CN116961959A - Data transmission method and network isolation equipment - Google Patents

Data transmission method and network isolation equipment

Info

Publication number
CN116961959A
Authority
CN
China
Prior art keywords
data packet
sub
verification
data
field
Legal status
Pending
Application number
CN202211006327.0A
Other languages
Chinese (zh)
Inventor
张杨
彭华熹
张艳
李邦灵
马爱良
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08 Protocols for interworking; Protocol conversion

Abstract

The application provides a data transmission method and network isolation equipment, wherein the data transmission method comprises the following steps: acquiring a first data packet sent by first equipment; converting the first data packet into a second data packet based on a preset protocol; generating the first data packet based on the second data packet when the second data packet passes the verification; transmitting the first data packet to a second device; wherein the first device and the second device belong to networks of different security levels. The application can improve the data isolation effect.

Description

Data transmission method and network isolation equipment
Technical Field
The present application relates to the field of network information security technologies, and in particular, to a data transmission method and a network isolation device.
Background
Networks with different security levels usually need to be isolated from one another. At present the main isolation measure is the firewall, but a firewall does not break the network connection between the internal network and the external network, so the risk of hijacking and multiplexing remains and the data isolation effect is poor.
Disclosure of Invention
The application provides a data transmission method and network isolation equipment, which are used for solving the problem of poor data isolation effect.
In a first aspect, an embodiment of the present application provides a data transmission method, which is applied to a network isolation device, including:
acquiring a first data packet sent by first equipment;
converting the first data packet into a second data packet based on a preset protocol;
generating the first data packet based on the second data packet when the second data packet passes the verification;
and sending the first data packet to second equipment.
In a second aspect, an embodiment of the present application further provides a network isolation device, including:
the first interface unit is used for acquiring a first data packet sent by the first equipment;
the first processing unit is used for converting the first data packet into a second data packet based on a preset protocol;
a second processing unit, configured to generate the first data packet based on the second data packet if the second data packet passes the verification;
a second interface unit, configured to send the first data packet to a second device;
the first interface unit is used for communicating with the first device, the second interface unit is used for communicating with the second device, the first end of the first interface unit is connected with the first end of the first processing unit, the second end of the first processing unit is connected with the first end of the second processing unit, and the second end of the second processing unit is connected with the first end of the second interface unit.
In a third aspect, an embodiment of the present application further provides a data transmission apparatus, including:
the receiving module is used for acquiring a first data packet sent by the first equipment;
the conversion module is used for converting the first data packet into a second data packet based on a preset protocol;
the generation module is used for generating the first data packet based on the second data packet under the condition that the second data packet passes verification;
and the sending module is used for sending the first data packet to the second equipment.
In a fourth aspect, an embodiment of the present application further provides an electronic device, including a processor and a memory, where the memory stores a program or instructions executable on the processor, the program or instructions implementing the steps of the data transmission method according to the first aspect when executed by the processor.
In a fifth aspect, embodiments of the present application further provide a readable storage medium having stored thereon a program or instructions which, when executed by a processor, implement the steps of the data transmission method according to the first aspect.
In the embodiments of the application, for a first data packet that the first device needs to transmit to the second device, the first data packet is converted into a second data packet based on the preset protocol, the second data packet is verified, and, if the second data packet passes verification, the first data packet is regenerated from the second data packet and sent to the second device. Data transmission is thus realized between the first device and the second device. Because the first data packet is converted into the second data packet based on the preset protocol, the network isolation device can verify the second data packet and, only if it passes verification, convert it back into the first data packet; neither the first device nor the second device can learn the rule by which transmitted data packets are verified. This improves the security and effectiveness of data isolation, and thus the isolation effect.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort to a person skilled in the art.
Fig. 1 is a schematic flow chart of a data transmission method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a network isolation device according to an embodiment of the present application;
Fig. 3 is a second schematic diagram of a network isolation device according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a network isolation method according to an embodiment of the present application;
Fig. 5 is a second flow chart of a network isolation method according to an embodiment of the present application;
Fig. 6 is a schematic diagram of packet protocol conversion according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first," "second," and the like in embodiments of the present application are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Furthermore, "and/or" in the present application means at least one of the connected objects; for example, "A and/or B and/or C" covers 7 cases: A alone, B alone, C alone, both A and B, both B and C, both A and C, and all of A, B and C.
Referring to fig. 1, fig. 1 is a flow chart of a data transmission method according to an embodiment of the present application, which is applied to a network isolation device, as shown in fig. 1, and includes the following steps:
step 101, a first data packet sent by a first device is obtained.
The first data packet may be a data packet that the first device wants to send to a second device in another network.
By way of example, embodiments of the present application may be applied to an electronic device that may mediate communications between network devices that are isolated from each other, and may be used for secure isolation of data communicated between devices.
Step 102, converting the first data packet into a second data packet based on a preset protocol.
It should be noted that, the preset protocol is a private protocol, i.e. a protocol that is not disclosed to the outside. The first data packet is a data packet composed according to a network protocol established or agreed by both parties of data transmission, for example, a transmission control protocol/internet protocol (Transmission Control Protocol/Internet Protocol, TCP/IP), a point-to-point protocol (Point to Point Protocol, PPP), and the like.
In addition, the second device may also convert a data packet into a data packet conforming to a private protocol when the second device needs to send the data packet to the first device, where the private protocol may be different from the predetermined protocol.
Based on protocol conversion of the data packet, the first data packet may be converted into a second data packet according to the preset protocol; that is, the content of the second data packet is not known to the first device or to other devices. The second data packet conforms to the preset protocol, so that verification and filtering may be performed on it according to a preset rule.
Step 103, generating a first data packet based on the second data packet when the second data packet passes the verification.
When two devices belonging to the mutually isolated networks perform data transmission, the transmitted data can be verified to ensure the safety of the data transmission. In the case that the packet verification is passed, transmission of the packet may be performed; in case the packet verification is not passed, the packet may be discarded, avoiding transmission of risky data.
The security verification of the second data packet may be implemented by verifying the format of the second data packet, or may be implemented by verifying the content of the second data packet, for example, whether the second data packet conforms to the format of the preset protocol may be verified, so as to ensure that the conversion of the second data packet is correct.
Step 104, the first data packet is sent to the second device.
The first device and the second device may belong to two mutually isolated networks, for example networks with different security levels: a device in the higher-security network may transmit data to a device in the lower-security network (for example, an intranet transmits data to an extranet), or a device in the lower-security network may transmit data to a device in the higher-security network (for example, an extranet transmits data to an intranet). The first device and the second device may also belong to two networks that are isolated from each other but have the same security level; data isolation and secure communication are then implemented by the network isolation device.
In the embodiments of the application, for a first data packet that the first device needs to transmit to the second device, the first data packet is converted into a second data packet based on the preset protocol, the second data packet is verified, and, if the second data packet passes verification, the first data packet is regenerated from the second data packet and sent to the second device. Data transmission is thus realized between the first device and the second device. Because the first data packet is converted into the second data packet based on the preset protocol, the network isolation device can verify the second data packet and, only if it passes verification, convert it back into the first data packet; neither the first device nor the second device can learn the rule by which transmitted data packets are verified. This improves the security and effectiveness of data isolation, and thus the isolation effect.
Optionally, before the first data packet is converted into the second data packet based on the preset protocol in step 102, the following steps may be further included:
verifying the first data packet to obtain a first verification result;
in step 102, the converting the first data packet into the second data packet based on the preset protocol may specifically include:
and under the condition that the first verification result indicates that verification is passed, converting the first data packet into a second data packet based on a preset protocol.
The method and device do not limit the specific verification mode; verification may be performed by way of a preset filtering rule. For example, the specific rules that a verified data packet must satisfy may be enumerated, only data packets satisfying those rules are allowed to pass, and data packets that do not satisfy them are discarded; alternatively, a negative list may be used, in which data packets matching the negative list are discarded and data packets not matching it are allowed to pass. For example, the source address, the destination address and the port number may be used as filtering conditions: a first list of source addresses, destination addresses and port numbers that may pass filtering may be preset, so that a data packet matching the first list passes verification; or a second list of source addresses, destination addresses and port numbers that may not pass filtering may be set, so that a data packet not matching the second list passes verification.
