CN116545706B - Data security transmission control system, method and device and electronic equipment - Google Patents


Info

Publication number: CN116545706B (application CN202310542687.0A; earlier publication CN116545706A)
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Prior art keywords: data, server, keyword, module, target
Inventors: 周文龙, 沈家昌, 吴佳欢, 陶传会
Current assignee: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd
Original assignee: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd
Events: application filed by Hexin Technology Co ltd and Hexin Technology Suzhou Co ltd; priority to CN202310542687.0A; publication of CN116545706A; application granted; publication of CN116545706B; legal status currently active; anticipated expiration.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/02: ... for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281: Proxies
    • H04L 63/04: ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08: ... for authentication of entities
    • H04L 63/0884: ... by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L 63/10: ... for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60: Protecting data
    • G06F 21/602: Providing cryptographic facilities or services
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses a data security transmission control system, method, device and electronic equipment. It replaces the traditional firewall or VPN scheme with a client -> proxy node -> server side path along which the configuration, display and use data of the intranet server are processed and forwarded, and the intranet proxy node needs only one port to communicate with the extranet server side; this reduces the risk exposure surface while ensuring both the security of intranet data export and the convenience of intranet data use. A three-level data management and control mode based on a blacklist keyword data set, a whitelist keyword data set and a red list keyword data set is used, ensuring the correctness and compliance of exported data. The traditional AES encryption algorithm is replaced by the national cryptographic algorithm for encrypting the data, eliminating potential security risks that may exist in AES and achieving fully autonomous and controllable data security.

Description

Data security transmission control system, method and device and electronic equipment
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data security transmission control system, method, device, and electronic equipment.
Background
With the rapid development of internet technology, the diversity and storage capacity of enterprise data centers are greatly increased, and meanwhile, more and more data security problems are faced.
Existing methods for solving data center security problems fall into the following types according to their security level:
1. The data center network is divided into an intranet and an extranet that are physically isolated, so intranet data cannot be sent to the extranet. This method has the highest security, but data use is inconvenient: the data cannot be exported, analyzed or reused.
2. Data are analyzed by a firewall and illegal data streams are intercepted. This method relies on hardware, so the hardware investment is large and the architecture is troublesome to adjust.
3. Network access is performed through a virtual private network (VPN), but this approach exposes the data to the external network and has lower security.
4. Existing intranet-to-extranet data transmission is based on file transfer, and existing intranet and extranet transmission systems carry security risks such as numerous open ports and unencrypted data; an intranet data transmission inspection system that supports both file transmission and real-time character string transmission under unified web-based management is lacking.
Therefore, it is needed to provide a new data security control system that ensures both data security and data diversity and convenience, and also takes into account the enterprise cost.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a data security transmission control system, method, apparatus and electronic device, so as to solve the technical problem in the prior art that, with the rapid development of internet technology, the data diversity and data security demands of enterprise data centers keep growing, while existing data security control systems cannot guarantee data security together with data diversity and convenience and also take enterprise cost into account.
The technical scheme provided by the invention is as follows:
In a first aspect, an embodiment of the present invention provides a data security transmission control system, including: an intranet server on which a client runs, a proxy node and a server side; the intranet server and the proxy node are arranged in the intranet, the server side is arranged in the extranet, one end of the proxy node is connected to the client and the other end to the server side. The server side is used for acquiring a user database, a blacklist keyword data set, a whitelist keyword data set and a red list keyword data set, and for sending the three keyword data sets to the proxy node. The client is used for acquiring target user data and server data, and for sending the target user data to the server side through the proxy node. The server side is further configured to verify the target user data against the user database and to send the verification result to the client through the proxy node. The client is further configured, when the verification result is that verification passed, to encrypt the server data with the national cryptographic algorithm to obtain server encrypted data and to send it to the proxy node. The proxy node is configured to obtain target server encrypted data from the server encrypted data using the national cryptographic algorithm, the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set, and to send the target server encrypted data to the server side. The server side is further configured to decrypt the target server encrypted data with the national cryptographic algorithm to obtain the target server data and to send it to the corresponding user.
With reference to the first aspect, in a possible implementation manner of the first aspect, the server side includes a user module, used for creating the user database, configuring the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set based on the user database, receiving an adjustment instruction sent by the client, and updating the red list keyword data set based on the adjustment instruction.
With reference to the first aspect, in another possible implementation manner of the first aspect, the client includes: a login module used for acquiring the target user data; and a first data transmission module used for periodically checking the file timestamps of the files in a folder on the intranet server, acquiring server update data when a file timestamp changes, encrypting the server update data with the national cryptographic algorithm, and transmitting the encrypted server update data to the server side through the proxy node.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the first data transmission module is further configured to obtain the file names in the folder by regular-expression matching, encrypt each file name with the national cryptographic algorithm, and send the encrypted file name to the server side through the proxy node.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the proxy node includes a data cleaning module and a second data transmission module, the data cleaning module comprising a second national cryptographic encryption/decryption module. The second cryptographic module is configured to decrypt the server encrypted data with the national cryptographic algorithm to obtain the server data and to pass the server data to the data cleaning module; the data cleaning module is used for processing the server data with the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set to obtain the target server data, and for sending the target server data back to the second cryptographic module; the second cryptographic module is configured to encrypt the target server data with the national cryptographic algorithm to obtain the target server encrypted data and to send it to the second data transmission module; and the second data transmission module is used for sending the target server encrypted data to the server side.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the server side further includes: a third cryptographic module used for decrypting the target server encrypted data with the national cryptographic algorithm to obtain the target server data, and for sending the target server data to a message pushing module and an alarm module; the message pushing module is used for sending the target server data to the user in a preset pushing mode; and the alarm module is used for sending an alarm instruction to the corresponding administrator user when the target server data contains non-compliant data and that non-compliant data meets a preset alarm requirement.
In a second aspect, an embodiment of the present invention provides a data security transmission control method for use in the data security transmission control system of the first aspect or any of its implementation manners. The method comprises the following steps: the client in the data security transmission control system acquires target user data and server data, sends the server data to the proxy node in the system, and sends the target user data through the proxy node to the server side in the system for verification; after verification passes, the client encrypts the server data with the national cryptographic algorithm to obtain server encrypted data and sends it to the proxy node; the proxy node receives the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server side, processes the server encrypted data using the national cryptographic algorithm and the three keyword data sets to obtain target server encrypted data, and sends the target server encrypted data to the server side; and the server side decrypts the target server encrypted data with the national cryptographic algorithm to obtain the target server data and sends it to the corresponding user.
In a third aspect, an embodiment of the present invention provides a data security transmission control device for use in the data security transmission control system of the first aspect or any of its implementation manners. The device comprises: an acquisition and transmission module, by which the client in the data security transmission control system acquires target user data and server data, sends the server data to the proxy node in the system, and sends the target user data through the proxy node to the server side in the system for verification; an encryption and transmission module, by which the client, after verification passes, encrypts the server data with the national cryptographic algorithm to obtain server encrypted data and sends it to the proxy node; a processing and transmission module, by which the proxy node receives the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server side, processes the server encrypted data using the national cryptographic algorithm and the three keyword data sets to obtain target server encrypted data, and sends the target server encrypted data to the server side; and a decryption and transmission module, by which the server side decrypts the target server encrypted data with the national cryptographic algorithm to obtain the target server data and sends it to the corresponding user.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program for causing the computer to execute the data security transmission control method according to the second aspect of the embodiment of the present invention.
In a fifth aspect, an embodiment of the present invention provides an electronic device comprising a memory and a processor that are communicatively connected; the memory stores a computer program, and the processor executes the computer program to perform the data security transmission control method according to the second aspect of the embodiment of the invention.
The technical scheme provided by the invention has the following effects:
The data security transmission control system provided by the embodiment of the invention replaces the traditional firewall or VPN scheme with a client -> proxy node -> server side path along which the configuration, display and use data of the intranet server are processed and forwarded, and the intranet proxy node needs only one port to communicate with the extranet server side; this reduces the risk exposure surface while ensuring both the security of intranet data export and the convenience of intranet data use. A three-level data management and control mode based on the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set is used, ensuring the correctness and compliance of exported data. The traditional AES encryption algorithm is replaced by the national cryptographic algorithm for encrypting the data, eliminating potential security risks that may exist in AES and achieving fully autonomous and controllable data security.
The data safety transmission control method provided by the embodiment of the invention is used for carrying out safety transmission of data, ensures the correctness and compliance of the transmitted data, and realizes complete autonomous and controllable data safety transmission.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a block diagram of a data security transmission control system according to an embodiment of the present invention;
Fig. 2 is a block diagram of a secure network data transmission control system based on the national cryptographic algorithm according to an embodiment of the present invention;
Fig. 3 is a flowchart of a data security transmission control method according to an embodiment of the present invention;
Fig. 4 is a flowchart of a secure network data transmission control system based on the national cryptographic algorithm according to an embodiment of the present invention;
Fig. 5 is a block diagram of a data security transmission control device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a computer-readable storage medium according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention provides a data security transmission control system. As shown in Fig. 1, the data security transmission control system 1 includes: a server 11 (the intranet host on which the client runs), a proxy node 12, and a server 13 (the extranet server side).
The server 11 and the proxy node 12 are arranged in the intranet; the server 13 is arranged in the extranet.
It should be understood that the above system may also include other devices and apparatuses.
Specifically, the server 11 includes a client 111; one end of the proxy node 12 is connected to the client 111, and the other end is connected to the server 13.
Further, the client 111 includes a login module 1111 and a first data transmission module 1112;
the proxy node 12 includes a data cleansing module 121 and a second data transmission module 122, and further, the data cleansing module 121 includes a second cryptographic module 1211. The second cryptographic module 1211 is connected to the data cleansing module 121 and the second data transmission module 122, respectively.
The server 13 includes a user module 131, a third cryptographic module 132, a message pushing module 133, and an alarm module 134. The third encryption and decryption module 132 is connected to the message pushing module 133 and the alarm module 134, respectively.
Further, the functions of the respective devices in the above system are described.
The server 13 is configured to obtain a user database, a blacklist keyword data set, a whitelist keyword data set, and a red list keyword data set, and send the blacklist keyword data set, the whitelist keyword data set, and the red list keyword data set to the proxy node 12.
Specifically, the user module 131 in the server 13 creates a user database, and configures a blacklist keyword data set, a whitelist keyword data set, and a red list keyword data set based on the user database. The user database may include a plurality of user data records; each record may be a user name plus password, a token key, or the like.
The client 111 is configured to obtain target user data and server data, and send the target user data to the server 13 through the proxy node 12.
Specifically, the login module 1111 in the client 111 obtains the target user data, such as a user name plus password or a token key.
Further, the client 111 transmits the target user data to the server 13 for authentication.
Further, after receiving the target user data, the server 13 compares the target user data with the user database and completes verification, and then sends the verification result to the client 111 through the proxy node 12.
When the verification result is that the verification passes, the client 111 is authorized to send data to the server 13.
Specifically, the client 111 encrypts the acquired server data of the server 11 by using a cryptographic algorithm to obtain server encrypted data, and sends the server encrypted data to the server 13 after processing the server encrypted data by the proxy node 12.
First, the client 111 transmits the server encrypted data to the proxy node 12;
then, the proxy node 12 processes the received server encrypted data using the cryptographic algorithm, the blacklist keyword data set, the whitelist keyword data set, and the red list keyword data set to obtain target server encrypted data, and transmits the target server encrypted data to the server 13.
Specifically, the second cryptographic module 1211 in the proxy node 12 decrypts the received server encrypted data using the cryptographic algorithm to obtain the corresponding server data, and the data cleansing module 121 processes the server data using the blacklist keyword data set, the whitelist keyword data set, and the red list keyword data set to obtain the target server data.
The keywords in the blacklist keyword data set are effective for all users: if the server data includes a keyword from the blacklist keyword data set, that data is removed by the data cleansing module 121 and cannot be sent to the server 13.
Further, each user may configure an independent red list keyword data set, and each character string in that set may be configured with an effective time or take effect permanently. When the server data includes a keyword from the red list keyword data set, that data is removed by the data cleansing module 121 and cannot be sent to the server 13; however, the user may at any time apply to the admin user to adjust the content of the keyword set, adding a keyword string or releasing a certain keyword string temporarily or permanently. That is, the user module 131 in the server 13 updates the red list keyword data set according to the adjustment instruction sent by the client 111.
Further, the strings in the whitelist keyword data set are configured by the user himself, and each row of the server data must include at least one string from that set.
Therefore, the data cleansing module 121 removes the character strings containing keywords from the blacklist keyword data set and the red list keyword data set, and retains only the character strings containing keywords from the whitelist keyword data set, so as to obtain the cleansed server data, i.e. the target server data, which may be sent to the server 13.
Finally, the data cleaning module 121 sends the target server data to the second cryptographic module 1211, encrypts the target server data in the second cryptographic module 1211 by using a cryptographic algorithm, obtains target server encrypted data, and sends the target server encrypted data to the server 13.
After receiving the encrypted data of the target server, the server 13 decrypts the encrypted data of the target server and sends the decrypted data to the corresponding user.
Specifically, the third cryptographic module 132 decrypts the target server encrypted data by using a cryptographic algorithm to obtain target server data, and sends the target server data to the message pushing module 133.
After receiving the target server data, the message pushing module 133 sends the target server data to the user through a preset pushing mode, such as mail or DingTalk, for the user to use.
Further, the third cryptographic module 132 is further configured to send the target server data to the alert module 134.
After receiving the target server data, the alarm module 134 determines whether the target server data contains non-compliant data; if so, it determines whether that non-compliant data meets the preset alarm requirement, and if it does, sends an alarm to the corresponding administrator user.
The alarm requirement is preset: an alarm may be triggered for each piece of non-compliant data, or only when N pieces of non-compliant data are sent within a period of time.
Further, the first data transmission module 1112 in the client 111 is configured to periodically check the file timestamps in the folder on the server 11. When a file timestamp changes, the current server data has been updated; the current line number m of the file is then compared with the line number n read last time, and the lines between n and m are the data that need to be sent this time, that is, the server update data.
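The following Python sketch is an added illustration, not code from the patent, of the three-level cleansing rules stated above (blacklist effective for all users, a per-user red list whose entries may carry an effective time, and a whitelist of which every retained row must contain at least one string) together with the alarm module's threshold rule (an alarm per non-compliant row, or after N rows within a time window). The class and function names (`RedListEntry`, `UserPolicy`, `cleanse_rows`, `AlarmWindow`), the sample rows and the keyword sets are constructed for the example. Two choices the patent does not specify are made explicitly: an empty whitelist matches nothing, so nothing passes (fail closed), and one burst that reaches the threshold raises one alarm.

```python
"""Three-level keyword cleansing (blacklist / red list / whitelist) plus an alarm
threshold, as a stand-alone illustration of the proxy-node and alarm-module logic.
All names and sample data are constructed for this example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class RedListEntry:
    """One red list keyword; expires_at is epoch seconds, or None for permanent."""
    keyword: str
    expires_at: Optional[float] = None

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class UserPolicy:
    """Per-user configuration: a red list and a whitelist (the blacklist is global)."""
    red_list: List[RedListEntry] = field(default_factory=list)
    white_list: List[str] = field(default_factory=list)


def cleanse_rows(rows: List[str], blacklist: List[str], policy: UserPolicy,
                 now: float) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (kept_rows, removed_rows) for one user's upload.

    Checks run in the order the description gives them: the global blacklist,
    then the user's currently active red list, then the whitelist requirement
    that every row contains at least one whitelist string.  An empty whitelist
    matches nothing, so nothing passes (fail-closed assumption)."""
    active_red = [e.keyword for e in policy.red_list if e.active(now)]
    kept: List[str] = []
    removed: List[Tuple[str, str]] = []
    for row in rows:
        if any(k in row for k in blacklist):
            removed.append((row, "blacklist"))
        elif any(k in row for k in active_red):
            removed.append((row, "redlist"))
        elif not any(k in row for k in policy.white_list):
            removed.append((row, "whitelist"))
        else:
            kept.append(row)
    return kept, removed


class AlarmWindow:
    """Alarm-module rule: fire when `threshold` non-compliant rows are seen
    within `window_seconds`.  threshold=1 alarms on every non-compliant row."""

    def __init__(self, threshold: int, window_seconds: float) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.events: Deque[float] = deque()

    def record(self, event_time: float) -> bool:
        self.events.append(event_time)
        # Drop events that have fallen out of the sliding window.
        while self.events and event_time - self.events[0] > self.window:
            self.events.popleft()
        if len(self.events) >= self.threshold:
            self.events.clear()  # one burst raises one alarm (assumption)
            return True
        return False


# Constructed sample data (not from the patent).
SAMPLE_ROWS = [
    "id=1 dept=sales amount=100",
    "id=2 dept=sales password=hunter2",
    "id=3 dept=hr amount=5",
    "id=4 dept=sales note=project_x",
]
GLOBAL_BLACKLIST = ["password="]
SAMPLE_POLICY = UserPolicy(
    red_list=[RedListEntry("project_x", expires_at=2000.0)],  # released at t=2000
    white_list=["dept=sales"],
)


def demo(now: float) -> List[str]:
    """Rows that would be forwarded to the server side at time `now`."""
    kept, _ = cleanse_rows(SAMPLE_ROWS, GLOBAL_BLACKLIST, SAMPLE_POLICY, now)
    return kept


if __name__ == "__main__":
    print(demo(1000.0))  # red list still active: only row 1 survives
    print(demo(3000.0))  # red list entry expired: rows 1 and 4 survive
```

The `removed` list carries the reason for each dropped row, which is what the alarm module needs to decide whether a non-compliant upload meets the preset alarm requirement.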
Then, after encrypting the server update data by using the cryptographic algorithm, the encrypted server update data is transmitted to the server 13 through the proxy node 12. The specific transmission process refers to the encryption process and the transmission process of the server data, and will not be described herein.
Further, the first data transmission module 1112 is further configured to obtain a file name of a folder in the server 11 by using a regular matching method, encrypt the file name by using a cryptographic algorithm, and send the encrypted file name to the server 13 through the proxy node 12. The specific transmission process refers to the encryption process and the transmission process of the server data, and will not be described herein.
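As an added example (not the patent's code), the Python sketch below implements the polling described in the two paragraphs above: files in a folder are selected by regular-expression matching of their names, timestamps are checked on each poll, and when a file changed only the lines after the last line number n up to the current line number m are collected for sending. The class and function names, the name pattern and the temporary folder used by `demo()` are constructed for the example. Two additions the patent does not specify are made explicit: file size is compared alongside the modification time, because timestamp resolution on some filesystems is too coarse to notice two writes in the same second, and a file that shrank is treated as truncated or rotated and re-read from the start. Encryption of the new lines and forwarding through the proxy node are left out.

```python
"""Incremental folder watcher modelled on the first data transmission module:
poll file timestamps and, on change, collect only the lines added since the last
read.  Stand-alone illustration; all names here are constructed for this example."""
import os
import re
import tempfile
from typing import Dict, List, Tuple


class FolderWatcher:
    def __init__(self, folder: str, name_pattern: str = r"^.*\.log$") -> None:
        self.folder = folder
        self.pattern = re.compile(name_pattern)  # file-name "regular matching"
        # Per file: (mtime_ns, size, number of lines already read)
        self.state: Dict[str, Tuple[int, int, int]] = {}

    def poll(self) -> Dict[str, List[str]]:
        """Return {file_name: new_lines} for every matching file that changed."""
        updates: Dict[str, List[str]] = {}
        for name in sorted(os.listdir(self.folder)):
            if not self.pattern.match(name):
                continue
            path = os.path.join(self.folder, name)
            st = os.stat(path)
            # Size is checked in addition to mtime (assumption: mtime alone may be
            # too coarse to distinguish two writes within the same second).
            stamp = (st.st_mtime_ns, st.st_size)
            prev_mtime, prev_size, n = self.state.get(name, (-1, -1, 0))
            if stamp == (prev_mtime, prev_size):
                continue
            with open(path, encoding="utf-8") as fh:
                lines = fh.read().splitlines()
            m = len(lines)
            if m < n:
                # File shrank (truncated or rotated): re-read from the start.
                n = 0
            new_lines = lines[n:m]  # the "m - n" lines added since the last read
            self.state[name] = (stamp[0], stamp[1], m)
            if new_lines:
                updates[name] = new_lines
        return updates


def demo() -> List[Dict[str, List[str]]]:
    """Four polls over a constructed temporary folder; returns what each poll yields."""
    results: List[Dict[str, List[str]]] = []
    with tempfile.TemporaryDirectory() as folder:
        log = os.path.join(folder, "app.log")
        with open(log, "w", encoding="utf-8") as fh:
            fh.write("line 1\nline 2\n")
        with open(os.path.join(folder, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("ignored: name does not match the pattern\n")
        watcher = FolderWatcher(folder)
        results.append(watcher.poll())  # first poll: both existing lines
        with open(log, "a", encoding="utf-8") as fh:
            fh.write("line 3\n")
        results.append(watcher.poll())  # only the appended line
        results.append(watcher.poll())  # nothing changed
        with open(log, "w", encoding="utf-8") as fh:
            fh.write("line A\n")  # file truncated and rewritten
        results.append(watcher.poll())  # re-read from the start
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the patent's flow each non-empty `new_lines` batch would be encrypted with the national cryptographic algorithm and handed to the proxy node; the watcher keeps the per-file line counter so that a batch is never sent twice.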
The data security transmission control system provided by the embodiment of the invention replaces the traditional firewall or VPN scheme with a client -> proxy node -> server side path along which the configuration, display and use data of the intranet server are processed and forwarded, and the intranet proxy node needs only one port to communicate with the extranet server side; this reduces the risk exposure surface while ensuring both the security of intranet data export and the convenience of intranet data use. A three-level data management and control mode based on the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set is used, ensuring the correctness and compliance of exported data. The traditional AES encryption algorithm is replaced by the national cryptographic algorithm for encrypting the data, eliminating potential security risks that may exist in AES and achieving fully autonomous and controllable data security.
In an example, a secure network data transmission control system based on the national cryptographic algorithm is provided, as shown in Fig. 2, including three parts: a client, a proxy node and a server side. The client is responsible for collecting data from the server on which it runs and sending the data to the proxy node. The proxy node and the client are both in the intranet; the proxy node is responsible for receiving the data of all clients and, after cleansing, sending it to the server side in the extranet.
Further, the functions of the respective parts are described:
(1) Client: the client comprises a login module and a data sending/receiving module.
Login module: authenticates to the server side through the proxy node with a user name and password or with a token key; once authentication completes, the functions corresponding to the user's permissions become available.
Data sending/receiving module:
1. Periodically checks the time stamps of the files in the monitored folder on the server where the client runs; a changed time stamp indicates that file data was updated. Given the line count n read last time and the current line count m of the file, the m-n newly added lines are the data to send this time. The file name is obtained by regular-expression matching, the newly added data is encrypted with the SM cryptographic algorithm and then sent to the server side through the proxy node.
2. The user can also click to upload a file.
3. The uploaded file is encrypted with the SM cryptographic algorithm and sent to the server side through the proxy node.
4. At the same time, the module receives the data sent by the server side through the proxy node and completes the client configuration after decrypting it.
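As an added example (not code from the patent), the following Python sketches the collection logic of the data sending/receiving module described above: time-stamp based change detection, the m-n new-line delta, and the regular-expression file-name match. The folder layout, the file-name pattern and the identity `encrypt` placeholder that stands in for the SM (国密) encryption step are assumptions; the page does not say which SM algorithm is used or how the files are named.

```python
import os
import re
import tempfile
from typing import Callable, Dict, List, Tuple

# Per-file state kept by the client: path -> (mtime_ns, line count n already sent)
State = Dict[str, Tuple[int, int]]

# Assumed naming convention for files worth collecting, e.g. "app-20230515.log";
# the patent only says the file name is obtained "through regular matching".
FILE_NAME_RE = re.compile(r"^(?P<app>[a-z][a-z0-9_-]*)-(?P<date>\d{8})\.log$")

# Stand-in for the SM encryption step; a real deployment would call an SM4
# implementation here. It is a placeholder so the collection logic runs offline.
Encrypt = Callable[[bytes], bytes]


def file_name_matches(name: str) -> bool:
    """True when `name` matches the assumed file-name pattern."""
    return FILE_NAME_RE.match(name) is not None


def new_lines(path: str, state: State) -> List[str]:
    """Return the lines appended to `path` since the last call and update `state`.

    Change detection is by time stamp, as in the text; with n = lines already
    sent and m = current line count, the m-n trailing lines are this round's
    data. A file whose line count shrank (rotation/truncation) is re-read from
    the start rather than silently losing data.
    """
    mtime_ns = os.stat(path).st_mtime_ns
    last_mtime, n = state.get(path, (-1, 0))
    if mtime_ns == last_mtime:
        return []                      # unchanged time stamp: nothing to send
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    m = len(lines)
    if m < n:
        n = 0                          # truncated or rotated: start over
    state[path] = (mtime_ns, m)
    return lines[n:m]


def collect_folder(folder: str, state: State, encrypt: Encrypt) -> List[Tuple[bytes, bytes]]:
    """One polling round: for each matching file, encrypt its name and every
    newly added line and return (encrypted_name, encrypted_line) pairs that the
    client would hand to the proxy node."""
    out: List[Tuple[bytes, bytes]] = []
    for name in sorted(os.listdir(folder)):
        if not file_name_matches(name):
            continue
        path = os.path.join(folder, name)
        enc_name = encrypt(name.encode("utf-8"))
        for line in new_lines(path, state):
            out.append((enc_name, encrypt(line.encode("utf-8"))))
    return out


def collect_demo() -> List[List[bytes]]:
    """Three polling rounds over a constructed folder: initial read, no change,
    then one appended line. Returns the lines collected per round."""
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "app-20230515.log")
    state: State = {}
    identity: Encrypt = lambda b: b            # placeholder for SM encryption
    rounds: List[List[bytes]] = []
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("order=1 status=shipped\norder=2 status=packed\n")   # constructed sample
    os.utime(path, ns=(1_000_000_000_000_000_000, 1_000_000_000_000_000_000))
    rounds.append([line for _, line in collect_folder(folder, state, identity)])
    rounds.append([line for _, line in collect_folder(folder, state, identity)])
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("order=3 status=shipped\n")
    os.utime(path, ns=(1_001_000_000_000_000_000, 1_001_000_000_000_000_000))
    rounds.append([line for _, line in collect_folder(folder, state, identity)])
    return rounds


if __name__ == "__main__":
    print(collect_demo())
```

The mtime is set explicitly in the demo because a write that lands within the file system's time-stamp resolution would not change the stamp, which is exactly the case a time-stamp based poller can miss in production; comparing the stored line count as well, as the text does, is what makes the delta robust.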
(2) Proxy node: the proxy node comprises a data cleaning module and a data sending/receiving module.
Data cleaning module: after each row of data sent by the client is received and its source IP address is verified as correct, the strings matching keywords in the blacklist and in the red list of the user's permissions are removed, and only rows containing a string from the user's whitelist are retained.
Data sending/receiving module: sends the cleaned data from the data cleaning module together with the client authentication information to the server side, and returns the server configuration information and the authentication response from the server side to the client. It periodically communicates with the server side to update the permissions of all users (IP address, whitelist, blacklist and red list). All transmitted data is encrypted with the SM cryptographic algorithm and all received data is decrypted with it.
(3) Server side: the server side comprises a user module, a message pushing module, an alarm module and an encryption/decryption module.
User module: provides a web page on which a user logs in and pages through the data sent by the client. An administrator user can create users and configure, for each user, the IP addresses from which the user's client may send data and the blacklist, whitelist and red list keyword groups. The keywords in the blacklist keyword group apply to all users: any data sent by any user's client that contains one of them is cleaned by the proxy node and not sent to the server side. Each user has an independent red list keyword group; its strings can be configured with an effective period or as permanently effective, and data sent by the user's client that contains one of them is likewise cleaned by the proxy node and not sent to the server side, but the user may at any time apply to the admin user to change the group, adding a keyword string or temporarily or permanently releasing a particular keyword string. The strings of the whitelist keyword group are configured by the user, and each row of data sent by the client must contain one of them.
Message pushing module: sends the data received from the client to the user by at least two channels, e-mail and DingTalk, for the user's use.
Alarm module: notifies the administrator by e-mail that a user sent non-compliant data from a given IP node. The alarm can be configured to trigger on every piece of non-compliant data or when N pieces of non-compliant data are sent within a period of time.
Encryption/decryption module: decrypts the data sent by the proxy node with the SM cryptographic algorithm and encrypts the data sent to the proxy node with it.
The system does away with the traditional firewall or VPN scheme in favour of a client, proxy node (cleaning and forwarding) and server side (configuration, display and use of data) arrangement in which the intranet proxy node needs only one port to communicate with the extranet server side; this reduces the exposed attack surface, secures the export of intranet data and keeps the data convenient to use. The blacklist, whitelist and red list form a three-level data control scheme: blacklist keywords apply to all users, and no data sent by any user's client may contain them; red list strings can be configured to take effect for a limited time or permanently, data sent by the user's client may not contain them, but the user may apply to the admin user at any time to adjust the group and temporarily or permanently release a given string; whitelist strings are configured by the user, and each row sent by the client must contain one of them. Together these ensure the correctness and compliance of the exported data. The traditional AES algorithm is replaced by the domestic SM cryptographic algorithms for protecting the data, removing the potential risks the applicant attributes to AES and making the data security fully autonomous and controllable.
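The three-level control described for the data cleaning module and the user module above, as an added example in Python that is not the patent's code. The policy values and sample rows are constructed. The semantics follow the text: the blacklist is global; each user has a red list whose entries carry an optional effective period and can be released temporarily (until a time) or permanently by the admin; every row must contain one of the user's whitelist strings; and the source IP is checked first. Plain substring matching is an assumption, as the page does not say how keywords are matched. The page is not explicit on whether non-compliant rows are dropped or forwarded, so the example forwards the compliant rows and keeps non-compliance records for the server side, as workflow step 4 describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RedListEntry:
    """One red list string for a user. `effective_until` None means permanent;
    the admin can release the string temporarily (until a time) or permanently."""
    keyword: str
    effective_until: Optional[float] = None
    released_until: Optional[float] = None
    released_permanently: bool = False

    def active(self, now: float) -> bool:
        if self.released_permanently:
            return False
        if self.released_until is not None and now < self.released_until:
            return False
        if self.effective_until is not None and now >= self.effective_until:
            return False
        return True


@dataclass
class UserPolicy:
    """Per-user configuration pushed from the server side to the proxy node."""
    allowed_ips: List[str]
    whitelist: List[str]
    red_list: List[RedListEntry] = field(default_factory=list)


@dataclass
class CleanResult:
    compliant: bool
    cleaned: str          # row with blacklist / red list strings removed
    violations: List[str]


def clean_row(row: str, src_ip: str, policy: UserPolicy,
              blacklist: List[str], now: float) -> CleanResult:
    """Apply the three-level control to one row from a client.

    Order matters: the source IP is verified first (a row from an unexpected
    address is rejected outright), then global blacklist strings and the
    user's currently active red list strings are stripped and recorded, and
    finally the row must still contain one of the user's whitelist strings.
    Plain substring matching is assumed; the text does not specify more.
    """
    if src_ip not in policy.allowed_ips:
        return CleanResult(False, "", [f"ip:{src_ip}"])
    violations: List[str] = []
    cleaned = row
    for kw in blacklist:
        if kw in cleaned:
            violations.append(f"blacklist:{kw}")
            cleaned = cleaned.replace(kw, "")
    for entry in policy.red_list:
        if entry.active(now) and entry.keyword in cleaned:
            violations.append(f"redlist:{entry.keyword}")
            cleaned = cleaned.replace(entry.keyword, "")
    if not any(w in cleaned for w in policy.whitelist):
        violations.append("whitelist:missing")
    return CleanResult(not violations, cleaned, violations)


def clean_batch(rows: List[Tuple[str, str]], policy: UserPolicy,
                blacklist: List[str], now: float) -> Tuple[List[str], List[Dict[str, object]]]:
    """Clean (row, src_ip) pairs: returns the compliant rows to forward and the
    non-compliance records the proxy node keeps and reports to the server side."""
    compliant: List[str] = []
    records: List[Dict[str, object]] = []
    for row, ip in rows:
        res = clean_row(row, ip, policy, blacklist, now)
        if res.compliant:
            compliant.append(res.cleaned)
        else:
            records.append({"ip": ip, "violations": res.violations, "cleaned": res.cleaned})
    return compliant, records


# Constructed sample configuration (not from the patent); times are plain seconds.
GLOBAL_BLACKLIST = ["password="]
DEMO_POLICY = UserPolicy(
    allowed_ips=["10.0.0.5"],
    whitelist=["ORDER"],
    red_list=[
        RedListEntry("internal", effective_until=200.0),        # expires at t=200
        RedListEntry("secret", released_until=150.0),           # released until t=150
        RedListEntry("projectx", released_permanently=True),    # released for good
    ],
)
```

Evaluating the red list against `now` at the proxy node means a release granted by the admin takes effect as soon as the proxy node's next periodic permission update arrives, without code changes on the client; the whitelist check runs last so that stripping a matched string cannot accidentally turn a non-compliant row into a compliant one.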
The embodiment of the invention provides a data security transmission control method, which is used for a data security transmission control system 1 according to the embodiment of the invention; as shown in fig. 3, the method comprises the steps of:
Step 301: the client in the data security transmission control system acquires target user data and server data, sends the server data to the proxy node in the system, and sends the target user data through the proxy node to the server in the system for verification.
The specific acquisition and transmission process is described with reference to the above interaction process of the client 111, the proxy node 12 and the server 13 in the data security transmission control system 1, and will not be described herein.
Further, the verification process of the target user data refers to the above description of the function of the server 13 in the data security transmission control system 1, and will not be repeated here.
Step 302: after the verification passes, the client encrypts the server data with the SM cryptographic algorithm to obtain server encrypted data and sends the server encrypted data to the proxy node.
The specific encryption process refers to the above description of the function of the client 111 in the data security transmission control system 1, and the specific transmission process refers to the above description of the interaction process between the client 111 and the proxy node 12 in the data security transmission control system 1, which is not described herein.
Step 303: the proxy node receives the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server, obtains target server encrypted data from the server encrypted data by means of the SM cryptographic algorithm and the three keyword data sets (decrypting, cleaning against the keyword data sets, and re-encrypting), and sends the target server encrypted data to the server.
Specifically, the black list keyword data set, the white list keyword data set, and the red list keyword data set are obtained by referring to the above description of the functions of the user module in the server 13 in the data security transmission control system 1, and are not repeated herein.
Further, the process of obtaining the encrypted data of the target server refers to the above-mentioned interaction process and functional description of the second cryptographic module 1211, the data cleaning module 121 and the second data transmission module 122 in the proxy node 12 in the data security transmission control system 1, which are not described herein again.
Further, the process of sending the encrypted data of the target server to the server is described with reference to the above interaction process between the proxy node 12 and the server 13 in the data security transmission control system 1, which is not described herein.
Step 304: the server decrypts the target server encrypted data with the SM cryptographic algorithm to obtain the target server data and sends the target server data to the corresponding user.
The specific decryption process refers to the above description of the function of the third cryptographic module 132 in the data security transmission control system 1, and will not be described herein.
The specific transmission process refers to the above description of the function of the message pushing module 133 in the data security transmission control system 1, and will not be repeated here.
Further, if the target server data contains non-compliant data and the non-compliant data meets the preset alarm requirement, an alarm instruction is sent to the corresponding administrator user.
The alarm requirement is configured in advance: an alarm can be triggered for each piece of non-compliant data, or when N pieces of non-compliant data are sent within a period of time.
The specific transmission process refers to the above description of the function of the alarm module 134 in the data security transmission control system 1, and will not be repeated here.
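The two alarm requirements just described (alert on every piece of non-compliant data, or on N pieces within a period), as an added example that is not the patent's code. Non-compliant data is tracked per (user, source IP) because the alarm module reports which user sent it from which IP node. The threshold values, the event stream and the choice to reset the window after an alert so that one burst produces one e-mail are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AlarmRule:
    """per_event=True: alarm on every non-compliant piece of data.
    Otherwise alarm when `threshold` pieces arrive within `window_seconds`."""
    per_event: bool = False
    threshold: int = 5
    window_seconds: float = 600.0


class AlarmEvaluator:
    """Tracks non-compliant data per (user, source IP) and decides when an
    administrator alert is due."""

    def __init__(self, rule: AlarmRule) -> None:
        self.rule = rule
        self._events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def record(self, user: str, ip: str, ts: float) -> Optional[str]:
        """Register one non-compliant piece of data at time `ts` (seconds).
        Returns the alert text to e-mail the administrator, or None."""
        if self.rule.per_event:
            return f"user {user} at {ip} sent non-compliant data at t={ts:.0f}"
        window = self._events[(user, ip)]
        window.append(ts)
        # drop events that fell out of the sliding window
        while window and ts - window[0] > self.rule.window_seconds:
            window.popleft()
        if len(window) >= self.rule.threshold:
            count = len(window)
            window.clear()   # design choice: reset so one burst yields one alert
            return (f"user {user} at {ip} sent {count} non-compliant pieces of data "
                    f"within {self.rule.window_seconds:.0f}s (last at t={ts:.0f})")
        return None


def alarm_demo() -> List[Tuple[float, Optional[str]]]:
    """Replay a constructed stream of non-compliance records (user, ip, t) against
    a 3-in-60s rule and return (t, alert-or-None) per record."""
    ev = AlarmEvaluator(AlarmRule(threshold=3, window_seconds=60.0))
    stream = [
        ("alice", "10.0.0.5", 0.0), ("alice", "10.0.0.5", 10.0),
        ("bob", "10.0.0.7", 15.0),                       # different user: separate window
        ("alice", "10.0.0.5", 20.0),                      # third in 60s -> alert
        ("alice", "10.0.0.5", 25.0), ("alice", "10.0.0.5", 30.0),
        ("alice", "10.0.0.5", 40.0),                      # third since reset -> alert
        ("alice", "10.0.0.5", 200.0),                     # long after: no alert
    ]
    return [(ts, ev.record(user, ip, ts)) for user, ip, ts in stream]


if __name__ == "__main__":
    for ts, alert in alarm_demo():
        print(ts, alert)
```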
The data security transmission control method of this embodiment transmits data securely, ensures the correctness and compliance of the transmitted data, and achieves fully autonomous and controllable secure data transmission.
In one example, as shown in fig. 4, a workflow of the secure network data transmission control system based on the national security in the above example is provided:
1. An administrator logs in to the web page of the user module on the server side and configures a global blacklist and a default red list for the user; no data sent by the user's client may contain a keyword from the blacklist or the red list keyword group. The user applies to the admin user to adjust the red list keyword group, adding a keyword string or temporarily or permanently releasing one. The administrator creates an alarm (notify the administrator after every match of a blacklist or red list string, or after N matches) and creates the user (user name, password and compliant IP).
2. The user views the currently effective red list on the web page of the user module on the server side, applies to the administrator as needed to add red list entries or change their content and effective duration, configures the whitelist (the data sent by the user must contain a string from the whitelist group), and configures delivery of the data by e-mail or DingTalk.
3. The user's client authenticates to the server side through the proxy node by user name and password or by token; after authentication passes it has permission to send data, and the data stream sent by the client is encrypted with the SM cryptographic algorithm.
4. After authentication, the client periodically sends file contents to the server side through the proxy node. The proxy node cleans the data, records the non-compliant data, and sends both the compliant data and the non-compliant data to the server side; the data stream sent by the proxy node is encrypted with the SM cryptographic algorithm.
5. After receiving and decrypting the data from the proxy node, the server side displays it on the front-end page, delivers it to the user by e-mail or DingTalk according to the user's configuration, and, if the non-compliant data meets the alarm requirement, sends an e-mail alarm to the administrator.
The embodiment of the invention also provides a data security transmission control device which is used for the data security transmission control system 1 according to the embodiment of the invention; as shown in fig. 5, the apparatus includes:
an acquisition and transmission module 501, configured for a client in the data security transmission control system to acquire target user data and server data, send the server data to a proxy node in the system, and send the target user data through the proxy node to a server in the system for verification; for details see the description of step 301 in the method embodiment above.
an encryption and transmission module 502, configured for the client to encrypt the server data with the SM cryptographic algorithm after the verification passes, obtain server encrypted data, and send the server encrypted data to the proxy node; for details see the description of step 302 in the method embodiment above.
a processing and transmission module 503, configured for the proxy node to receive the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server, obtain target server encrypted data from the server encrypted data by means of the SM cryptographic algorithm and the three keyword data sets, and send the target server encrypted data to the server; for details see the description of step 303 in the method embodiment above.
a decryption and transmission module 504, configured for the server to decrypt the target server encrypted data with the SM cryptographic algorithm to obtain target server data and send the target server data to the corresponding user; for details see the description of step 304 in the method embodiment above.
The data security transmission control device of this embodiment transmits data securely, ensures the correctness and compliance of the transmitted data, and achieves fully autonomous and controllable secure data transmission.
The functional description of the data security transmission control device provided by the embodiment of the invention refers to the description of the data security transmission control method in the above embodiment in detail.
The embodiment of the present invention also provides a storage medium, as shown in fig. 6, on which a computer program 601 is stored, which when executed by a processor, implements the steps of the data security transmission control method in the above embodiment. The storage medium may be a magnetic Disk, an optical disc, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a Flash Memory (Flash Memory), a Hard Disk (HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
Those skilled in the art will appreciate that all or part of the method of the above embodiments may be implemented by a computer program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when executed, may carry out the method of the above embodiments. The storage medium may be a magnetic disk, an optical disc, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk (HDD), a Solid State Drive (SSD), or the like; the storage medium may also be a combination of the above kinds of memory.
The present invention also provides an electronic device, as shown in fig. 7, which may include a processor 71 and a memory 72, where the processor 71 and the memory 72 may be connected by a bus or other means, and in fig. 7, the connection is exemplified by a bus.
The processor 71 may be a central processing unit (Central Processing Unit, CPU). The processor 71 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations of the above.
The memory 72 serves as a non-transitory computer-readable storage medium that may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 72, the processor 71 executes the various functional applications and data processing of the processor, that is, implements the data security transmission control method of the method embodiments above.
The memory 72 may include a program storage area and a data storage area; the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created by the processor 71, etc. In addition, the memory 72 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory 72 may optionally include memory located remotely from the processor 71, connected to the processor 71 through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 72, which when executed by the processor 71, perform the data security transmission control method in the embodiment shown in fig. 3-4.
The details of the electronic device may be understood in reference to the corresponding related descriptions and effects in the embodiments shown in fig. 3 to 4, which are not described herein.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (10)

1. A data security transmission control system, characterized in that the system comprises: an intranet server, which comprises a client; a proxy node; and a server, wherein the intranet server and the proxy node are arranged in an intranet, the server is arranged in an extranet, one end of the proxy node is connected to the client and the other end of the proxy node is connected to the server;
the server is used for acquiring a user database, a blacklist keyword data set, a whitelist keyword data set and a red list keyword data set, and sending the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set to the proxy node;
the client is used for acquiring target user data and server data and sending the target user data to the server through the proxy node;
the server is further configured to verify the target user data based on the user database, and send a verification result to the client through the proxy node;
the client is further configured to encrypt the server data by using a cryptographic algorithm when the verification result is that the verification is passed, obtain server encrypted data, and send the server encrypted data to the proxy node;
the proxy node is configured to obtain target server encrypted data from the server encrypted data by means of a cryptographic algorithm, the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set, and to send the target server encrypted data to the server;
the server is further configured to decrypt the encrypted data of the target server by using the cryptographic algorithm to obtain target server data, and send the target server data to a corresponding user.
2. The system of claim 1, wherein the server comprises:
and the user module is used for creating the user database, configuring a blacklist keyword data set, a whitelist keyword data set and a red list keyword data set based on the user database, receiving an adjustment instruction sent by the client, and updating the red list keyword data set based on the adjustment instruction.
3. The system of claim 1, wherein the client comprises:
the login module is used for acquiring the target user data;
a first data transmission module, configured to periodically check the file time stamps in a folder on the intranet server, acquire server update data when a file time stamp changes, encrypt the server update data with the cryptographic algorithm, and send the encrypted server update data to the server through the proxy node.
4. The system of claim 3, wherein
the first data transmission module is further configured to obtain a file name of the folder by using a regular matching method, encrypt the file name by using the cryptographic algorithm, and send the encrypted file name to the server through the proxy node.
5. The system of claim 1, wherein the proxy node comprises a data cleaning module and a second data transmission module, the data cleaning module comprising a second SM encryption/decryption module;
the second SM encryption/decryption module is configured to decrypt the server encrypted data with the cryptographic algorithm to obtain the server data and send the server data to the data cleaning module;
the data cleaning module is configured to process the server data using the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set to obtain the target server data, and to send the target server data to the second SM encryption/decryption module;
the second SM encryption/decryption module is further configured to encrypt the target server data with the cryptographic algorithm to obtain the target server encrypted data and send it to the second data transmission module;
and the second data transmission module is configured to send the target server encrypted data to the server.
6. The system of claim 1, wherein the server further comprises:
the third cryptographic module is used for decrypting the encrypted data of the target server by utilizing the cryptographic algorithm to obtain the data of the target server, and sending the data of the target server to the message pushing module and the alarm module;
the message pushing module is used for sending the target server data to the user according to a preset pushing mode;
and the alarm module is used for sending an alarm instruction to a corresponding administrator user when the target server data contains non-compliance data and the non-compliance data accords with a preset alarm requirement.
7. A data security transmission control method for the data security transmission control system according to any one of claims 1 to 6; characterized in that the method comprises:
the client in the data security transmission control system acquires target user data and server data, sends the server data to the proxy node in the data security transmission control system, and sends the target user data through the proxy node to the server in the data security transmission control system for verification;
After verification is passed, the client encrypts the server data by using a cryptographic algorithm to obtain server encrypted data, and sends the server encrypted data to the proxy node;
the proxy node receives the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server, obtains target server encrypted data from the server encrypted data by means of the SM cryptographic algorithm and the three keyword data sets, and sends the target server encrypted data to the server;
and the server decrypts the encrypted data of the target server by using the cryptographic algorithm to obtain the data of the target server, and sends the data of the target server to the corresponding user.
8. A data security transmission control apparatus for use in the data security transmission control system according to any one of claims 1 to 6; characterized in that the device comprises:
an acquisition and transmission module, configured for the client in the data security transmission control system to acquire target user data and server data, send the server data to the proxy node in the data security transmission control system, and send the target user data through the proxy node to the server in the data security transmission control system for verification;
an encryption and transmission module, configured for the client to encrypt the server data with the SM cryptographic algorithm after the verification passes, obtain server encrypted data, and send the server encrypted data to the proxy node;
a processing and transmission module, configured for the proxy node to receive the blacklist keyword data set, the whitelist keyword data set and the red list keyword data set sent by the server, obtain target server encrypted data from the server encrypted data by means of the SM cryptographic algorithm and the three keyword data sets, and send the target server encrypted data to the server;
and the decryption and transmission module is used for decrypting the encrypted data of the target server by the server side through the cryptographic algorithm to obtain the data of the target server, and sending the data of the target server to a corresponding user.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for causing the computer to execute the data security transmission control method according to claim 7.
10. An electronic device, comprising: a memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing a computer program, the processor executing the computer program to perform the data security transmission control method according to claim 7.
CN202310542687.0A 2023-05-15 2023-05-15 Data security transmission control system, method and device and electronic equipment Active CN116545706B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310542687.0A CN116545706B (en) 2023-05-15 2023-05-15 Data security transmission control system, method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN116545706A CN116545706A (en) 2023-08-04
CN116545706B true CN116545706B (en) 2024-01-23

Family

ID=87443187

Country Status (1)

Country Link
CN (1) CN116545706B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117319093A (en) * 2023-11-30 2023-12-29 国网江苏省电力有限公司 Data access service method based on isolation device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102646173A (en) * 2012-02-29 2012-08-22 成都新云软件有限公司 Safety protection control method and system based on white and black lists
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN108337249A (en) * 2018-01-19 2018-07-27 论客科技(广州)有限公司 A kind of data safe transmission method, system and device
CN111934879A (en) * 2020-07-08 2020-11-13 福建亿能达信息技术股份有限公司 Data transmission encryption method, device, equipment and medium for internal and external network system
CN112751839A (en) * 2020-12-25 2021-05-04 江苏省未来网络创新研究院 Anti-virus gateway processing acceleration strategy based on user traffic characteristics
WO2021088641A1 (en) * 2019-11-07 2021-05-14 中兴通讯股份有限公司 Data transmission method, data processing method, data reception method and device, and storage medium
CN113094697A (en) * 2021-04-20 2021-07-09 云南电网有限责任公司信息中心 Safety protection control method based on black and white list
CN115174262A (en) * 2022-08-02 2022-10-11 浙江中控技术股份有限公司 Method and device for safely accessing internal network and electronic equipment
CN115549988A (en) * 2022-09-19 2022-12-30 江苏省人民医院(南京医科大学第一附属医院) Internal and external network data transmission system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170171170A1 (en) * 2015-12-09 2017-06-15 Xasp Security, Llc Dynamic encryption systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
夏演 (Xia Yan); 王煜 (Wang Yu). 基于转发隔离的文件安全传输系统 (A secure file transmission system based on forwarding isolation). 安徽理工大学学报(自然科学版) (Journal of Anhui University of Science and Technology, Natural Science Edition), 2018, No. 1, full text. *

Also Published As

Publication number Publication date
CN116545706A (en) 2023-08-04

Similar Documents

Publication Publication Date Title
US11483143B2 (en) Enhanced monitoring and protection of enterprise data
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
US9852300B2 (en) Secure audit logging
CN105027493B (en) Safety moving application connection bus
CN102685093B (en) Identity authorization system and method based on mobile terminal
US7590844B1 (en) Decryption system and method for network analyzers and security programs
US20180351734A1 (en) Cloud storage method and system
JP2017507629A (en) Security and data privacy for lighting sensor networks
US11063917B2 (en) Communication network with rolling encryption keys and data exfiltration control
US7266705B2 (en) Secure transmission of data within a distributed computer system
US8584228B1 (en) Packet authentication and encryption in virtual networks
CN109558739B (en) Program running method and device, terminal and readable medium
US20230037520A1 (en) Blockchain schema for secure data transmission
CN116545706B (en) Data security transmission control system, method and device and electronic equipment
CN105049448B (en) Single-sign-on device and method
Huang et al. Implementing publish/subscribe pattern for CoAP in fog computing environment
US10158610B2 (en) Secure application communication system
CN103905557A (en) Data storage method and device used for cloud environment and downloading method and device
KR101839048B1 (en) End-to-End Security Platform of Internet of Things
KR101541165B1 (en) Mobile message encryption method, computer readable recording medium recording program performing the method and download server storing the method
Junghanns et al. Engineering of secure multi-cloud storage
CN112989320B (en) User state management system and method for password equipment
EP2892206B1 (en) System and method for push framework security
CN109194650B (en) Encryption transmission method based on file remote encryption transmission system
US10764260B2 (en) Distributed processing of a product on the basis of centrally encrypted stored data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
