CN115622781A - SDN-based data security transmission method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115622781A
Authority
CN
China
Prior art keywords
network access
data
network
sdn
message
Prior art date
Legal status
Pending
Application number
CN202211278866.XA
Other languages
Chinese (zh)
Inventor
陈江南
宋志远
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data security transmission method, device, equipment and storage medium based on an SDN network. The method comprises the following steps: acquiring a network access request sent by a network access requester, the network access request being a request to enter a Software Defined Network (SDN) cluster; performing identity verification and authority verification on the network access requester according to the network access request; if both the identity verification and the authority verification pass, acquiring message data of the network access requester; and encrypting the message data and transmitting the encrypted message data to a data receiver over the SDN cluster network. The embodiment of the invention improves the security of data transmission based on an SDN network.

Description

SDN-based data security transmission method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing, and in particular, to a data security transmission method, device, and apparatus based on an SDN network, and a storage medium.
Background
With the growing access demand of Internet of Things devices based on SDN (Software Defined Network) technology, the associated security risks also grow. The operation of a data distribution service faces many kinds of threats, such as unauthorized subscribers, unauthorized publishers and unauthorized data access, which leave data transmitted in an SDN network-based cluster poorly protected.
Disclosure of Invention
The invention provides a data security transmission method, a device, equipment and a storage medium based on an SDN (software defined network) network, which are used for improving the data transmission security based on the SDN network.
According to an aspect of the present invention, a data secure transmission method based on an SDN network is provided, the method including:
acquiring a network access request sent by a network access requester; the network access request is a request for entering a Software Defined Network (SDN) network cluster;
according to the network access request, performing identity verification and authority verification on the network access requester;
if the identity authentication and the authority authentication pass, acquiring message data of the network access requester;
and encrypting the message data, and transmitting the encrypted message data to a data receiver based on the SDN cluster network.
According to another aspect of the present invention, there is provided a data security transmission apparatus based on an SDN network, the apparatus including:
the network access request acquisition module is used for acquiring a network access request sent by a network access requester; the network access request is a request for entering a Software Defined Network (SDN) network cluster;
the verification module is used for performing identity verification and authority verification on the network access requester according to the network access request;
the message data acquisition module is used for acquiring the message data of the network access requester if the identity authentication and the permission authentication pass;
and the data transmission module is used for encrypting the message data and transmitting the encrypted message data to a data receiver based on the SDN cluster network.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the computer program being executed by the at least one processor to enable the at least one processor to perform the SDN network based secure data transmission method according to any embodiment of the present invention.
According to another aspect of the present invention, a computer-readable storage medium is provided, which stores computer instructions for causing a processor to implement the SDN network-based data secure transmission method according to any embodiment of the present invention when executed.
According to the scheme of the embodiment of the invention, identity verification and authority verification are carried out on the network access requester according to the network access request; if both pass, the message data of the network access requester is acquired; the message data is encrypted and the encrypted message data is transmitted to a data receiver over the SDN cluster network, so that secure data transmission over an SDN publish-subscribe network is realized and the security of SDN-based data transmission is improved. The SDN-based data security transmission scheme is applied at the boundary of the Internet of Things communication facility to construct a real-time, stable publish-subscribe network, so that the identity security and data security of a publisher or subscriber during communication are effectively guaranteed, and the confidentiality and security of the data are ensured.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a data secure transmission method based on an SDN network according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a data security transmission apparatus based on an SDN network according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device implementing the SDN network-based data secure transmission method according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a data security transmission method based on an SDN network according to an embodiment of the present invention, where the embodiment is applicable to a case of data security transmission in an SDN internet-of-things network cluster, and the method may be executed by a data security transmission apparatus based on an SDN network, where the data security transmission apparatus based on an SDN network may be implemented in hardware and/or software, and the data security transmission apparatus based on an SDN network may be configured in an electronic device. As shown in fig. 1, the method includes:
S110, acquiring a network access request sent by a network access requester; the network access request is a request to enter a Software Defined Network (SDN) cluster.
The network access request may be a request for entering an SDN internet of things communication facility. The SDN internet of things communication facility may be an SDN-based publish-subscribe cluster network. The clusters can be formed by a group of SDN switches and clients, each cluster can be managed by a cluster controller, and the clusters can be connected through SDN boundary switches. Optionally, when data communication is performed in the SDN publish-subscribe cluster network, a data request event may be formed in a topic subscription manner, so as to perform event processing in the SDN publish-subscribe cluster network.
For example, the network access request sent by the network access requester can be obtained by the client proxy server. The network access requester can be a data subscriber or a data publisher based on the data transmission requirements of the SDN network cluster. At least one client may exist in the SDN network, and each client corresponds to a data subscriber or a data publisher respectively.
S120, performing identity verification and authority verification on the network access requester according to the network access request.
It should be noted that, as pointed out in the DDS (Data Distribution Service) security specification, a conventional data distribution service has the problem that the data publisher and the data subscriber cannot confirm each other's identity; that is, the data subscriber cannot determine the source of a topic message or event or the identity of the data publisher. To ensure the security of the data distribution service, identity verification and authority verification can be performed on the network access requests of both data publishers and data subscribers, so as to secure the transmission between the two parties in the SDN cluster network.
In an optional embodiment, the identity verification and the authority verification are performed on the network access requester according to the network access request, and the method includes: according to the network access request, carrying out identity authentication on the network access requester; if the identity authentication of the network access requester is passed, judging whether the network access requester has read-write permission according to the network access request; and determining the verification result of the authority verification of the network access requester according to the judgment result of the read-write authority.
For example, the client proxy server may authenticate the network access requester that initiates a data transmission request; specifically, it verifies whether the network access requester has registered its identity with the server and is an authorized user. If so, the authentication of the network access requester passes; if not, the authentication fails and the network access request is rejected. To further improve the security of the identity authentication of the network access requester, the authentication may be performed in the following manner.
In an optional embodiment, the authenticating the network access requester according to the network access request includes: if the corresponding token information exists in the network access request, judging whether the token information is in an accessible white list; and if so, determining that the identity authentication of the network access requester is passed.
For example, the client proxy server may extract token information from the network access request; specifically, it determines whether the network access request carries token information sent by the network access requester. If so, the token information is verified further; if not, the network access requester has no network access authority and the network access request is prohibited from being forwarded into the network.
Optionally, if the corresponding token information is not extracted from the network access request of the network access requester, a request for providing a valid credential may be further initiated to the network access requester, so as to further determine whether the network access requester has a network access right according to the obtained result.
If the verification of the token information of the network access request party is passed, further judging whether the token information is in an accessible white list; if so, determining that the identity authentication of the network access requester is passed; if not, determining that the identity authentication of the network access requester fails.
In order to further improve the accuracy of the authentication of the network access requester, the token information of the network access requester can also be authenticated in the following manner.
In an optional embodiment, after determining whether the token information is in the accessible white list, the method further comprises: if the token information is not in the accessible white list, judging whether an access credential exists in the network access request; if so, judging whether the access credential is valid; and if so, determining that the identity authentication of the network access requester has passed, and adding the token information corresponding to the network access requester to the accessible white list.
For example, if the token information is not in the accessible white list, it may be further determined whether a network access credential of the network access requester exists in the network access request. If the credential exists, it is further judged whether it is valid; if it does not exist, the identity authentication of the network access requester fails. If the access credential is valid, the identity authentication of the network access requester passes; if the access credential is invalid, the identity authentication fails.
It should be noted that, in the conventional data distribution service, there is no judgment on whether a data publisher or a data subscriber has read-write permission for a subject message event, that is, message data. In a publish-subscribe network based on SDN, verifying whether a publisher or a subscriber has a right to read and write a certain subject message event can improve the security of a data transmission process.
In the third-party security management system, read-write permissions can be allocated to publishers or subscribers in advance; for example, publisher P may hold write permission on topic message event T and subscriber S read permission on topic message event T, and so on. When a publisher or subscriber operates on a client, the client represents the user behavior as a triple and accesses the client proxy server, which judges whether the network access requester has the corresponding read-write permission. According to the judgment result, the client proxy server releases or intercepts the data acquisition or publication behavior of the publisher or subscriber. Because the client proxy server performs permission distribution and enforcement on behalf of the publisher or subscriber, the security of SDN publish-subscribe network resources and topic message events is effectively protected.
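The client-proxy checks of S120 (token white list, fall-back to an access credential that adds the token to the white list, then the read-write permission triple) as an added Python example; this is not code from the patent. The credential format (an HMAC-SHA256 tag issued by the third-party security management system), the binding of each white-listed token to the principal it was issued to, and the (principal, topic, operation) form of the triple are assumptions made here.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed key shared by the (hypothetical) third-party security management
# system that issues access credentials and the client proxy server that checks them.
CREDENTIAL_KEY = b"constructed-demo-key-not-for-production"


def issue_credential(token: str, principal: str) -> str:
    """Issue an access credential binding a token to a principal.
    ASSUMPTION: the patent only says 'valid credential'; here it is an HMAC-SHA256 tag."""
    return hmac.new(CREDENTIAL_KEY, f"{token}|{principal}".encode(), hashlib.sha256).hexdigest()


@dataclass
class NetworkAccessRequest:
    principal: str                       # publisher or subscriber identity claimed by the client
    topic: str                           # topic message event T
    operation: str                       # "write" for a publisher, "read" for a subscriber
    token: Optional[str] = None          # token information, if the request carries any
    credential: Optional[str] = None     # access credential, if the request carries any


@dataclass
class ClientProxy:
    # Accessible white list. ASSUMPTION: each token is stored with the principal it was
    # issued to, so a white-listed token cannot be replayed under another identity.
    whitelist: Dict[str, str] = field(default_factory=dict)
    # Read-write permissions pre-allocated by the security management system,
    # represented as (principal, topic, operation) triples.
    permissions: Set[Tuple[str, str, str]] = field(default_factory=set)

    def authenticate(self, req: NetworkAccessRequest) -> str:
        """Identity verification: white list first, then the access-credential fall-back."""
        if req.token is None:
            # No token: the request must not be forwarded into the network.
            return "REJECTED_NO_TOKEN"
        if self.whitelist.get(req.token) == req.principal:
            return "IDENTITY_OK"
        if req.credential is None:
            return "REJECTED_IDENTITY"
        expected = issue_credential(req.token, req.principal)
        if not hmac.compare_digest(expected, req.credential):
            return "REJECTED_IDENTITY"
        # Valid credential: pass, and add the token to the accessible white list.
        self.whitelist[req.token] = req.principal
        return "IDENTITY_OK"

    def authorize(self, req: NetworkAccessRequest) -> bool:
        """Authority verification: does the triple match a pre-allocated permission?"""
        return (req.principal, req.topic, req.operation) in self.permissions

    def handle(self, req: NetworkAccessRequest) -> str:
        """S120 as a whole: release the request only if both verifications pass."""
        identity = self.authenticate(req)
        if identity != "IDENTITY_OK":
            return identity
        if not self.authorize(req):
            return "REJECTED_PERMISSION"
        return "ALLOWED"


def demo() -> list:
    """Walk a publisher P and a subscriber S through the checks on topic T."""
    proxy = ClientProxy(permissions={("P", "T", "write"), ("S", "T", "read")})
    cred_p = issue_credential("tok-p", "P")
    return [
        proxy.handle(NetworkAccessRequest("P", "T", "write")),                     # no token at all
        proxy.handle(NetworkAccessRequest("P", "T", "write", token="tok-p")),      # unknown token, no credential
        proxy.handle(NetworkAccessRequest("P", "T", "write", "tok-p", cred_p)),    # valid credential -> white-listed
        proxy.handle(NetworkAccessRequest("P", "T", "write", token="tok-p")),      # now on the white list
        proxy.handle(NetworkAccessRequest("P", "T", "read", token="tok-p")),       # P holds no read permission on T
        proxy.handle(NetworkAccessRequest("S", "T", "read", token="tok-p")),       # P's token presented under S's name
        proxy.handle(NetworkAccessRequest("S", "T", "read", "tok-s", "00" * 32)),  # forged credential
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```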
S130, if both the identity verification and the authority verification pass, acquiring the message data of the network access requester.
Illustratively, if the client proxy server passes both the authentication of the network access requester and the authentication of the authority verification, the message data of the network access requester is obtained. If the network access requester is a data subscriber, the message data may be subscription message data that the network access requester wants to subscribe; if the network access requester is a data publisher, the message data may be published message data that the network access requester wants to publish.
S140, encrypting the message data, and transmitting the encrypted message data to a data receiver based on the SDN cluster network.
In order to ensure the security of the message data in the transmission process based on the SDN cluster network and avoid the situation that the data security is insufficient due to malicious tampering by a third party, the message data can be encrypted, so that the encrypted data is transmitted safely in the SDN cluster network.
In an optional embodiment, encrypting the message data and transmitting the encrypted message data to a data receiver based on the SDN cluster network includes: determining a data receiver receiving the message data; homomorphic encryption is carried out on message data by adopting a first private key of a network access requester to obtain message ciphertext data; and transmitting the message ciphertext data to a data receiver based on the SDN cluster network.
The public key of the network access requester can be pre-stored in the client proxy server, and the public keys of all authorized network access requesters with access authority are mutually stored.
For example, the network access requester may homomorphically encrypt the message data using its own first private key and send the encrypted message data to the client proxy server. Alternatively, if the client proxy server is a trusted device, the client proxy server may perform the homomorphic encryption of the message data using the first private key of the network access requester to obtain message ciphertext data, and transmit the message ciphertext data to the data receiver over the SDN cluster network.
It should be noted that, in order to further improve the security of encrypting the message data, the following method may be further used to encrypt the message data.
It should be noted that, for a publish-subscribe network based on SDN, applying homomorphic encryption guarantees the confidentiality and integrity of the data on the one hand; on the other hand, unlike the DES (Data Encryption Standard) or AES (Advanced Encryption Standard) encryption and decryption used by a traditional data distribution service, homomorphic encryption allows addition, subtraction and multiplication to be performed directly on encrypted data, so that routing data can be operated on while still encrypted and transparent routing operations become possible.
In an optional embodiment, after homomorphic encrypting the message data by using the first private key of the network access requester to obtain message ciphertext data, the method further includes: generating a conversion key according to the first private key and a second public key of the data receiver; encrypting the message ciphertext data by adopting the conversion key to obtain message re-encryption data; correspondingly, the transmitting the message ciphertext data to the data receiver based on the SDN cluster network includes: and transmitting the message re-encryption data to the data receiver based on the SDN cluster network.
In a specific implementation, the homomorphic encryption process in an SDN publish-subscribe network may assume that an authorized publisher P and an authorized subscriber S each hold a public key and a private key. The publisher encrypts message data tx with its own public key p_PK to obtain message ciphertext data C, which is transmitted through the SDN publish-subscribe network. When C reaches the message forwarding agent, the client proxy server performs key conversion: it generates a conversion key from the subscriber's public key s_PK and the publisher's private key p_SK, re-encrypts C with the conversion key to obtain message re-encrypted data C', and forwards C'. After receiving C', the subscriber S decrypts it with its own private key s_SK to obtain the plaintext message data tx.
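The encrypt / convert / decrypt flow of this paragraph as an added Python example, not the patent's own code: a toy BBS98-style ElGamal proxy re-encryption that is also multiplicatively homomorphic, so it additionally shows the client proxy server combining two ciphertexts in the encrypted state before forwarding them. Assumptions: the group parameters are tiny illustration values, and the conversion key rk = s_SK / p_SK mod q is derived by a trusted key manager from both private exponents, whereas the text derives it from s_PK and p_SK.

```python
import secrets

# Toy group parameters, constructed for illustration only and far too small to be secure:
# P is a safe prime, Q = (P - 1) // 2 is the prime order of the quadratic-residue
# subgroup of Z_P^*, and G = 4 generates that subgroup.
P = 1019
Q = (P - 1) // 2
G = 4


def keygen():
    """Key pair for a publisher or subscriber: private exponent sk, public key g^sk mod P."""
    sk = 1 + secrets.randbelow(Q - 1)           # sk in [1, Q-1]
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Publisher encrypts topic message tx = m (an integer in [1, P-1]) under its own
    public key p_PK: C = (m * g^r, p_PK^r)."""
    if not 1 <= m < P:
        raise ValueError("message must be encoded as an integer in [1, P-1]")
    r = 1 + secrets.randbelow(Q - 1)
    return (m * pow(G, r, P)) % P, pow(pk, r, P)


def decrypt(sk, c):
    """Holder of sk recovers m: g^r = c2^(1/sk mod Q), then m = c1 / g^r."""
    c1, c2 = c
    g_r = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(g_r, -1, P)) % P


def conversion_key(p_sk, s_sk):
    """Conversion key rk = s_SK / p_SK mod Q.
    ASSUMPTION: this BBS98-style toy needs both private exponents, so rk is produced by
    a trusted key manager; the proxy only ever holds rk, never p_SK or s_SK."""
    return (s_sk * pow(p_sk, -1, Q)) % Q


def re_encrypt(rk, c):
    """Client proxy server turns C (decryptable by P) into C' (decryptable by S) without
    learning tx: c2 = p_PK^r = g^(p_SK*r) becomes g^(s_SK*r) = s_PK^r; c1 is untouched."""
    c1, c2 = c
    return c1, pow(c2, rk, P)


def hom_mul(ca, cb):
    """Operate on routed data while it stays encrypted: Enc(m1) * Enc(m2) = Enc(m1*m2 mod P).
    The result can still be re-encrypted and decrypted like any other ciphertext."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P


def publish_subscribe_roundtrip(tx):
    """tx -> C at publisher P -> C' at the client proxy -> tx at subscriber S."""
    p_sk, p_pk = keygen()
    s_sk, _s_pk = keygen()
    c = encrypt(p_pk, tx)                      # publisher side: uses only p_PK
    rk = conversion_key(p_sk, s_sk)            # key manager side
    c_prime = re_encrypt(rk, c)                # proxy side: sees only C and rk
    return decrypt(s_sk, c_prime)              # subscriber side: uses only s_SK


if __name__ == "__main__":
    print(publish_subscribe_roundtrip(42))
```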
According to the scheme of the embodiment of the invention, identity verification and authority verification are carried out on the network access requester according to the network access request; if both pass, the message data of the network access requester is acquired; the message data is encrypted and the encrypted message data is transmitted to a data receiver over the SDN cluster network, so that secure data transmission over an SDN publish-subscribe network is realized and the security of SDN-based data transmission is improved. The SDN-based data security transmission scheme is applied at the boundary of the Internet of Things communication facility to construct a real-time, stable publish-subscribe network, so that the identity security and data security of a publisher or subscriber during communication are effectively guaranteed, and the confidentiality and security of the data are ensured.
It should be noted that the acquisition, storage, usage, and processing of data such as token information and valid credentials related to the present embodiment all comply with relevant regulations of national laws and regulations.
Example two
Fig. 2 is a schematic structural diagram of a data security transmission device based on an SDN network according to a second embodiment of the present invention. The data security transmission device based on the SDN network provided by the embodiment of the present invention may be applied to data security transmission in an SDN internet of things cluster, and may be implemented in the form of hardware and/or software, as shown in fig. 2, the device specifically includes: a network access request acquisition module 201, a verification module 202, a message data acquisition module 203 and a data transmission module 204. Wherein,
a network access request obtaining module 201, configured to obtain a network access request sent by a network access requester; the network access request is a request for entering a Software Defined Network (SDN) network cluster;
the verification module 202 is configured to perform identity verification and permission verification on the network access requester according to the network access request;
a message data obtaining module 203, configured to obtain the message data of the network access requester if both the identity verification and the permission verification pass;
a data transmission module 204, configured to encrypt the message data and transmit the encrypted message data to a data receiver over the SDN cluster network.
According to the scheme of the embodiment of the invention, identity verification and authority verification are carried out on the network access requester according to the network access request; if both pass, the message data of the network access requester is acquired; the message data is encrypted and the encrypted message data is transmitted to a data receiver over the SDN cluster network, so that secure data transmission over an SDN publish-subscribe network is realized and the security of SDN-based data transmission is improved. The SDN-based data security transmission scheme is applied at the boundary of the Internet of Things communication facility to construct a real-time, stable publish-subscribe network, so that the identity security and data security of a publisher or subscriber during communication are effectively guaranteed, and the confidentiality and security of the data are ensured.
Optionally, the verification module includes:
the identity authentication unit is used for authenticating the identity of the network access requester according to the network access request;
the read-write permission judging unit is used for judging whether the network access requester has read-write permission or not according to the network access request if the identity authentication of the network access requester passes;
and the verification result determining unit is used for determining the verification result of the authority verification of the network access requester according to the judgment result of the read-write authority.
Optionally, the identity authentication unit includes:
a white list judging subunit, configured to judge whether the token information is in an accessible white list if corresponding token information exists in the network access request;
and the identity authentication subunit is used for determining that the identity authentication of the network access requester is passed if the token information is in the accessible white list.
Optionally, the identity authentication unit further includes:
an access credential judging subunit, configured to, if the token information is not in the accessible white list, judge whether an access credential exists in the network access request;
the certificate validity judging subunit is used for judging whether the access certificate is valid or not if the access certificate exists in the network access request;
and the token information adding subunit is configured to determine that the identity authentication of the network access requester is passed if the access credential is valid, and add token information corresponding to the network access requester to the accessible white list.
Optionally, the data transmission module 204 includes:
a data receiver determining unit, configured to determine a data receiver that receives the message data;
the homomorphic encryption unit is used for homomorphic encrypting the message data by adopting a first private key of the network access requester to obtain message ciphertext data;
and the encrypted data transmission unit is used for transmitting the message ciphertext data to a data receiver based on the SDN cluster network.
Optionally, the data transmission module 204 further includes:
the conversion key generation unit is used for generating a conversion key according to the first private key and a second public key of the data receiving party;
the message re-encryption data determining unit is used for encrypting the message ciphertext data by adopting the conversion key to obtain message re-encryption data;
correspondingly, the data transmission module 204 includes:
a re-encryption data sending unit, configured to transmit the message re-encryption data to the data receiver based on the SDN cluster network.
The SDN network-based data security transmission device provided by the embodiment of the invention can execute the SDN network-based data security transmission method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example three
FIG. 3 shows a schematic block diagram of an electronic device 30 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 3, the electronic device 30 includes at least one processor 31, and a memory communicatively connected to the at least one processor 31, such as a Read Only Memory (ROM) 32, a Random Access Memory (RAM) 33, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 31 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 32 or the computer program loaded from the storage unit 38 into the Random Access Memory (RAM) 33. In the RAM 33, various programs and data necessary for the operation of the electronic apparatus 30 can also be stored. The processor 31, the ROM 32, and the RAM 33 are connected to each other via a bus 34. An input/output (I/O) interface 35 is also connected to bus 34.
A plurality of components in the electronic device 30 are connected to the I/O interface 35, including: an input unit 36 such as a keyboard, a mouse, etc.; an output unit 37 such as various types of displays, speakers, and the like; a storage unit 38 such as a magnetic disk, an optical disk, or the like; and a communication unit 39 such as a network card, modem, wireless communication transceiver, etc. The communication unit 39 allows the electronic device 30 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 31 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 31 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 31 performs the various methods and processes described above, such as a SDN network-based data secure transmission method.
In some embodiments, the SDN network-based data secure transmission method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 38. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 30 via the ROM 32 and/or the communication unit 39. When the computer program is loaded into the RAM 33 and executed by the processor 31, one or more steps of the SDN network based data secure transmission method described above may be performed. Alternatively, in other embodiments, the processor 31 may be configured by any other suitable means (e.g., by means of firmware) to perform a SDN network based data secure transmission method.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of difficult management and weak service scalability found in traditional physical hosts and VPS services.
It should be understood that the flows shown above may be used in various forms, with steps reordered, added or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data security transmission method based on an SDN network is characterized by comprising the following steps:
acquiring a network access request sent by a network access requester; the network access request is a request for entering a Software Defined Network (SDN) network cluster;
according to the network access request, performing identity verification and authority verification on the network access requester;
if the identity authentication and the authority authentication pass, acquiring message data of the network access requester;
and encrypting the message data, and transmitting the encrypted message data to a data receiver based on the SDN cluster network.
2. The method according to claim 1, wherein the performing authentication and authorization verification on the network access requester according to the network access request comprises:
according to the network access request, carrying out identity authentication on the network access requester;
if the identity authentication of the network access requester is passed, judging whether the network access requester has read-write permission according to the network access request;
and determining the verification result of the authority verification of the network access requester according to the judgment result of the read-write authority.
3. The method of claim 2, wherein the authenticating the network access requester according to the network access request comprises:
if the corresponding token information exists in the network access request, judging whether the token information is in an accessible white list or not;
and if so, determining that the identity authentication of the network access requester is passed.
4. The method of claim 3, further comprising, after said determining whether the token information is in an accessible whitelist:
if the token information is not in the accessible white list, judging whether an access certificate exists in the network access request or not;
if yes, judging whether the access certificate is valid;
and if so, determining that the identity authentication of the network access request party passes, and adding token information corresponding to the network access request party to the accessible white list.
5. The method according to any one of claims 1-4, wherein encrypting the message data and transmitting the encrypted message data to a data receiver based on an SDN cluster network comprises:
determining a data receiver receiving the message data;
homomorphic encryption is carried out on the message data by adopting a first private key of the network access requester to obtain message ciphertext data;
and transmitting the message ciphertext data to a data receiver based on the SDN cluster network.
6. The method according to claim 5, wherein after said homomorphically encrypting the message data by using the first private key of the network access requester to obtain message ciphertext data, the method further comprises:
generating a conversion key according to the first private key and a second public key of the data receiver;
encrypting the message ciphertext data by using the conversion key to obtain message re-encryption data;
correspondingly, the transmitting the message ciphertext data to a data receiver based on the SDN cluster network includes:
transmitting the message re-encryption data to the data receiver based on the SDN cluster network.
7. A data security transmission device based on an SDN network is characterized by comprising:
the network access request acquisition module is used for acquiring a network access request sent by a network access requester; the network access request is a request for entering a Software Defined Network (SDN) network cluster;
the verification module is used for performing identity verification and authority verification on the network access requester according to the network access request;
the message data acquisition module is used for acquiring the message data of the network access requester if the identity verification and the authority verification pass;
and the data transmission module is used for encrypting the message data and transmitting the encrypted message data to a data receiver based on the SDN cluster network.
8. The apparatus of claim 7, wherein the verification module comprises:
the identity authentication unit is used for authenticating the identity of the network access requester according to the network access request;
the read-write permission judging unit is used for judging whether the network access requester has read-write permission or not according to the network access request if the identity authentication of the network access requester passes;
and the verification result determining unit is used for determining the verification result of the authority verification of the network access requester according to the judgment result of the read-write authority.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the SDN network based data secure transmission method of any one of claims 1-6.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions for causing a processor to implement the SDN network-based data secure transmission method according to any one of claims 1 to 6 when executed.
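The admission checks of claims 1 to 4, as an added worked example that is not part of the patent: a small controller that takes the token-in-whitelist path first, falls back to an access certificate (a valid certificate then earns the requester a whitelisted token), and only afterwards checks the read/write permission of claim 2. The request shape, the HMAC-authenticated certificate format, the permission store and all identities are assumptions constructed for the demo; the patent does not specify them.

```python
"""
Constructed example of the claimed admission flow: token whitelist, access
certificate fallback with token issuance, then read/write authorisation.
Certificate format (subject + expiry + HMAC) and request shape are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed demo secret shared by the certificate issuer and the verifier.
DEMO_ISSUER_KEY = b"constructed-demo-issuer-key"


def make_certificate(subject: str, expires: int, key: bytes = DEMO_ISSUER_KEY) -> dict:
    """Issue a toy access certificate: subject and expiry, authenticated by an HMAC."""
    mac = hmac.new(key, f"{subject}|{expires}".encode(), hashlib.sha256).hexdigest()
    return {"subject": subject, "expires": expires, "mac": mac}


@dataclass
class NetworkAccessRequest:
    requester: str
    operation: str                      # "read" or "write"
    token: Optional[str] = None
    certificate: Optional[dict] = None


@dataclass
class AdmissionController:
    # token -> requester it was issued to (binds each whitelisted token to one identity)
    whitelist: Dict[str, str] = field(default_factory=dict)
    # requester -> operations it is permitted to perform
    permissions: Dict[str, Set[str]] = field(default_factory=dict)
    issuer_key: bytes = DEMO_ISSUER_KEY

    def certificate_valid(self, cert: Optional[dict], now: int) -> bool:
        """Claim 4's 'is the access certificate valid': present, unexpired, untampered."""
        if not cert or cert.get("expires", 0) < now:
            return False
        expected = hmac.new(self.issuer_key,
                            f"{cert['subject']}|{cert['expires']}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(cert.get("mac", "")))

    def authenticate(self, req: NetworkAccessRequest, now: int) -> bool:
        """Claims 3-4: whitelisted token first, access certificate as the fallback."""
        if req.token is not None and self.whitelist.get(req.token) == req.requester:
            return True
        cert = req.certificate
        if self.certificate_valid(cert, now) and cert["subject"] == req.requester:
            # Certificate accepted: mint a token for this requester and whitelist it
            # so its later requests can take the token path.
            token = secrets.token_hex(16)
            self.whitelist[token] = req.requester
            req.token = token
            return True
        return False

    def authorize(self, req: NetworkAccessRequest) -> bool:
        """Claim 2: does the requester hold the read/write permission it asks for?"""
        return req.operation in self.permissions.get(req.requester, set())

    def admit(self, req: NetworkAccessRequest, now: int) -> bool:
        """Claim 1: message data is accepted only when both checks pass."""
        return self.authenticate(req, now) and self.authorize(req)


def demo() -> dict:
    """Run the interesting cases against one controller; returns name -> admitted?"""
    ctl = AdmissionController(permissions={"switch-a": {"read", "write"},
                                           "sensor-b": {"read"}})
    now = 1_700_000_000                                  # constructed clock value
    cert_a = make_certificate("switch-a", expires=now + 3600)
    first = NetworkAccessRequest("switch-a", "write", certificate=cert_a)
    results = {"cert_then_write": ctl.admit(first, now)}
    # The token minted above now works on its own, but only for switch-a.
    results["token_reuse_same_id"] = ctl.admit(
        NetworkAccessRequest("switch-a", "read", token=first.token), now)
    results["token_reuse_other_id"] = ctl.admit(
        NetworkAccessRequest("sensor-b", "read", token=first.token), now)
    # A valid certificate authenticates but cannot grant a permission the holder lacks.
    cert_b = make_certificate("sensor-b", expires=now + 3600)
    results["cert_but_no_write_perm"] = ctl.admit(
        NetworkAccessRequest("sensor-b", "write", certificate=cert_b), now)
    # Expired and tampered certificates are rejected outright.
    stale = make_certificate("sensor-b", expires=now - 1)
    results["expired_cert"] = ctl.admit(
        NetworkAccessRequest("sensor-b", "read", certificate=stale), now)
    forged = dict(cert_b, subject="switch-a")            # MAC no longer matches
    results["forged_cert"] = ctl.admit(
        NetworkAccessRequest("switch-a", "write", certificate=forged), now)
    return results


if __name__ == "__main__":
    for case, admitted in demo().items():
        print(f"{case:24s} {'admitted' if admitted else 'rejected'}")
```

The one design choice that goes slightly beyond the claim wording is storing the whitelist as token-to-requester rather than a bare set of tokens: claim 3 only asks whether the token is in the whitelist, but binding each token to the identity it was issued for is what stops a token presented by one requester from admitting another, which the demo's `token_reuse_other_id` case exercises.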
CN202211278866.XA 2022-10-19 2022-10-19 SDN-based data security transmission method, device, equipment and storage medium Pending CN115622781A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211278866.XA CN115622781A (en) 2022-10-19 2022-10-19 SDN-based data security transmission method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115622781A true CN115622781A (en) 2023-01-17

Family

ID=84864316

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211278866.XA Pending CN115622781A (en) 2022-10-19 2022-10-19 SDN-based data security transmission method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115622781A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination