CN116248360A - T-Box transmission method and device based on STG server - Google Patents


Info

Publication number: CN116248360A
Authority: CN (China)
Prior art keywords: stg, server, cluster, data, tsp
Legal status: Pending
Application number: CN202211740259.0A
Other languages: Chinese (zh)
Inventors: 潘守华, 郝宏基
Current assignee: Dongfeng Commercial Vehicle Co Ltd
Original assignee: Dongfeng Commercial Vehicle Co Ltd
Application filed by Dongfeng Commercial Vehicle Co Ltd
Priority to CN202211740259.0A
Publication of CN116248360A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D 30/00 Reducing energy consumption in communication networks > Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a lane line matching optimization method and a lane line matching optimization device, which relate to the technical field of intelligent networking information security, and the method comprises the following steps: creating an STG cluster between a firewall and a TSP cluster of a server; the firewall forwards the ciphertext data sent by the terminal to the STG cluster; the STG cluster decrypts the ciphertext data, obtains plaintext data and forwards the plaintext data to a corresponding TSP server in the TSP cluster. According to the method and the device, the STG cluster is configured between the firewall and the TSP cluster at the server side, and the ciphertext data and the plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.

Description

T-Box transmission method and device based on STG server
Technical Field
The application relates to the technical field of intelligent networking information security, in particular to a T-Box transmission method and device based on an STG server.
Background
At present, in the field of intelligent networking information security, no sufficiently secure information transmission scheme exists yet; in particular, in a public network transmission architecture, attacks such as identity forgery, data tampering and eavesdropping easily lead to information security problems such as information leakage and data errors.
Therefore, based on the security requirement of information transmission, a T-Box transmission technology based on an STG server is now provided to meet the communication requirement.
Disclosure of Invention
The application provides a T-Box transmission method and device based on an STG server, wherein an STG cluster is configured between a firewall and a TSP cluster at a server side, and ciphertext data and plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.
To achieve the above object, the present application provides the following aspects.
In a first aspect, the present application provides a T-Box transmission method based on an STG server, the method including the steps of:
creating an STG cluster between a firewall and a TSP cluster of a server;
the firewall forwards ciphertext data sent by the terminal to the STG cluster;
and the STG cluster decrypts the ciphertext data, obtains plaintext data and forwards the plaintext data to a corresponding TSP server in the TSP cluster.
Further, the firewall forwards ciphertext data sent by the terminal to the STG cluster, including the following steps:
and the firewall receives the ciphertext data sent by the terminal, and forwards the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing.
Further, the obtaining plaintext data and forwarding the plaintext data to a corresponding TSP server in a TSP cluster includes the following steps:
after the STG cluster obtains the plaintext data, the plaintext data is forwarded to the corresponding TSP server through load balancing processing.
Further, the method comprises the following steps:
the server and the terminal perform bidirectional identity verification;
and allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity authentication is passed.
Further, the method comprises the following steps:
an encrypted data channel is configured between the server and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
In a second aspect, the present application provides a T-Box transmission apparatus based on an STG server, the apparatus including:
an STG creation module for creating an STG cluster between the firewall and the TSP cluster at the server side;
the ciphertext forwarding module is used for forwarding ciphertext data sent by the terminal to the STG cluster based on the firewall;
and the decryption transmission module is used for decrypting the ciphertext data based on the STG cluster, obtaining plaintext data and forwarding the plaintext data to a corresponding TSP server in the TSP cluster.
Further, the ciphertext forwarding module is further configured to forward the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing based on the ciphertext data sent by the terminal and received by the firewall.
Further, the decryption transmission module is further configured to forward the plaintext data to the corresponding TSP server after load balancing processing after the STG cluster obtains the plaintext data.
Further, the device further comprises:
the identity verification module is used for carrying out bidirectional identity verification on the server side and the terminal;
and the identity verification module is used for allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity verification is passed.
Further, the device further comprises:
the channel adding module is used for configuring an encrypted data channel between the server and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
The beneficial effects brought by the technical scheme provided by this application include:
according to the method and the device, the STG cluster is configured between the firewall and the TSP cluster at the server side, and the ciphertext data and the plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a step flowchart of a T-Box transmission method based on an STG server provided in an embodiment of the present application;
fig. 2 is a system structural block diagram of a T-Box transmission method based on an STG server provided in an embodiment of the present application;
fig. 3 is a network deployment schematic diagram of a T-Box transmission method based on an STG server provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of the overall structure of an STG-Server system in the STG Server-based T-Box transmission method according to the embodiment of the present application;
fig. 5 is a block diagram of a T-Box transmission device based on an STG server according to an embodiment of the present application.
Detailed Description
Term interpretation:
STG: Secure Transmission Gateway (secure transport gateway);
TSP: Telematics Service Provider (automotive remote service provider);
VIP: Virtual IP Address;
DIP: Data Integration Point (data fusion point);
LVS: Linux Virtual Server;
TLS: Transport Layer Security (secure transport layer protocol);
RA: Routing Area;
CA: Certification Authority (digital certificate authentication center);
MAC: Media Access Control Address, i.e. MAC address, physical address or hardware address.
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
Embodiments of the present application are described in further detail below with reference to the accompanying drawings.
The embodiment of the application provides a T-Box transmission method and device based on an STG server, wherein an STG cluster is configured between a firewall and a TSP cluster at a server side, and ciphertext data and plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.
In order to achieve the technical effects, the general idea of the application is as follows:
A T-Box transmission method based on an STG server includes the following steps:
S1. Creating an STG cluster between the firewall and the TSP cluster of the server side;
S2. The firewall forwards the ciphertext data sent by the terminal to the STG cluster;
S3. The STG cluster decrypts the ciphertext data, obtains plaintext data and forwards the plaintext data to the corresponding TSP server in the TSP cluster.
Embodiments of the present application are described in further detail below with reference to the accompanying drawings.
In a first aspect, an embodiment of the present application provides a T-Box transmission method based on an STG server, including the steps of:
S1. Creating an STG cluster between the firewall and the TSP cluster of the server side;
S2. The firewall forwards the ciphertext data sent by the terminal to the STG cluster;
S3. The STG cluster decrypts the ciphertext data, obtains plaintext data and forwards the plaintext data to the corresponding TSP server in the TSP cluster.
In the embodiment of the application, attacks such as identity forging, data tampering, eavesdropping and the like exist in a public network transmission architecture, and a secure transmission scheme is introduced according to the service requirements.
The technical scheme of the embodiment of the application is a client/server (C/S) architecture, divided into a secure transmission gateway STG and a terminal STG-Client, where the STG-Client is deployed on the original vehicle-mounted terminal and is responsible for encrypting and forwarding the transmitted data;
on the basis of the original server, a Secure Transmission Gateway (STG) is additionally deployed and is responsible for receiving the encrypted data, decrypting it and forwarding the decrypted data to the original background server;
in terms of security: the TLSv1.2 secure transport protocol, with outstanding security performance, is used, and mutual authentication is adopted between the STG-Client and the STG.
in summary, according to the technical scheme of the embodiment of the application, an STG cluster is configured between the firewall and the TSP cluster at the server side, and ciphertext data and plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.
Fig. 2 of the drawings of the specification is a system structure block diagram of the T-Box transmission method based on an STG server; based on this block diagram, the technical scheme of the application at least comprises the following technical key points:
1) At the server side, the STG needs to be deployed after the firewall load balancing and before the background TSP cluster.
2) The ciphertext reported by the terminal is first transmitted to the STG through the firewall load balancing; wherein
the specific principle of load balancing is as follows: server load balancing technology combines a plurality of servers into a server cluster that presents itself externally as one logical server, ensures that traffic is distributed relatively evenly across the servers, and avoids the situation where one server runs at full load while another is idle.
3) Each STG is also provided with a load balancing configuration: after the ciphertext data sent by the firewall is decrypted into plaintext, the STG establishes a connection with the background TSP and forwards the data to the original background TSP server for business data processing;
in the encryption and decryption process, the encryption and decryption key used during communication is negotiated while the connection is established and is used for data encryption and integrity verification, so that transmission security is ensured.
4) Input: ciphertext reported by the vehicle-mounted terminal.
5) Output: plaintext reported by the vehicle-mounted terminal;
the secure transport gateway STG carries encrypted data streams from the terminal, which requires the STG to provide secure transport services and other services to the terminal.
In addition, in the technical solution of the embodiment of the present application, a secure transmission service is further included, where the secure transmission service includes:
1) Identity authentication: the identity authentication is bidirectional authentication, and the forged terminal identity cannot pass through the system authentication.
2) Establishing a secure transmission channel: the safe transmission channel is initiated by the vehicle-mounted terminal, the STG responds and establishes a safe connection, and confidentiality, integrity and non-repudiation support of data are provided for service data in the connection.
3) Digital certificate management: digital certificate issuance and periodic update mechanisms are provided.
4) The digital certificate and the secret key are stored securely.
5) A secure random number service is provided, the random number being unpredictable.
6) The transport protocol supports TLS1.2.
In addition, in the technical solution of the embodiment of the present application, other services are also included, such as: the STG provides load balancing services to the backend servers.
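The mutual authentication and TLS 1.2 requirements in the service list above, expressed as a TLS policy with Python's standard ssl module. This is an added example and not code from the patent or from the STG-Server system it describes; the certificate, key and CA file paths are caller-supplied assumptions and are left unset here so the policy can be inspected without certificate files on disk. The `legacy_server_context` function is a constructed contrast showing what a one-way TLS listener looks like next to the mutually authenticated one.

```python
"""Added example (not from the patent): TLS policy for an STG transport
endpoint and its STG-Client, built with the standard ssl module.
Certificate, key and CA paths are assumptions supplied by the caller."""
import ssl
from typing import List, Optional


def make_stg_server_context(cert_chain: Optional[str] = None,
                            key: Optional[str] = None,
                            client_ca: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for the STG: TLS 1.2 as the floor and a client
    certificate required, so a terminal that cannot present a CA-issued
    certificate fails the handshake before any application data is read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED           # mutual authentication
    if client_ca:                                  # CA that issued terminal certs
        ctx.load_verify_locations(cafile=client_ca)
    if cert_chain:                                 # the STG's own identity
        ctx.load_cert_chain(certfile=cert_chain, keyfile=key)
    return ctx


def make_stg_client_context(server_ca: Optional[str] = None,
                            cert_chain: Optional[str] = None,
                            key: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context for the STG-Client on the vehicle terminal: it
    verifies the STG's certificate and hostname and presents its own
    certificate so the STG can authenticate the terminal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    if cert_chain:
        ctx.load_cert_chain(certfile=cert_chain, keyfile=key)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Constructed contrast: a one-way TLS listener. verify_mode stays at
    CERT_NONE, so any terminal, forged identity or not, can connect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer checks on a deployed gateway."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


def policy_violations(ctx: ssl.SSLContext, role: str) -> List[str]:
    """List the ways a context falls short of the stated policy (TLS 1.2
    floor, mutual authentication). role is 'server' or 'client'."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required (no mutual authentication)")
    if role == "client" and not ctx.check_hostname:
        problems.append("server hostname not checked")
    return problems


if __name__ == "__main__":
    for name, ctx, role in (("stg", make_stg_server_context(), "server"),
                            ("stg-client", make_stg_client_context(), "client"),
                            ("legacy", legacy_server_context(), "server")):
        print(name, policy_report(ctx), policy_violations(ctx, role))
```

The server-side context only enforces `CERT_REQUIRED` once a CA bundle is loaded with `load_verify_locations`, so in a real deployment the `client_ca` argument is not optional; the check in `policy_violations` is what a configuration review would automate.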
Further, the firewall forwards ciphertext data sent by the terminal to the STG cluster, including the following steps:
and the firewall receives the ciphertext data sent by the terminal, and forwards the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing.
Further, the obtaining plaintext data and forwarding the plaintext data to a corresponding TSP server in a TSP cluster includes the following steps:
after the STG cluster obtains the plaintext data, the plaintext data is forwarded to the corresponding TSP server through load balancing processing.
Further, the method comprises the following steps:
the server and the terminal perform bidirectional identity verification;
and allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity authentication is passed.
Further, the method comprises the following steps:
an encrypted data channel is configured between the server and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
As shown in fig. 3 of the drawings, which is a network deployment schematic diagram corresponding to the technical solution of the embodiments of the present application, the left half of the schematic diagram is an original network topology of a TSP, the right half of the schematic diagram is a newly added encrypted data link, and the specific network deployment includes the following technical details:
1) The original network topology is kept unchanged, an encrypted data channel is newly added, non-encrypted data is reported according to the original link, the encrypted data uses a new encrypted link, and the encrypted data is sent to the original TSP gateway after being decrypted by the STG.
2) The STG server front end requires a load balancing policy. In the absence of F5 hardware load balancing equipment, an LVS load balancing server of the kind currently used by the TSP needs to be built; the LVS adopts DR mode, and the load scheduling strategy is Least Connections;
Least Connections algorithm: client traffic is distributed to the server with the smallest number of concurrent connections, i.e. the lowest load, which solves the problem that a round-robin algorithm does not consider the actual load on each server. It is suitable when the servers have similar performance and each flow imposes roughly equal load on the server but the session lifetimes of the flows differ, as with an HTTP server.
In the LVS + keepalive environment, LVS mainly provides the scheduling algorithm, dispatching client requests to the real servers as required; keepalive mainly provides redundancy for the LVS controller and performs health checks on the real servers to determine whether they can still provide service, finds unhealthy real servers and removes them from the LVS cluster; the real servers themselves are only responsible for providing the service.
Specifically, liveness signals are usually sent at a fixed time interval; if one end receives no reply after sending the signal, the data link can be judged to be offline and subsequent data packets are rerouted to other links until the old link comes back online. The liveness signal can also indicate that a connection state is still reserved: without it, a router performing network address translation will tear down the connection after a timeout.
3) The STG acts as a reverse proxy and, according to the requirements of the TSP team, uses ip_hash mode for gateway load balancing;
in ip_hash mode the intent is to guarantee that a user is always directed to a fixed upstream server, provided of course that the user's IP has not changed.
4) The STG uses its RIP (real IP) to establish a socket connection with the gateway's RIP. The gateway is required to listen for connections on the designated RIP ports and send feedback data to the STG.
5) In the encrypted link, a server located behind the STG server cannot obtain the real IP of the vehicle; only the RIP of the STG is visible to it.
In addition, considering single-point fault prevention and dual-machine hot standby, at least two STGs need to be deployed in the STG cluster, and after one STG fails, the connection re-established by the terminal is ensured to be connected to the STG equipment which normally works.
According to the actual condition of the project, the STG can be deployed in a cloud environment and also can be deployed in a physical machine of a data center. When deployed in a data center, the independent server or the virtual machine can be used, and the STG is only required to be positioned at the front end of the background server in the network topology.
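The two scheduling layers described in points 2) and 3) above, as an added example in Python (not code from the patent, from LVS, from keepalived or from Nginx): an LVS-style Least Connections scheduler whose health checks eject a silent real server and readmit it when it answers again, and an ip_hash-style selector that pins a client IP to one upstream. Server names, addresses and the miss threshold are constructed for illustration, and the hash is CRC32 rather than the function Nginx's own ip_hash uses.

```python
"""Added example (not from the patent): Least Connections scheduling with
keepalive-driven health checks in front of the STGs, plus ip_hash upstream
selection inside the STG reverse proxy. Names and addresses are constructed."""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    name: str
    rip: str                      # real IP of the server
    active: int = 0               # current concurrent connections
    healthy: bool = True
    missed_checks: int = 0


class LeastConnScheduler:
    """Director side: pick the healthy real server with the fewest
    concurrent connections; unhealthy servers leave the rotation until
    they answer a liveness probe again."""

    def __init__(self, servers: List[RealServer], max_missed: int = 3):
        self.servers = servers
        self.max_missed = max_missed

    def pick(self) -> Optional[RealServer]:
        candidates = [s for s in self.servers if s.healthy]
        if not candidates:
            return None                       # nothing can take traffic
        chosen = min(candidates, key=lambda s: s.active)
        chosen.active += 1
        return chosen

    def release(self, server: RealServer) -> None:
        server.active = max(0, server.active - 1)

    def health_check(self, replies: Dict[str, bool]) -> None:
        """replies maps server name -> whether it answered the probe.
        Consecutive silence reaching max_missed ejects the server; a single
        reply reinstates it."""
        for s in self.servers:
            if replies.get(s.name, False):
                s.missed_checks = 0
                s.healthy = True
            else:
                s.missed_checks += 1
                if s.missed_checks >= self.max_missed:
                    s.healthy = False
                    s.active = 0              # its connections died with it


def ip_hash_upstream(client_ip: str, upstreams: List[str]) -> str:
    """Proxy side: map a client IP to a fixed upstream so the same vehicle
    keeps reaching the same gateway as long as its IP does not change."""
    if not upstreams:
        raise ValueError("no upstreams configured")
    return upstreams[zlib.crc32(client_ip.encode()) % len(upstreams)]


def demo() -> dict:
    """Walk through a failure: stg-2 stops answering probes, new connections
    move to stg-1, and stg-2 takes traffic again once it is back."""
    stg = [RealServer("stg-1", "10.0.0.11"), RealServer("stg-2", "10.0.0.12")]
    lb = LeastConnScheduler(stg, max_missed=2)
    first = [lb.pick().name for _ in range(4)]          # alternates evenly
    lb.health_check({"stg-1": True, "stg-2": False})
    lb.health_check({"stg-1": True, "stg-2": False})    # second miss ejects
    during = [lb.pick().name for _ in range(2)]
    lb.health_check({"stg-1": True, "stg-2": True})     # back online
    after = lb.pick().name                              # least loaded again
    return {"first": first, "during": during, "after": after,
            "stg2_healthy": stg[1].healthy}


if __name__ == "__main__":
    print(demo())
    print(ip_hash_upstream("192.0.2.10", ["gw-a", "gw-b", "gw-c"]))
```

Zeroing `active` on ejection matters: without it a server that returns after a failure would carry phantom connection counts and be starved by Least Connections until the others caught up.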
It should be noted that the STG-Server system is divided into two parts: a transport module (Transport Module) and a certificate service module (Cert Service Module).
FIG. 4 of the drawings is a schematic diagram of the overall structure of an STG cluster, i.e. an STG-Server system; wherein
Transport module: the Nginx-TLS engine module and the data forwarding module (Stream) serve as its core modules and, in cooperation with other modules (including the configuration management module, the OS system resource module, etc.), provide a TLS transmission proxy service (TLS proxy service) externally;
the TLS transmission proxy service is the service the STG-Server system provides externally: it handles the TLS connection requests of the STG-Client and the encryption, decryption and forwarding of data, realising the function of the secure transmission server.
Certificate service module: takes the Nginx module as its core and implements a digital certificate issuance and update mechanism relying on the TLS security protocol and security algorithms. It comprises an RA module (responsible for user identity information management and TLS key management) and a CA module (responsible for certificate issuance and update), and externally provides a certificate service (Cert service);
the certificate service belongs to the service provided by the STG-Server system, and is used for receiving and processing the certificate request of the STG-Client, issuing the certificate and sending the certificate back to the STG-Client.
The STG-Server system relies on a TLS protocol module that contains a security protocol library, a security algorithm library.
The STG-Server system also needs to rely on databases, in this embodiment MariaDB database management system, to handle certificate issuing and updating services.
As shown in fig. 4 of the drawings, DR mode is illustrated schematically.
The destination MAC address of the request message is set to the MAC address of the selected RS; after the RS receives the packet, it replaces the source MAC with its own MAC, and the destination MAC address is that of the client.
(1) When a user request arrives at the Director Server, the request packet first reaches the PREROUTING chain of the kernel space;
the source IP of the packet is the CIP, the destination IP is the VIP, and the MAC addresses are those of the respective hosts at that hop.
(2) PREROUTING finds that the destination IP of the packet is local and sends the packet to the INPUT chain.
(3) IPVS checks whether the service requested by the packet is a cluster service; if so, the source MAC address in the request message is changed to the MAC address of the DIP and the destination MAC address is changed to the MAC address of the RIP, and the packet is then sent to the POSTROUTING chain. At this point neither the source IP nor the destination IP is modified; only the MAC addresses change, the source MAC to the DIP's MAC and the destination MAC to the RIP's MAC.
(4) Since the DS and RS are in the same network, the packet is transmitted at layer 2. The POSTROUTING chain checks that the destination MAC address is the MAC address of the RIP, and the packet is then sent to the Real Server.
(5) The RS finds that the destination MAC address of the request message is its own MAC address and accepts the message. After processing is complete, the response message is passed through the lo interface to the eth0 network card and sent out. At this point the source IP address is the VIP, the destination IP is the CIP, the source MAC address is changed to its own MAC, and the destination MAC is changed to the client MAC.
(6) Finally, the response message is delivered to the client.
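The DR-mode hop in steps (1) to (6), as an added Python model that is not code from the patent or from LVS. All IPs and MACs are constructed; the director is simplified to a single NIC whose MAC is the DIP's MAC, and the real server's ARP knowledge is a constructed table. The value of the model is the two invariants a reviewer checks on a DR deployment: the director rewrites layer-2 addresses only, and the reply goes from the VIP straight to the client without passing back through the director.

```python
"""Added example (not from the patent): a model of the LVS DR-mode hop
described in steps (1)-(6). Addresses are constructed; the director is
modelled with one NIC whose MAC is the DIP's MAC."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set

# Constructed addresses for the walk-through.
CIP, VIP = "203.0.113.5", "198.51.100.10"
CLIENT_MAC = "02:00:00:00:00:01"
DIP_MAC = "02:00:00:00:00:02"
RS_MAC = "02:00:00:00:00:03"
CLUSTER_PORT = 8443            # the STG's TLS listener, registered with IPVS


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str


@dataclass
class Director:
    """Director Server: PREROUTING -> INPUT -> IPVS -> POSTROUTING."""
    vip: str
    dip_mac: str
    rs_mac: str                   # real server chosen by the scheduler
    cluster_services: Set[int]    # ports IPVS treats as cluster services

    def handle(self, frame: Frame) -> Optional[Frame]:
        if frame.dst_mac != self.dip_mac or frame.dst_ip != self.vip:
            return None           # (1)/(2): not addressed to this host's VIP
        if frame.dst_port not in self.cluster_services:
            return None           # (3): not a cluster service; local delivery, not modelled
        # (3)/(4): IPs pass through untouched, only the L2 addresses change
        return replace(frame, src_mac=self.dip_mac, dst_mac=self.rs_mac)


@dataclass
class RealServer:
    """Real Server with the VIP bound on lo; it replies straight to the client."""
    vip: str
    mac: str
    arp: Dict[str, str]           # IP -> MAC, as the RS would learn via ARP

    def handle(self, frame: Frame) -> Optional[Frame]:
        if frame.dst_mac != self.mac or frame.dst_ip != self.vip:
            return None           # (5): not for this RS
        return Frame(src_mac=self.mac, dst_mac=self.arp[frame.src_ip],
                     src_ip=self.vip, dst_ip=frame.src_ip,
                     dst_port=0, payload="response:" + frame.payload)


def run_exchange(port: int = CLUSTER_PORT) -> dict:
    """Push one request through director and real server and report the
    invariants a reviewer checks when validating a DR deployment."""
    director = Director(VIP, DIP_MAC, RS_MAC, {CLUSTER_PORT})
    rs = RealServer(VIP, RS_MAC, {CIP: CLIENT_MAC})
    request = Frame(CLIENT_MAC, DIP_MAC, CIP, VIP, port, "ciphertext")
    forwarded = director.handle(request)
    if forwarded is None:
        return {"forwarded": False}
    response = rs.handle(forwarded)
    return {
        "forwarded": True,
        "ips_unchanged": (forwarded.src_ip, forwarded.dst_ip) == (CIP, VIP),
        "forwarded_macs": (forwarded.src_mac, forwarded.dst_mac),
        "response_addresses": (response.src_ip, response.dst_ip,
                               response.src_mac, response.dst_mac),
        "response_bypasses_director": response.dst_mac != DIP_MAC,
    }


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(port=22))  # not a cluster service: not forwarded
```

Because the response never crosses the director, the STG behind this hop must itself be able to answer from the VIP, which is why the VIP is bound on the real server's loopback in DR mode.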
It should be noted that, the specific case of the network topology in the technical solution of the present application is as follows:
according to the actual condition of the project, the STG and the background TSP are deployed in the same network environment, can be deployed in a cloud environment and can be deployed in a physical machine of a data center;
when deployed in a data center, either an independent server or a virtual machine may be used; it is only necessary to ensure that the STG is located behind the firewall and in front of the background TSP server in the network topology.
It should be noted that, the working environment and the corresponding situation of the STG number in the technical scheme of the present application are as follows:
4 STGs in total, corresponding to the TSP environments and divided between the production environment and the test environment;
considering single-point fault prevention and dual-machine hot standby, at least 2 STGs are required in the production environment, and 2 STGs are applied for the test environment;
if the TSP has other environment requirements, it is necessary to propose and confirm whether to add an additional STG environment.
In addition, the specific conditions of the technical scheme of the application on the original environment are as follows:
in the case of simultaneous presence of plaintext and ciphertext vehicles:
first, the firewall end:
(1) A new open port is needed for the terminal to report ciphertext data;
(2) A load balancing strategy is applied to distribute the data connections on the ciphertext port to the two STGs.
Second, the TSP end:
all IP and ports are provided to receive plain text service data from the STG.
In summary, the technical solutions of the embodiments of the present application have the following technical advantages:
the original network topology is kept unchanged, an encrypted data channel is newly added, non-encrypted data is reported over the original link, and the encrypted data uses the new encrypted link, so that plaintext and ciphertext vehicles can coexist;
the original link and the new link are transmitted separately, so that the fault detection is facilitated.
In a second aspect, based on the same inventive concept as the method embodiment, the present application provides a T-Box transmission device based on an STG server, including:
an STG creation module for creating an STG cluster between the firewall and the TSP cluster at the server side;
the ciphertext forwarding module is used for forwarding ciphertext data sent by the terminal to the STG cluster based on the firewall;
and the decryption transmission module is used for decrypting the ciphertext data based on the STG cluster, obtaining plaintext data and forwarding the plaintext data to a corresponding TSP server in the TSP cluster.
In the embodiment of the application, attacks such as identity forging, data tampering, eavesdropping and the like exist in a public network transmission architecture, and a secure transmission scheme is introduced according to the service requirements.
The technical scheme of the embodiment of the application is a client/server (C/S) architecture, divided into a secure transmission gateway STG and a terminal STG-Client, where the STG-Client is deployed on the original vehicle-mounted terminal and is responsible for encrypting and forwarding the transmitted data;
on the basis of the original server, a Secure Transmission Gateway (STG) is additionally deployed and is responsible for receiving the encrypted data, decrypting it and forwarding the decrypted data to the original background server;
in terms of security: the TLSv1.2 secure transport protocol, with outstanding security performance, is used, and mutual authentication is adopted between the STG-Client and the STG.
in summary, according to the technical scheme of the embodiment of the application, an STG cluster is configured between the firewall and the TSP cluster at the server side, and ciphertext data and plaintext data are correspondingly forwarded, so that the safety and stability of data transmission are improved.
The technical scheme of the application at least comprises the following technical key points:
1) At the server, STG needs to be deployed after firewall load balancing and before background TSP clusters.
2) The ciphertext reported by the terminal is first forwarded to the STG through the firewall's load balancing; where
the principle of load balancing is as follows: server load balancing forms a number of servers into a server cluster that presents a single logical server externally, ensures that traffic is distributed relatively evenly across the servers, and avoids the situation in which one server runs at full load while another is idle.
3) Each STG also carries its own load-balancing configuration: after the ciphertext data sent on by the firewall has been decrypted into plaintext, the STG establishes a connection with the background TSP and forwards the data to the original background TSP server for business data processing;
in the encryption and decryption process, the keys used for the communication are negotiated while the connection is being established and are used for data encryption and integrity verification, so that transmission security is ensured.
4) Input: ciphertext reported by the vehicle-mounted terminal.
5) And (3) outputting: a plaintext reported by the vehicle-mounted terminal;
The secure transmission gateway STG carries the encrypted data streams from the terminals, which requires the STG to provide secure transmission services and other services to the terminals.
In addition, in the technical solution of the embodiment of the present application, a secure transmission service is further included, where the secure transmission service includes:
1) Identity authentication: the identity authentication is bidirectional, and a forged terminal identity cannot pass the system's authentication.
2) Establishing a secure transmission channel: the secure transmission channel is initiated by the vehicle-mounted terminal, the STG responds and establishes a secure connection, and confidentiality, integrity and non-repudiation support are provided for the service data carried in the connection.
3) Digital certificate management: digital certificate issuance and periodic update mechanisms are provided.
4) The digital certificate and the secret key are stored securely.
5) A secure random number service is provided, the random number being unpredictable.
6) The transport protocol supports TLS1.2.
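The mutual authentication and TLS 1.2 requirements listed above can be enforced on the STG side with a TLS context that refuses anything older than TLS 1.2, trusts only the STG's own certificate-issuing CA, and rejects any terminal that presents no certificate. The following is an added example in Python, not code from the patent or from the applicant; the file paths, the cipher list, the terminal name TBOX-0001, the CRL option and the sample peer-certificate dictionary are assumptions made for the example. Binding the certificate to an enrolled terminal after the handshake is an addition a practitioner would normally make; the patent only states that a forged identity cannot pass authentication.

```python
import ssl
from typing import Optional

# Forward-secret AEAD suites only; this cipher list is an assumption of the
# example, the patent only specifies TLSv1.2.
STG_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)


def harden_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Settings shared by STG and STG-Client: TLS 1.2 or newer, no TLS
    compression, restricted ciphers, and a peer certificate is mandatory
    (this is what makes the authentication bidirectional)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers(STG_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_stg_server_context(ca_path=None, cert_path=None, key_path=None,
                             crl_path=None):
    """Context for the STG listener. Only the STG's private CA (the Cert
    Service in the patent) is loaded as a trust anchor, so certificates
    from public CAs never authenticate a terminal. Paths are placeholders;
    when None the context is returned without key material loaded."""
    ctx = harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)
    if crl_path:
        # Revocation checking is an addition of this example; the patent
        # describes issuance and periodic update but not revocation.
        ctx.load_verify_locations(cafile=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def build_stg_client_context(ca_path=None, cert_path=None, key_path=None):
    """Context for the STG-Client on the T-Box: verifies the STG's
    certificate and hostname against the same private CA and presents
    the terminal's own certificate."""
    ctx = harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def terminal_id_from_peercert(peercert: dict) -> Optional[str]:
    """Read the terminal identity (the subject commonName) from the dict
    that SSLSocket.getpeercert() returns after a verified handshake."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authorize_terminal(peercert: dict, enrolled: set) -> Optional[str]:
    """Bind the certificate to an enrolled terminal: a valid certificate
    from the right CA is still rejected if its identity is unknown."""
    tid = terminal_id_from_peercert(peercert)
    return tid if tid in enrolled else None


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example T-Box fleet"),),
                (("commonName", "TBOX-0001"),)),
    "issuer": ((("commonName", "STG Private CA"),),),
    "version": 3,
    "serialNumber": "0A",
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    srv = build_stg_server_context()
    print(srv.minimum_version.name, srv.verify_mode.name)
    print(authorize_terminal(SAMPLE_PEERCERT, {"TBOX-0001"}))
```

In the Nginx stream module on which the patent's Transport Module is built, the corresponding settings are `ssl_protocols TLSv1.2;`, `ssl_client_certificate` pointing at the private CA bundle, and `ssl_verify_client on;`; the identity binding step has no Nginx equivalent and has to live in the forwarding logic or the backend.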
In addition, in the technical solution of the embodiment of the present application, other services are also included, such as: the STG provides load balancing services to the backend servers.
Further, the ciphertext forwarding module is further configured to forward the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing based on the ciphertext data sent by the terminal and received by the firewall.
Further, the decryption transmission module is further configured to forward the plaintext data to the corresponding TSP server after load balancing processing after the STG cluster obtains the plaintext data.
Further, the T-Box transmission device based on the STG server further includes:
the identity verification module is used for carrying out bidirectional identity verification on the server side and the terminal;
and the identity verification module is used for allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity verification is passed.
Further, the T-Box transmission device based on the STG server further includes:
the channel adding module is used for configuring an encrypted data channel between the server side and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
As shown in fig. 3 of the drawings, which is a network deployment schematic diagram corresponding to the technical solution of the embodiments of the present application, the left half of the schematic diagram is an original network topology of a TSP, the right half of the schematic diagram is a newly added encrypted data link, and the specific network deployment includes the following technical details:
1) The original network topology is kept unchanged and an encrypted data channel is added: unencrypted data is reported over the original link, encrypted data uses the new encrypted link, and the encrypted data is sent to the original TSP gateway after being decrypted by the STG.
2) The front end of the STG servers requires a load-balancing policy. Where no F5 hardware load balancer is available, an LVS load-balancing server of the kind currently used by the TSP needs to be built; the LVS uses DR mode, and the scheduling policy is Least Connections;
Least Connections algorithm: client traffic is distributed to the server with the fewest concurrent connections, i.e. the lightest load, which avoids the round-robin algorithm's problem of ignoring the actual load on each server. It is suitable when the servers have similar performance and each flow imposes roughly the same load on a server but the session lifetimes of the flows differ, as with an HTTP server.
In an LVS + Keepalived environment, LVS mainly provides the scheduling algorithm and dispatches client requests onto the real servers as required; Keepalived mainly provides redundancy for the LVS director and performs health checks on the real servers to determine whether they can still provide service, removing any unhealthy real server from the LVS cluster; the real servers are responsible only for providing the service.
Specifically, keepalive signals are usually sent at a fixed interval; if one end receives no reply after sending a signal, the data link is judged to be offline and subsequent packets are rerouted to other links until the old link comes back online. The keepalive signal can also indicate that a connection is to be kept open; without it, a router performing network address translation will tear the connection down after a timeout.
3) The STG acts as a reverse proxy and, at the request of the TSP team, uses ip_hash mode for load balancing towards the gateway;
in ip_hash mode the intention is to guarantee that a given user is always sent to the same fixed upstream server, provided of course that the user's IP does not change.
4) The STG uses its RIP (real IP) to establish a socket connection to the gateway's RIP. The gateway is required to listen for connections on the designated port of its RIP and to send feedback data back to the STG.
5) In the encrypted link, a server located behind the STG server cannot obtain the real IP of the vehicle; only the STG RIP is visible to it.
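The two scheduling stages in items 2) and 3) can be shown side by side in a small model: an LVS director running Least Connections in front of the STGs, with the Keepalived health check pulling a failed STG out of the pool so that re-established terminal connections land on a healthy one, and the STG's ip_hash choice of a TSP gateway, which stays stable while the vehicle's IP stays the same. This is an added example in Python, not code from the patent or from the applicant: the server names, the SHA-256 based hash and the tie-breaking order are assumptions of the example, and real IPVS and Nginx ip_hash use their own hash functions. Because LVS-DR does not rewrite IP addresses, the STG still sees the vehicle's source IP and can hash on it, whereas the TSP behind the STG sees only the STG RIP, as item 5) states.

```python
import hashlib


class LeastConnDirector:
    """Model of an LVS director using the Least Connections scheduler,
    with Keepalived-style health checks that remove a real server (an
    STG) from the pool and put it back once it recovers."""

    def __init__(self, real_servers):
        self.healthy = set(real_servers)
        self.active = {rs: 0 for rs in real_servers}
        self.flows = {}            # flow id -> real server carrying it

    def health_check(self, results):
        """results maps real server -> True (up) / False (down)."""
        for rs, up in results.items():
            if up:
                self.healthy.add(rs)
                continue
            self.healthy.discard(rs)
            # Flows pinned to a dead STG are gone; the terminal will
            # reconnect and be scheduled onto a healthy one.
            for fid, owner in list(self.flows.items()):
                if owner == rs:
                    del self.flows[fid]
            self.active[rs] = 0

    def open_flow(self, flow_id):
        """Least Connections: the healthy server with the fewest active
        flows wins; ties go to the lowest name for determinism."""
        if not self.healthy:
            raise RuntimeError("no healthy real server behind the VIP")
        rs = min(sorted(self.healthy), key=lambda r: self.active[r])
        self.active[rs] += 1
        self.flows[flow_id] = rs
        return rs

    def close_flow(self, flow_id):
        rs = self.flows.pop(flow_id)
        self.active[rs] -= 1


def ip_hash_upstream(client_ip, upstreams):
    """Model of the STG's ip_hash reverse-proxy choice: the same client
    IP maps to the same TSP gateway as long as the upstream list is
    unchanged. SHA-256 is used here; Nginx's ip_hash uses its own hash."""
    if not upstreams:
        raise ValueError("no TSP upstream configured")
    digest = hashlib.sha256(client_ip.encode()).digest()
    return upstreams[int.from_bytes(digest[:4], "big") % len(upstreams)]


def dispatch(director, flow_id, vehicle_ip, tsp_gateways):
    """One ciphertext connection end to end: the firewall/LVS stage picks
    the STG, then the STG (which still sees vehicle_ip, because DR keeps
    the source IP) picks the TSP gateway."""
    stg = director.open_flow(flow_id)
    tsp = ip_hash_upstream(vehicle_ip, tsp_gateways)
    return stg, tsp


if __name__ == "__main__":
    d = LeastConnDirector(["stg1", "stg2"])     # constructed pool
    for vin in ("v1", "v2", "v3"):
        print(vin, dispatch(d, vin, "10.20.30.40", ["tsp1", "tsp2"]))
    d.health_check({"stg1": False})
    print("after stg1 failure:", d.open_flow("v1"))
```

The only thing the model deliberately leaves out is the in-kernel connection table that IPVS keeps for existing flows; new flows are what the scheduler decides about, and a failed STG loses its flows regardless, which is why the patent's hot-standby requirement is stated in terms of connections being re-established by the terminal.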
In addition, considering single-point-of-failure prevention and dual-machine hot standby, at least two STGs need to be deployed in the STG cluster, so that after one STG fails, connections re-established by the terminals are guaranteed to reach an STG that is working normally.
Depending on the actual conditions of the project, the STG can be deployed in a cloud environment or on a physical machine in a data center. When deployed in a data center, either a standalone server or a virtual machine can be used; the only requirement is that the STG sits in front of the background servers in the network topology.
It should be noted that the STG-Server system is divided into two parts: a Transport Module and a Cert Service Module.
FIG. 4 of the drawings is a schematic diagram of the overall structure of an STG cluster, i.e. the STG-Server system; wherein
Transport Module: an Nginx TLS engine module and a data forwarding module (Stream) serve as the core modules, and together with other modules (including a configuration management module, an OS system resource module and so on) provide a TLS transmission proxy service (TLS proxy service) externally;
the TLS transmission proxy service is the service the STG-Server system provides externally: it handles the TLS connection requests of the STG-Client and the encryption, decryption and forwarding of data, and implements the function of the secure transmission server.
Cert Service Module: with an Nginx module as its core, it implements a digital certificate issuance and update mechanism on top of the TLS security protocol and security algorithms. It comprises an RA module (responsible for user identity information management and TLS key management) and a CA module (responsible for certificate issuance and update), and provides a certificate service (Cert service) externally;
the certificate service belongs to the service provided by the STG-Server system, and is used for receiving and processing the certificate request of the STG-Client, issuing the certificate and sending the certificate back to the STG-Client.
The STG-Server system relies on the TLS protocol module. The TLS module contains a security protocol library and a security algorithm library.
The STG-Server system also needs to rely on databases, in this embodiment MariaDB database management system, to handle certificate issuing and updating services.
As shown in fig. 4 of the drawings, a DR mode is schematically illustrated.
The destination MAC address of the request is set to the MAC address of the selected RS; after the RS receives the packet it replaces the source MAC with its own MAC, and the destination MAC address becomes the client's address.
(1) When a user request reaches the Director Server, the request packet first reaches the PREROUTING chain in kernel space;
the source IP of the packet is the CIP, the destination IP is the VIP, and the source and destination MAC addresses are the respective MAC addresses of the two sides.
(2) The PREROUTING check finds that the destination IP of the packet is a local address and passes the packet to the INPUT chain.
(3) IPVS checks whether the service requested by the packet is a cluster service; if so, the source MAC address of the request is changed to the MAC address of the DIP, the destination MAC address is changed to the MAC address of the RIP, and the packet is passed to the POSTROUTING chain. At this point neither the source IP nor the destination IP is modified; only the source MAC (now the DIP's MAC address) and the destination MAC (now the RIP's MAC address) have been changed.
(4) Since the DS and the RS are on the same network, the packet is delivered at layer 2. The POSTROUTING chain finds that the destination MAC address is the MAC address of the RIP, and the packet is sent to the Real Server.
(5) The RS finds that the destination MAC address of the request is its own MAC address and accepts the packet. After processing is complete, the response passes from the lo interface to the eth0 network card and is sent out. At this point the source IP address is the VIP, the destination IP is the CIP, the source MAC address is the RS's own MAC, and the destination MAC is the client's MAC.
(6) Finally, the response is delivered to the client.
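The six steps above move a request through the director and back to the client without the reply ever passing through the director. The following added example in Python (not from the patent or the applicant) models exactly that: the director rewrites only the Ethernet header, the RS accepts the frame only because the VIP is bound on its loopback, and the reply carries the VIP as its source so the client sees a consistent address. Host names, MAC and IP addresses are constructed for the example, and the client is placed on the same segment so that its MAC is the reply's destination, as the text assumes. The model also makes explicit the standard LVS-DR prerequisite that the text does not spell out: the VIP must be configured on the RS's lo interface (with arp_ignore=1 and arp_announce=2 on the RS so that only the director answers ARP for the VIP), otherwise the RS kernel discards a packet whose destination IP it does not own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str                            # RIP for a real server, DIP for the director
    lo_ips: frozenset = frozenset()    # addresses bound on lo (the VIP on an RS)


def director_forward(frame, vip, director, real_server):
    """LVS-DR: IPVS matches the cluster service (dst IP == VIP) and
    rewrites only the Ethernet header; IP addresses are untouched.
    Non-cluster traffic is left for normal local delivery (None)."""
    if frame.dst_ip != vip:
        return None
    return replace(frame, src_mac=director.mac, dst_mac=real_server.mac)


def real_server_receive(frame, rs):
    """The RS accepts the frame only if the destination MAC is its own and
    the destination IP is one it has bound (RIP, or the VIP on lo)."""
    if frame is None or frame.dst_mac != rs.mac:
        return None
    if frame.dst_ip not in rs.lo_ips | {rs.ip}:
        return None
    return frame


def real_server_reply(request, rs, client_mac):
    """Reply goes straight to the client: the source IP is the VIP the
    client sent to, the director is bypassed entirely."""
    return Frame(src_mac=rs.mac, dst_mac=client_mac,
                 src_ip=request.dst_ip, dst_ip=request.src_ip,
                 payload="ack:" + request.payload)


def dr_round_trip(vip, client, director, rs, payload="hello"):
    """Steps (1) to (6) of the text; returns the reply frame the client
    sees, or None if the RS could not accept the forwarded request."""
    request = Frame(client.mac, director.mac, client.ip, vip, payload)
    forwarded = director_forward(request, vip, director, rs)
    accepted = real_server_receive(forwarded, rs)
    if accepted is None:
        return None
    return real_server_reply(accepted, rs, client.mac)


if __name__ == "__main__":
    # Constructed addresses for the example.
    VIP = "10.0.0.100"
    client = Host("vehicle", "aa:00:00:00:00:01", "10.0.0.7")
    director = Host("lvs", "aa:00:00:00:00:10", "10.0.0.10")
    stg_ok = Host("stg1", "aa:00:00:00:00:21", "10.0.0.21", frozenset({VIP}))
    stg_no_vip = Host("stg2", "aa:00:00:00:00:22", "10.0.0.22")
    print(dr_round_trip(VIP, client, director, stg_ok))
    print(dr_round_trip(VIP, client, director, stg_no_vip))
```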
It should be noted that the network topology in the technical solution of the present application is as follows:
depending on the actual conditions of the project, the STG and the background TSP are deployed in the same network environment, which may be a cloud environment or physical machines in a data center;
when deployed in a data center, either a standalone server or a virtual machine can be used; it is only necessary to ensure that the STG sits behind the firewall and in front of the background TSP servers in the network topology.
It should be noted that the operating environments and the corresponding number of STGs in the technical scheme of the present application are as follows:
there are 4 STGs in total, split between a production environment and a test environment matching the TSP environments;
considering single-point-of-failure prevention and dual-machine hot standby, at least 2 STGs must be deployed in the production environment, and 2 STGs are requested for the test environment;
if the TSP has requirements for other environments, these must be raised and it must be confirmed whether an additional STG environment is to be added.
In addition, the requirements that the technical scheme of the application places on the original environment are as follows:
in the case where plaintext and ciphertext vehicles coexist:
first, on the firewall side:
(1) a new port needs to be opened for terminals to report ciphertext data;
(2) a load-balancing policy is applied that distributes the data connections on the ciphertext port across the two STGs.
Second, on the TSP side:
all IPs and ports are provided to receive plaintext service data from the STG.
In summary, the technical solutions of the embodiments of the present application have the following technical advantages:
the original network topology is kept unchanged and an encrypted data channel is added: unencrypted data is reported over the original link and encrypted data uses the new encrypted link, so plaintext and ciphertext vehicles are allowed to coexist;
the original link and the new link are transmitted separately, which facilitates fault detection.
It should be noted that the T-Box transmission device based on the STG server provided in the embodiments of the present application corresponds to the T-Box transmission method based on the STG server in technical problem, technical means and technical effect, and is similar to it in principle.
It should be noted that in this application, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The foregoing is merely a specific embodiment of the application to enable one skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A T-Box transmission method based on an STG server, the method comprising the steps of:
creating an STG cluster between a firewall and a TSP cluster of a server;
the firewall forwards ciphertext data sent by the terminal to the STG cluster;
and the STG cluster decrypts the ciphertext data, obtains plaintext data and forwards the plaintext data to a corresponding TSP server in the TSP cluster.
2. The STG server-based T-Box transmission method of claim 1, wherein the firewall forwards ciphertext data sent by a terminal to the STG cluster, comprising the steps of:
and the firewall receives the ciphertext data sent by the terminal, and forwards the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing.
3. The STG server-based T-Box transmission method as claimed in claim 1, wherein the obtaining and forwarding of plaintext data to a corresponding TSP server in the TSP cluster comprises the steps of:
after the STG cluster obtains the plaintext data, the plaintext data is forwarded to the corresponding TSP server through load balancing processing.
4. The STG server-based T-Box transmission method of claim 1, further comprising the steps of:
the server and the terminal perform bidirectional identity verification;
and allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity authentication is passed.
5. The STG server-based T-Box transmission method of claim 1, further comprising the steps of:
an encrypted data channel is configured between the server and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
6. A T-Box transmission apparatus based on an STG server, the apparatus comprising:
an STG creation module for creating an STG cluster between the firewall and the TSP cluster at the server side;
the ciphertext forwarding module is used for forwarding ciphertext data sent by the terminal to the STG cluster based on the firewall;
and the decryption transmission module is used for decrypting the ciphertext data based on the STG cluster, obtaining plaintext data and forwarding the plaintext data to a corresponding TSP server in the TSP cluster.
7. The STG server-based T-Box transmission apparatus of claim 6, wherein:
the ciphertext forwarding module is further configured to forward the ciphertext data to a corresponding STG server in the STG cluster after load balancing processing based on the ciphertext data sent by the terminal and received by the firewall.
8. The STG server-based T-Box transmission apparatus of claim 6, wherein:
the decryption transmission module is further configured to forward the plaintext data to the corresponding TSP server after load balancing processing after the STG cluster obtains the plaintext data.
9. The STG server-based T-Box transmission apparatus of claim 6, further comprising:
the identity verification module is used for carrying out bidirectional identity verification on the server side and the terminal;
and the identity verification module is used for allowing the server to receive the ciphertext data sent by the terminal after the bidirectional identity verification is passed.
10. The STG server-based T-Box transmission apparatus of claim 6, further comprising:
the channel adding module is used for configuring an encrypted data channel between the service end and the terminal; wherein
the ciphertext data is transmitted between the terminal and the server based on the encrypted data channel.
CN202211740259.0A 2022-12-30 2022-12-30 T-Box transmission method and device based on STG server Pending CN116248360A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211740259.0A CN116248360A (en) 2022-12-30 2022-12-30 T-Box transmission method and device based on STG server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211740259.0A CN116248360A (en) 2022-12-30 2022-12-30 T-Box transmission method and device based on STG server

Publications (1)

Publication Number Publication Date
CN116248360A true CN116248360A (en) 2023-06-09

Family

ID=86635588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211740259.0A Pending CN116248360A (en) 2022-12-30 2022-12-30 T-Box transmission method and device based on STG server

Country Status (1)

Country Link
CN (1) CN116248360A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination