CN116684169A - Application layer data security transmission method and system based on network identity - Google Patents


Info

Publication number: CN116684169A
Application number: CN202310753780.6A
Authority: CN (China)
Prior art keywords: storage access, storage, request message, server, service request
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 杨晨光, 刘爱志, 赵磊
Current assignee: Research Institute of War of PLA Academy of Military Science
Original assignee: Research Institute of War of PLA Academy of Military Science
Priority date: 2023-06-26
Filing date: 2023-06-26
Publication date: 2023-09-01
Application filed by Research Institute of War of PLA Academy of Military Science; priority to CN202310753780.6A; published as CN116684169A; legal status Pending

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/08 for authentication of entities
            • H04L63/0807 using tickets, e.g. Kerberos
            • H04L63/0869 for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
        • H04L9/40 Network security protocols
    • Y (General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests) > Y02 (Technologies or applications for mitigation or adaptation against climate change) > Y02D (Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use)
    • Y02D30/00 Reducing energy consumption in communication networks
        • Y02D30/50 in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides an application layer data security transmission method and system based on network identity. The method comprises the following steps: the business application end obtains user information and performs identity authentication; after the identity authentication passes, the business application end initiates a storage access service request message; the storage access service request message is encrypted and transmitted to the storage access server by a message proxy; the storage access server obtains the storage index corresponding to the storage access service request message; the storage access server retrieves the corresponding business application data from the storage server according to the storage index; the storage server encrypts the corresponding business application data and returns the encrypted business application data to the storage access server; the storage access server feeds the encrypted business application data back to the business application end; after the identity authentication passes, the business application end obtains the decryption information, and decrypts and displays the received business application data. The system comprises a business application end, a storage access server and a storage server.

Description

Application layer data security transmission method and system based on network identity
[ field of technology ]
The invention relates to the technical field of network security, in particular to a method and a system for safely transmitting application layer data based on network identity.
[ background art ]
Secure data transmission is particularly important in the field of network security, but the prior art cannot meet the requirement for full-link transmission security of data within a platform.
[ invention ]
The invention provides an application layer data security transmission method and system based on network identity, and aims to achieve full-link transmission security of data within a platform.
An embodiment of the invention discloses an application layer data security transmission method based on network identity, which comprises the following steps:
S1, the business application end obtains user information and performs identity authentication;
S2, after the identity authentication passes, the business application end initiates a storage access service request message;
S3, the storage access service request message is encrypted and transmitted to the storage access server by a message proxy;
S4, the storage access server obtains the storage index corresponding to the storage access service request message;
S5, the storage access server retrieves the corresponding business application data from the storage server according to the storage index;
S6, the storage server encrypts the corresponding business application data and returns the encrypted business application data to the storage access server;
S7, the storage access server feeds the encrypted business application data back to the business application end;
S8, after the identity authentication passes, the business application end obtains the decryption information, and decrypts and displays the received business application data.
Before the business application end initiates the storage access service request message in step S2, the access authority of the user is authenticated, and the storage access service request message is initiated only after the access authority authentication passes.
The encryption and decryption algorithms include the AES algorithm, DES algorithm, RSA algorithm, or a national cryptographic algorithm.
In step S6, the storage server compresses the corresponding business application data and then encrypts the compressed data; in step S7, the storage access server feeds the compressed and encrypted business application data back to the business application end; and in step S8, the business application end decrypts and decompresses the received business application data.
The transmission of the encrypted storage access service request message to the storage access server by the message proxy in step S3 specifically comprises:
S31, after the storage access service request message is encrypted, it is transmitted to the message proxy server of the business application end;
S32, the message proxy server of the business application end decrypts the storage access service request message and obtains the address information of the storage access server;
S33, the message proxy server of the business application end re-encrypts the storage access service request message and transmits it to the storage access server according to the address information of the storage access server.
The acquisition by the storage access server of the storage index corresponding to the storage access service request message in step S4 specifically comprises:
S41, the message proxy server of the storage access server decrypts the storage access service request message and obtains the corresponding storage server information;
S42, the message proxy server of the storage access server re-encrypts the storage access service request message and routes it to the corresponding storage server;
S43, the storage access server decrypts the storage access service request message and obtains the storage index corresponding to it.
An embodiment of the invention provides an application layer data security transmission system based on network identity, which comprises a business application end, a storage access server and a storage server. The business application end is used to obtain user information and perform identity authentication; after the identity authentication passes, it initiates a storage access service request message, encrypts it, and transmits it to the storage access server through the message proxy; it is also used to obtain the decryption information after the identity authentication passes, and to decrypt and display the received business application data. The storage access server is used to obtain the storage index corresponding to the storage access service request message, retrieve the corresponding business application data from the storage server according to the storage index, and feed the encrypted business application data back to the business application end. The storage server is used to encrypt the corresponding business application data and return the encrypted business application data to the storage access server.
The application layer data security transmission method and system based on network identity of the invention use network identity identification technology to verify a user's access authority and access flow when data stored in the platform is accessed: they control access, verify or re-verify new nodes and applications, establish bidirectional trust, and prevent malicious addition, modification or extraction of data. This achieves full-link transmission security of data within the platform, and the invention can be applied to a data access convergence platform and a data processing integration platform.
[ description of the drawings ]
Fig. 1 is a flowchart of the application layer data security transmission method based on network identity according to Embodiment 1 of the invention;
Fig. 2 is a schematic diagram of the message routing process of the application layer data security transmission method based on network identity according to Embodiment 1 of the invention;
Fig. 3 is a schematic diagram of the application layer data security transmission system based on network identity according to Embodiment 2 of the invention.
[ detailed description of the invention ]
The inventors found that an application layer data security transmission scheme of this kind supports security management of data across its whole life cycle during transmission, including encryption and decryption of the transmitted data and network-identity-based authority control of the subjects taking part in the transmission; it achieves full-link transmission security of data within the platform and applies to a data access convergence platform and a data processing integration platform. Encryption of the data transmission process is supported, and so is encryption and decryption of files persisted to storage. The platform supports various encryption algorithms by default, including AES, DES, RSA and the national cryptographic algorithms, and also supports user-defined data encryption and decryption algorithms. The embodiments are described in detail below.
Embodiment 1. The application layer data security transmission method based on network identity of this embodiment, as shown in Fig. 1 and Fig. 2, comprises the following main steps:
101. The business application end obtains the user information and performs identity authentication.
Specifically, taking a customer profile ("customer portrait") application as an example: in the business layer of the business application end, the customer profile application client initiates identity authentication to the customer profile application server through the user pass TGC (Token Granting Cookie), and the business application end obtains the user information and performs identity authentication.
102. After the identity authentication passes, the access authority of the user is authenticated.
Specifically, the customer profile application client is authenticated against the authority list, which completes the identity authority service.
103. The business application end initiates the storage access service request message.
Specifically, after the access authority authentication is completed, the customer profile application client obtains the identity service token ST (Service Token) and triggers the data layer of the business application end to initiate the storage access service request message.
104. The storage access service request message is encrypted and transmitted to the storage access server by the message proxy.
Specifically, the storage access service request message is encrypted at the data layer of the business application end and transmitted to the message proxy server in the communication layer of the business application end. The message proxy server decrypts the storage access service request message, obtains the address information of the storage access server, re-encrypts the message, and transmits it to the storage access server according to that address information.
105. The storage access server obtains the storage index corresponding to the storage access service request message.
Specifically, the message proxy server in the communication layer of the storage access server decrypts the storage access service request message and obtains the corresponding storage server information. The message proxy server re-encrypts the storage access service request message and routes it to the corresponding storage server. When the message reaches the data layer of the storage access server, the storage access server decrypts the storage access service request message and obtains the storage index corresponding to it.
106. The storage access server retrieves the corresponding business application data from the storage server according to the storage index.
107. The storage server encrypts the corresponding business application data and returns the encrypted business application data to the storage access server.
In this step the business application data is preferably compressed before it is encrypted, to improve transmission efficiency.
108. The storage access server feeds the encrypted business application data back to the business application end.
In this step the storage access server feeds the compressed and encrypted business application data back to the business application end.
109. After the identity authentication passes, the business application end obtains the decryption information, and decrypts and displays the received business application data.
In this step the business application end decrypts and decompresses the received business application data and displays the result.
In the method of this embodiment, the encryption, decryption and compression algorithms include, but are not limited to, the AES algorithm, DES algorithm, RSA algorithm, or a national cryptographic algorithm, together with third-party data encryption and compression algorithms. The application servers, networks and other hardware resources shown in Fig. 2 are of conventional configuration and are not described in detail. The method of this embodiment uses network identity identification technology to verify the user's access authority and access flow when data stored in the platform is accessed: it controls access, verifies or re-verifies new nodes and applications, establishes bidirectional trust, and prevents malicious addition, modification or extraction of data. Data encryption and data compression are provided at the data storage layer and the data transport layer, and third-party data encryption and compression algorithms can be loaded.
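The flow of steps 101 to 109, worked through as an added example that is not part of the patent or of any implementation of it. It is a stdlib-only Python model: the identity service issues a TGC after authentication and a service token ST only after the authority-list check; the request message is encrypted at the business application end, decrypted and re-encrypted at the application-side message proxy (steps S31 to S33) and again at the storage-access-side proxy (steps S41 and S42); the storage server compresses and then encrypts the business data; and the business application end decrypts and decompresses it with the decryption information it holds after authentication. Everything here is an assumption of the example: the per-hop keys, the token format, the authority list, the route and index tables, the sample record, and the cipher, which is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES, DES, RSA or national algorithms the text names.

```python
import hashlib
import hmac
import json
import secrets
import time
import zlib

# Constructed stand-in cipher (NOT AES/DES/SM): HMAC-SHA256 keystream plus an
# encrypt-then-MAC tag. Blob layout: nonce(16) || ciphertext || tag(32).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range((len(data) + 31) // 32):          # one 32-byte keystream block per chunk
        ks = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")   # tampered, or wrong hop key
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

# Identity service (constructed): TGC after authentication (step 101), ST only after
# the authority-list check (steps 102-103). Tokens are HMAC-signed JSON with expiry.
TOKEN_KEY = secrets.token_bytes(32)
AUTHORITY_LIST = {"alice": {"customer_profile:read"}}      # constructed permission list

def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()

def _verify(token: str, typ: str) -> dict:
    body_hex, mac = token.split(".")
    body = bytes.fromhex(body_hex)
    if not hmac.compare_digest(mac, hmac.new(TOKEN_KEY, body, hashlib.sha256).hexdigest()):
        raise PermissionError("bad token signature")
    payload = json.loads(body)
    if payload["typ"] != typ or payload["exp"] < time.time():
        raise PermissionError("wrong token type or expired token")
    return payload

def issue_tgc(user: str) -> str:
    return _sign({"typ": "TGC", "sub": user, "exp": time.time() + 600})

def issue_service_token(tgc: str, authority: str) -> str:
    user = _verify(tgc, "TGC")["sub"]
    if authority not in AUTHORITY_LIST.get(user, set()):
        raise PermissionError(f"{user} is not granted {authority}")
    return _sign({"typ": "ST", "sub": user, "aut": authority, "exp": time.time() + 60})

# Per-hop keys (constructed): each proxy decrypts and re-encrypts, so every proxy
# holds plaintext and a hop key. DATA_KEY plays the "decryption information".
HOP_KEYS = {h: secrets.token_bytes(32) for h in ("app>proxy", "proxy>proxy", "proxy>sas")}
DATA_KEY = secrets.token_bytes(32)
ROUTES = {"customer_profile": "sas-1"}                       # constructed address info
STORAGE_INDEX = {"customer_profile/alice": "idx-42"}          # constructed index table
STORAGE = {"idx-42": json.dumps({"customer": "alice", "segment": "gold"}).encode()}

def app_message_proxy(blob: bytes) -> tuple:            # steps S31-S33
    req = json.loads(decrypt(HOP_KEYS["app>proxy"], blob))
    address = ROUTES[req["resource"].split("/")[0]]     # acquire storage access server address
    return address, encrypt(HOP_KEYS["proxy>proxy"], json.dumps(req).encode())

def sas_message_proxy(blob: bytes) -> bytes:            # steps S41-S42
    req = json.loads(decrypt(HOP_KEYS["proxy>proxy"], blob))
    return encrypt(HOP_KEYS["proxy>sas"], json.dumps(req).encode())

def storage_server(index: str) -> bytes:                # step 107: compress, then encrypt
    return encrypt(DATA_KEY, zlib.compress(STORAGE[index]))

def storage_access_server(blob: bytes) -> bytes:        # steps S43 and 106-108
    req = json.loads(decrypt(HOP_KEYS["proxy>sas"], blob))
    st = _verify(req["st"], "ST")
    if st["aut"] != req["resource"].split("/")[0] + ":read":
        raise PermissionError("service token does not cover this resource")
    return storage_server(STORAGE_INDEX[req["resource"]])

def business_application_end(user: str, resource: str) -> dict:   # steps 101-109, end to end
    tgc = issue_tgc(user)                                         # identity authenticated
    st = issue_service_token(tgc, resource.split("/")[0] + ":read")
    req = json.dumps({"st": st, "resource": resource}).encode()
    _address, relayed = app_message_proxy(encrypt(HOP_KEYS["app>proxy"], req))
    encrypted = storage_access_server(sas_message_proxy(relayed))
    return json.loads(zlib.decompress(decrypt(DATA_KEY, encrypted)))   # decrypt, decompress

if __name__ == "__main__":
    print(business_application_end("alice", "customer_profile/alice"))
```

Running the file prints the decrypted record for alice. A user absent from the authority list is refused in issue_service_token, before any storage request is built, and a message altered in transit fails the tag check at the next hop with ValueError. Two properties of the described design are visible in the model: every message proxy holds plaintext and a hop key, so the proxies are trusted components that need the same protection as the endpoints, and compressing before encrypting makes the ciphertext length depend on the content, which matters when a record mixes secrets with data an outside party can influence.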
Embodiment 2. The application layer data security transmission system based on network identity of this embodiment is implemented with the method of Embodiment 1 and, as shown in Fig. 3, comprises a business application end 201, a storage access server 202 and a storage server 203.
The business application end 201 is configured to obtain user information and perform identity authentication, to initiate a storage access service request message after the identity authentication passes, and to encrypt the storage access service request message and transmit the encrypted message to the storage access server 202 by the message proxy; it is also configured to obtain the decryption information after the identity authentication passes, and to decrypt and display the received business application data.
The storage access server 202 is configured to obtain the storage index corresponding to the storage access service request message, retrieve the corresponding business application data from the storage server 203 according to the storage index, and feed the encrypted business application data back to the business application end 201.
The storage server 203 is configured to encrypt the corresponding business application data and return the encrypted business application data to the storage access server 202.
In the system of this embodiment, the encryption, decryption and compression algorithms include, but are not limited to, the AES algorithm, DES algorithm, RSA algorithm, or a national cryptographic algorithm, together with third-party data encryption and compression algorithms. The system of this embodiment uses network identity identification technology to verify the user's access authority and access flow when data stored in the platform is accessed: it controls access, verifies or re-verifies new nodes and applications, establishes bidirectional trust, and prevents malicious addition, modification or extraction of data. Data encryption and data compression are provided at the data storage layer and the data transport layer, and third-party data encryption and compression algorithms can be loaded.
The description and applications of the present invention herein are illustrative and exemplary only and are not intended to limit the scope of the invention to the embodiments described above. Variations and modifications of the embodiments disclosed herein are fully possible and various alternatives and equivalents of the embodiments are known to those skilled in the art. It will also be apparent to those of skill in the art that the invention may be embodied in other forms, structures, arrangements, proportions, and with other components, materials, and parts, without departing from the spirit or essential characteristics thereof, and that other variations and modifications may be made in the embodiments disclosed herein without departing from the scope or spirit of the invention.

Claims (7)

1. An application layer data security transmission method based on network identity, characterized by comprising the following steps:
S1, the business application end obtains user information and performs identity authentication;
S2, after the identity authentication passes, the business application end initiates a storage access service request message;
S3, the storage access service request message is encrypted and transmitted to the storage access server by a message proxy;
S4, the storage access server obtains the storage index corresponding to the storage access service request message;
S5, the storage access server retrieves the corresponding business application data from the storage server according to the storage index;
S6, the storage server encrypts the corresponding business application data and returns the encrypted business application data to the storage access server;
S7, the storage access server feeds the encrypted business application data back to the business application end;
S8, after the identity authentication passes, the business application end obtains the decryption information, and decrypts and displays the received business application data.
2. The application layer data security transmission method based on network identity according to claim 1, wherein in step S2, before the business application end initiates the storage access service request message, the access authority of the user is authenticated, and the storage access service request message is initiated after the access authority authentication passes.
3. The application layer data security transmission method based on network identity according to claim 1, wherein the encryption and decryption algorithm comprises the AES algorithm, DES algorithm, RSA algorithm, or a national cryptographic algorithm.
4. The application layer data security transmission method based on network identity according to claim 1, wherein in step S6 the storage server compresses the corresponding business application data before encrypting it; in step S7 the storage access server feeds the compressed and encrypted business application data back to the business application end; and in step S8 the business application end decrypts and decompresses the received business application data.
5. The application layer data security transmission method based on network identity according to claim 1, wherein the transmission of the encrypted storage access service request message to the storage access server by the message proxy in step S3 specifically comprises:
S31, after the storage access service request message is encrypted, it is transmitted to the message proxy server of the business application end;
S32, the message proxy server of the business application end decrypts the storage access service request message and obtains the address information of the storage access server;
S33, the message proxy server of the business application end re-encrypts the storage access service request message and transmits it to the storage access server according to the address information of the storage access server.
6. The application layer data security transmission method based on network identity according to claim 1, wherein the acquisition by the storage access server of the storage index corresponding to the storage access service request message in step S4 specifically comprises:
S41, the message proxy server of the storage access server decrypts the storage access service request message and obtains the corresponding storage server information;
S42, the message proxy server of the storage access server re-encrypts the storage access service request message and routes it to the corresponding storage server;
S43, the storage access server decrypts the storage access service request message and obtains the storage index corresponding to it.
7. An application layer data security transmission system based on network identity, comprising a business application end, a storage access server and a storage server, wherein:
the business application end is used to obtain user information and perform identity authentication; after the identity authentication passes, it initiates a storage access service request message, encrypts it, and transmits it to the storage access server through the message proxy; it is also used to obtain the decryption information after the identity authentication passes, and to decrypt and display the received business application data;
the storage access server is used to obtain the storage index corresponding to the storage access service request message, retrieve the corresponding business application data from the storage server according to the storage index, and feed the encrypted business application data back to the business application end;
and the storage server is used to encrypt the corresponding business application data and return the encrypted business application data to the storage access server.

Priority Applications (1)

Application Number: CN202310753780.6A
Priority Date: 2023-06-26
Filing Date: 2023-06-26
Title: Application layer data security transmission method and system based on network identity

Publications (1)

Publication Number: CN116684169A (en)
Publication Date: 2023-09-01

Family

ID: 87779094
Family Applications (1): CN202310753780.6A, Pending, published as CN116684169A (en), priority date 2023-06-26, filing date 2023-06-26
Country Status (1): CN, CN116684169A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination