene of centralized security policy management and key distribution on an encryption gateway in a security domain and a network session data stream protected by the encryption gateway.

In an embodiment, the processing policy includes clear, discard and encrypted, and the data encryption and decryption processing module 11 is configured to, when matching is successful, perform the following steps:

In an embodiment, the data encryption and decryption processing module 11 is further configured to:

and taking out the master key corresponding to the master key ID from the master key pool, performing HMAC operation on the quintuple information in the data flow table request message by using the master key, and then sending the result to the management and control platform 3.

In an embodiment, the flow table management module 13 is specifically configured to execute the following steps:

It should be understood that if the verification fails, the session is terminated.

In one embodiment, the encryption gateway further comprises:

the time setting module is used for setting timeout time for the table entry in the data flow table;

and the table entry deleting module is used for deleting the table entry when the table entry in the data flow table is not accessed within the overtime time.

In one embodiment, the encryption gateway further comprises:

the judging module is used for judging whether the network session data message contains a dynamic port protocol message or not;

the data encryption and decryption processing module 11 is configured to execute the processing policy corresponding to the data flow table to process the network session data packet and send the processed network session data packet to a receiving party when the output result of the judging module is negative;

the flow table management module 13 is configured to, when the output result of the determining module is yes, analyze the dynamic port protocol packet and extract quintuple information corresponding to the dynamic port protocol; and establishing a data flow table corresponding to the dynamic port protocol data based on the quintuple information corresponding to the dynamic port protocol.

In one embodiment, the encryption gateway further comprises:

a registration request module, configured to send a registration request to the management and control platform 3 to bind to corresponding security domains, where the security domains are partitioned by the management and control platform 3;

a key charging request module, configured to send a key charging request to the management and control platform 3, so that the management and control platform 3 forwards the key charging request to the quantum key distribution network 4, so that the quantum key distribution network 4 charges the master key to the secure storage medium connected to the encryption gateway in an offline manner through a key agent or a quantum network node, and ID identifiers of master keys charged in the secure storage media connected to each encryption gateway in the same secure domain are the same; the quantum key distribution network 4 stores security domain division information and encryption gateway information in each security domain;

the key injection module 12 is configured to read a master key from the connected secure storage medium, and establish the master key pool.

It should be noted that, other embodiments or implementation methods of the fine-grained transparent encryption/decryption gateway for network session data stream according to the present invention may refer to the above method embodiment 1, and no redundancy is provided here.

Example 4

As shown in fig. 4, a fourth embodiment of the present invention provides a management and control platform 3, where the management and control platform 3 includes:

a flow table request information receiving module 31, configured to receive a data flow table request message sent by an encryption gateway, where the data flow table request message carries information that includes quintuple information of a network session data packet, a master key ID, and an ID of a security domain where the encryption gateway is located;

a security policy matching module 32, configured to match, according to the quintuple information, a security policy table corresponding to the security domain ID;

a first data flow table establishing module 33, configured to apply for a quantum key from the quantum key distribution network 4 as a session key when the security policy table is successfully matched, and establish a first data flow table for the data flow determined by the quintuple information in combination with the session key and the matched security policy;

a second data flow table establishing module 34, configured to establish a second data flow table for the data flow determined by the five-tuple information based on a default security policy when the security policy table is not successfully matched;

and the distribution module 35 is configured to generate a data flow table distribution message based on the first data flow table or the second data flow table, and distribute the data flow table distribution message to each encryption gateway in the same security domain.

In the embodiment, the management and control platform 3 serves as a unique centralized controller of a full security domain, customizes a security policy, applies for and distributes a session key on line in real time, and performs unified management and control on a data flow table and the session key of an intra-domain encryption gateway; the encryption gateway is only used as an execution point, and encryption and decryption processing is performed on the data stream by using a session key distributed online in real time according to a flow table generated by the management and control platform 3 based on the security policy and the actual quintuple information. The security policy defines a type of data flow, the data flow table describes a specific data flow, and the flow table is dynamically generated based on the static security policy and in combination with the information of the actual data flow, so that the encryption communication and the centralized access control in a software definition mode are realized, and the security and the expansibility are higher.

In an embodiment, the management and control platform 3 further includes:

and the verification module is used for acquiring the master key decryption message from the quantum key distribution network 4 according to the security domain ID and the master key ID, performing integrity verification, and matching the security policy table corresponding to the security domain ID according to the quintuple information after the verification is passed.

It should be noted that the management and control platform 3 may set a security policy table for each security domain, and an administrator performs configuration management operations such as unified addition, deletion, modification, and the like; the content of each entry in the security policy table includes a source IP address, a destination IP address, a corresponding subnet mask or address prefix, or a range of the source and destination IP addresses, an ID and an IP address of an encryption gateway device associated with the security policy table, a protocol number (may be ANY), a port range (may be ANY), a processing policy, an encryption offset, an encryption algorithm, a session key, and the like.

In an embodiment, the structure of the first data flow table includes five-tuple information, an encryption offset, an encryption algorithm, a session key, and a processing policy, and the processing policy is secure.

In one embodiment, the distribution module 35 includes:

the data flow table distribution message generating unit is used for combining the first data flow table or the second data flow table with a master key ID and a security domain ID to form the data flow table distribution message;

and the distribution unit is used for acquiring the security domain ID and a main key corresponding to the security domain ID from the quantum key distribution network 4, encrypting the data flow table distribution message by using the main key, performing HMAC operation on the data flow table distribution message, and distributing the data flow table distribution message to each encryption gateway in the same security domain.

In an embodiment, the management and control platform 3 further includes:

the registration module is configured to accept a registration request sent by the encryption gateway, so as to bind the encryption gateway to corresponding security domains, where the security domains are partitioned by the management and control platform 3;

and the key charging request forwarding module is configured to receive a key charging request sent by the encryption gateway, and forward the key charging request to the quantum key distribution network 4, so that the quantum key distribution network 4 charges the master key to the secure storage medium connected to the encryption gateway in an offline manner, IDs of the master key charged in the secure storage medium connected to each encryption gateway in the same secure domain are the same, and the quantum key distribution network 4 stores security domain division information and information about the encryption gateways in each secure domain.

The embodiment is different from the technology of carrying out key agreement based on public key cryptography, and a network data encryption scheme for intensively distributing session keys based on a quantum key distribution network 4 and a software defined security policy mode is constructed, so that centralized unified strong management and control of network data encryption communication are realized.

It should be noted that, other embodiments or implementation methods of the fine-grained transparent encryption/decryption gateway for network session data stream according to the present invention may refer to the above method embodiment 2, and no redundancy is provided here.

Example 5

As shown in fig. 5, a fifth embodiment of the present invention provides a network session data stream fine-grained transparent encryption and decryption system, where the system includes a first encryption gateway 1, a second encryption gateway 2, a management and control platform 3, and a quantum key distribution network 4, where the first encryption gateway 1, the second encryption gateway 2, and the quantum key distribution network 4 are all connected to the management and control platform 3, and the first encryption gateway 1 and the second encryption gateway 2 are all connected to the quantum key distribution network 4, where the first encryption gateway 1 and the second encryption gateway 2 each include a data encryption and decryption processing module 11, a flow table management module 13, a flow table application module 14, and a key injection module 12, and the key injection module 12 is connected to a secure storage medium, and the secure storage medium stores a master key pre-filled via the quantum key distribution network 4, where:

the management and control platform 3 is configured to perform security domain division, and perform registration and identity binding services on the first encryption gateway 1 and the second encryption gateway 2;

the quantum key distribution network 4 is used for pre-charging a master key into the secure storage medium;

In the embodiment, the encryption gateway uses the session key distributed online in real time to encrypt and decrypt the data stream according to the flow table generated by the management and control platform 3 based on the security policy and the actual quintuple information, and transparently encrypts and decrypts the unicast data message, so that no extra data and service data flow is added, no message header is added, and good network adaptability is achieved; the method for distributing session keys on line in a centralized manner is combined with a fine-grained security policy to realize software-defined quantum key distribution, and is suitable for scenes of centralized security policy management and key distribution of encryption gateways in a security domain and network session data streams protected by the encryption gateways.

In this embodiment, the encryption gateway: the encryption and decryption processing module is used for encrypting and decrypting user network session data flow transmitted through a network and comprises a data encryption and decryption processing module, a flow table management module, a flow table application module, a key injection module and other functional modules;

the management and control platform 3: the system comprises a security domain, a registration domain, an identity binding service, a global fine-grained flow table and a session key, wherein the security domain is used for providing a corresponding relation among an encryption gateway, a key agent and a quantum network node, performing security domain division, providing the registration and identity binding service of the encryption gateway, maintaining the global fine-grained flow table and directly distributing a flow strategy and the session key to the encryption gateway;

and (3) key agent: a proxy function for providing key charging in case the encryption gateway cannot directly perform key charging at a node of the quantum key distribution network 4, and providing key distribution in case the encryption communication network cannot directly connect to the quantum key distribution network 4;

quantum key distribution network 4: the system comprises quantum network nodes and a quantum network link control center, and services such as quantum key generation, quantum key relay, quantum key provision and the like are realized;

quantum network node: the system is used for storing the generated quantum key, receiving a key application of a key agent or a management and control platform 3, and providing a key to the key agent or the management and control platform 3 or directly providing a key charging and key distribution service;

quantum network link control center: the method is used for establishing quantum key distribution and relay links among the nodes according to the quantum network node IDs.

It should be noted that the quantum key distribution device in this embodiment includes, but is not limited to, a QKD key distribution network, and the related key pre-charging and online key distribution functions may be implemented by using any symmetric key management system and device.

In one embodiment, the management and control platform 3 comprises:

a flow table request information receiving module 31, configured to receive a data flow table request message sent by an encryption gateway, where the data flow table request message carries information that includes quintuple information of a network session data packet, a master key ID, and a security domain ID where the encryption gateway is located;

As shown in fig. 6, the work flow of the fine-grained transparent encryption and decryption system for network session data flow according to the embodiment of the present invention is as follows:

(1) The management and control platform defines a security domain, a large number of main keys are pre-filled to nodes of each encryption gateway device in the domain in an off-line manner by using a large-capacity security storage medium such as a security TF card or a security U shield through a quantum key distribution network QKD, each device in the same security domain shares the same main key identified by the same key ID, and each security domain corresponds to a main key pool in the QKD and is indexed by the main key IDs with uniform numbers in the domain;

the key format is 2 byte domain ID +4 byte key ID + n byte key and n byte initialization vector, and the specific value of n is related to the encryption algorithm.

(2) And each encryption gateway in the security domain acquires a master key in a security storage medium connected with the encryption gateway and establishes a master key pool.

(3) The encryption gateway equipment node matches a flow table entry for the outbound network session data message according to the quintuple thereof: if the processing strategy matched with the flow table item is secret communication, performing the transparent encryption processing with the unchanged length on the part of the whole data message after encrypting the offset by adopting a session key and an encryption algorithm corresponding to the flow table item, wherein the encryption mode is CBC (integral multiple of algorithm packet) + CFB (remainder part except integral multiple of algorithm packet); the processing strategy is the direct forwarding of the data message if the processing strategy is the clear communication; if the processing strategy is discarding, discarding the data message;

the flow table entry comprises five tuples and corresponding processing strategies, encryption offset, encryption algorithm, session keys and other elements, wherein the processing strategies comprise three types of explicit communication, discarding and secret communication.

(4) If the flow table entry is not successfully matched in the previous step (3), caching the network session data message, extracting quintuple information of the network session data message, then combining randomly selected master key ID and security domain ID to form a flow table request message, taking out a master key corresponding to the master key ID from the master key pool, encrypting the quintuple information in the request message, performing HMAC operation on the whole message, and then sending the message to the control platform.

(5) And after receiving the flow table request message, the control platform acquires a main key decryption message from the QKD according to the security domain ID and the main key ID and performs integrity verification, directly terminates the session if the verification fails, and performs matching of the security policy table corresponding to the domain ID according to quintuple information after the verification passes. The management and control platform sets a security policy table for each security domain, the content of each table entry is composed of elements such as source and destination IP addresses and corresponding subnet masks or address prefixes, or source and destination IP address ranges, ID and IP addresses of encryption gateway equipment associated with the security policy, a protocol number (which can be ANY), a port range (which can be ANY), a processing policy, an encryption offset, an encryption algorithm, a session key and the like, and configuration management operations such as uniform addition, deletion, change and check are performed by an administrator.

If no matched security policy exists, a new first data flow table is established for the data flow uniquely determined by the quintuple information according to the default security policy, the table entry structure is the same as that of the data flow table of the encryption gateway, the contents of encryption offset, encryption algorithm, session key and the like are null, the processing policy is set to be open or discarded according to the default policy (the default policy can only be set to be open or discarded), and the first data flow table is distributed to all the encryption gateways in the domain.

And if the matched security policy exists, applying a quantum key from the QKD in real time as a session key of the data flow, establishing a new second data flow table for the data flow uniquely determined by the quintuple information by combining the security policy, wherein the table item structure of the second data flow table is the same as that of the data flow table of the gateway, the processing policy is set to be closed-circuit and comprises elements such as encryption offset, encryption algorithm, session key and the like, and the second data flow table is distributed to all encryption gateways associated with the security policy in the domain.

Further, when the management and control platform distributes and newly establishes the first data flow table or the second data flow table, the content of the first data flow table or the second data flow table, the randomly selected intra-domain master key ID and the security domain ID form flow table distribution message content, the main key corresponding to the master key ID in the security domain master key pool corresponding to the security domain ID is obtained from the QKD, the message content is encrypted, the whole message is subjected to HMAC, and then the message is sent to the encryption gateway device node associated with the security domain.

In this embodiment, a management and control platform is used to centrally manage and control a security policy, a session key is centrally distributed, the security policy defines a type of data flow, the flow table describes a specific data flow, the flow table is dynamically generated based on a static security policy, and a life cycle is synchronized with the data flow.

(6) And after receiving the flow table distribution message, the encryption gateway device node takes out the master key corresponding to the master key ID from the master key pool, decrypts the message and carries out integrity verification, and fills the flow table item content into the flow table of the device after the message passes the integrity verification.

(7) And the encryption gateway equipment node as a receiver matches the inbound network session data message with the data flow table entry according to the quintuple of the inbound network session data message, decrypts or explicitly communicates/discards the data flow matched with the flow table entry according to the flow table information, and discards the data message if no matched flow table entry exists.

Further, the encryption gateway may set a timeout time for the flow entry, and delete the flow entry from the flow table when none of the flow entries is hit within the timeout time.

Further, if the protocol analysis module is run on the encryption gateway device, dynamic port protocol messages such as FTP and the like, which contain data connection ports and IP address information in the control protocol, are analyzed, quintuple information such as ports of data connection, IP addresses and the like is extracted to create a flow entry, and the contents of the newly created flow entry except for the quintuple are the same as the flow entry corresponding to the control protocol message, so that the same processing strategy (closed or open) is executed and controlled for the data connection of the dynamic port protocol.

In this embodiment, based on a large-capacity symmetric pre-shared key provided by a quantum key distribution technology, a large-capacity master key generated by a quantum key distribution system is used in an encryption gateway, a security policy management and control center is used to distribute session keys in a centralized manner and associate security policies, so that the centralized distribution of session keys combined with fine-grained software defined security policies is realized, the problem that the encryption gateway cannot negotiate keys in complex network environments such as bidirectional NAT and the like and the key synchronization problem of a one-time pad encrypted data message are solved, and the centralized management and control strength of network session data stream encryption transmission during interconnection and intercommunication among a plurality of local area networks is enhanced.

It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, such as an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.

It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.

In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.

Although embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are exemplary and not to be construed as limiting the present invention, and that changes, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims

1. A fine-grained transparent encryption and decryption method for a network session data stream is characterized in that the method is applied to an encryption gateway, a master key pool is established in the encryption gateway, and a master key corresponding to a security domain where the encryption gateway is located is stored in the master key pool, and the method comprises the following steps:

sending the data flow table request message to a control platform, so that the control platform generates a data flow table distribution message and distributes each encryption gateway in the same security domain based on the data flow table request message and a security policy, wherein the data flow table distribution message carries a newly-built data flow table;

2. The fine-grained transparent encryption and decryption method for the network session data flow according to claim 1, wherein the processing policy includes clear connection, discard and secret connection, and if the matching is successful, the network session data packet is processed based on the processing policy corresponding to the data flow and then sent to the receiving party, including:

3. The method for fine-grained transparent encryption and decryption of network session data flow according to claim 1, wherein after the data flow table request message is generated based on the quintuple information, the master key ID randomly fetched from the master key pool and the security domain ID where the master key ID is located, the method further comprises:

4. The fine-grained transparent encryption and decryption method for network session data flow according to claim 1, wherein the obtaining of the newly-created data flow table based on the message distributed by the data flow table comprises:

5. The method for fine-grained transparent encryption and decryption of a network session data stream according to claim 1, wherein the method further comprises:

setting timeout time for the table entry in the data flow table;

6. The fine-grained transparent encryption and decryption method for network session data flow according to claim 1, wherein before the network session data packet is processed based on the processing policy corresponding to the data flow table and then sent to a receiver, the method further comprises:

7. The method for fine-grained transparent encryption and decryption of a network session data stream according to claim 1, wherein the method further comprises:

8. A fine-grained transparent encryption and decryption method for network session data streams is applied to a control platform and comprises the following steps:

9. The fine-grained transparent encryption and decryption method for network session data flow according to claim 8, wherein the structure of the first data flow table comprises five tuple information, encryption offset, encryption algorithm, session key and processing policy, and the processing policy is closed-end.

10. The fine-grained transparent encryption and decryption method for network session data streams according to claim 8, wherein the structure of the second data stream table includes five tuple information, encryption offset, encryption algorithm, session key and processing policy, the processing policy is clear or discard, and the five tuple information, encryption offset, encryption algorithm and session key are null.

11. The fine-grained transparent encryption and decryption method for network session data streams according to claim 8, wherein the contents of each entry in the security policy table include a source IP address, a destination IP address, a corresponding subnet mask or address prefix, or a source and destination IP address range, an ID and IP address of an encryption gateway device associated with the security policy table, a protocol number, a port range, a processing policy, an encryption offset, an encryption algorithm, and a session key.

12. The method for fine-grained transparent encryption and decryption of network session data flow according to claim 8, wherein the generating a data flow table distribution message based on the first data flow table or the second data flow table and distributing the data flow table distribution message to each encryption gateway in the same security domain comprises:

13. The method for fine-grained transparent encryption and decryption of a network session data stream according to claim 8, wherein the method further comprises:

14. The fine-grained transparent encryption and decryption gateway for the network session data stream is characterized by comprising a data encryption and decryption processing module, a flow table management module, a flow table application module and a key injection module, wherein the key injection module is connected with a secure storage medium, and a master key pre-filled by a quantum key distribution network is stored in the secure storage medium, wherein:

the flow table management module is further configured to acquire a newly-built data flow table based on the data flow table distribution message, and fill the content of the newly-built data flow table into the data flow table of the device to obtain new data flow table information;

15. The utility model provides a management and control platform which characterized in that, management and control platform includes:

the security policy matching module is used for matching a security policy table corresponding to the security domain ID according to the quintuple information;

16. The fine-grained transparent encryption and decryption system for the network session data stream is characterized by comprising a first encryption gateway, a second encryption gateway, a control platform and a quantum key distribution network, wherein the first encryption gateway, the second encryption gateway and the quantum key distribution network are all connected with the control platform, the first encryption gateway and the second encryption gateway are all connected with the quantum key distribution network, the first encryption gateway and the second encryption gateway respectively comprise a data encryption and decryption processing module, a flow table management module, a flow table application module and a key injection module, the key injection module is connected with a secure storage medium, and a master key pre-filled through the quantum key distribution network is stored in the secure storage medium, wherein:

the quantum key distribution network is used for pre-charging a master key into the secure storage medium;