For another example, an isolation authentication code may be added to the packet content field of the data packet, and specifically, an isolation authentication code may be added to the end of the packet content field of the data packet. Only the data packet passing the legal authentication of the isolation authentication code is not discarded, specifically, the isolation authentication code can be calculated and generated by the first device according to a preset rule, that is, the first data packet sent by the first device can also carry an isolation authentication code, and of course, after the isolation authentication code of the first data packet passes verification, the isolation authentication code can be stripped to obtain the original first data packet, and the first data packet is converted into a second data packet conforming to a preset protocol.
It may be appreciated that, in the case that the first verification result indicates that verification is passed, the first data packet may be converted into the second data packet based on a preset protocol, so as to verify the second data packet; under the condition that the first verification result indicates that the verification is not passed, the first data packet can be considered to be not in accordance with the requirement of data transmission, the first data packet is discarded, and the verification is performed after the first data packet is not required to be converted into the second data packet in accordance with the preset protocol.
In this embodiment, the first data packet is verified to obtain a first verification result, and the first data packet is converted into the second data packet based on the preset protocol when the first verification result indicates that the verification is passed, so that the security of the first data packet can be primarily judged to improve the security of data transmission.
Optionally, in step 103, before generating the first data packet based on the second data packet, if the second data packet passes the verification, the method may further include the following steps:
analyzing the second data packet to obtain an analysis field of the second data packet;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result;
in step 103, in the case that the second data packet passes the verification, generating the first data packet based on the second data packet includes:
and generating a first data packet based on the second data packet in the case that the second verification result indicates that the verification is passed.
Before converting the second data packet into the first data packet, the second data packet may be verified, for example, the format or the content of the second data packet may be verified, specifically, the parsing field of the second data packet may be obtained by parsing the second data packet, and the parsing field may be compared with the preset field of the preset protocol, so as to determine whether the second data packet obtained by the conversion accords with the preset protocol. Therefore, the first data packet can be ensured to be correctly converted into the second data packet according to the preset protocol, and the data packet which is not converted by the preset protocol or is incorrectly converted into the data packet which accords with the preset protocol is prevented from passing verification.
In addition, if the second verification result indicates that verification is not passed, the second data packet may be discarded, i.e. the first data packet is no longer transmitted to the second device.
Optionally, the preset field includes a protocol type field, a length field, a data field and a check field, the parsing field includes N parsing subfields, and N is a positive integer;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result, which may specifically include:
matching the N analysis subfields with the protocol type field, the length field, the data field and the check field respectively to obtain matching results of the N analysis subfields;
and determining a second verification result based on the matching result.
It will be appreciated that when N is less than the number of specific fields in the preset field, the second data packet cannot pass verification; for example, when N is 1, even if that single parsing sub-field matches one of the protocol type field, the length field, the data field and the check field, the verification result of the second data packet is considered to be not passed.
That is, the verification result of the second data packet may be considered as passing the verification only when the protocol type field, the length field, the data field, and the verification field have a matching parsing sub-field in the N parsing sub-fields.
In the embodiment, matching results of the N analysis subfields are obtained by respectively matching the N analysis subfields with a protocol type field, a length field, a data field and a check field; and based on the matching result, a second verification result is determined, namely, whether the second data packet accords with the field format of the preset protocol or not is judged, and verification is performed on the second data packet, so that the efficiency is high.
Optionally, determining the second verification result based on the matching result may specifically include:
under the condition that the protocol type field, the length field, the data field and the check field have a matched analysis sub-field in the N analysis sub-fields, acquiring the protocol type, the length, the data and the check code of the second data packet;
determining a target check code of the second data packet based on the protocol type, the length and the data of the second data packet;
obtaining a second verification result based on the target verification code and the verification code of the second data packet;
and under the condition that the target check code is consistent with the check code of the second data packet, the second verification result is a result indicating that verification is passed.
Once it has been determined that the second data packet conforms to the field format of the preset protocol, the content of the second data packet can be further verified, specifically by means of the check code in the second data packet.
The check code may be calculated by a preset or agreed algorithm; for example, the value of the check code may be obtained by computing, with a cryptographic digest algorithm, the digest of a key together with the other fields of the data packet. Specifically, the cryptographic digest algorithm used in the embodiments of the present application may be the MD5 Message-Digest Algorithm (MD5), a Secure Hash Algorithm (SHA), or the like.
The second verification result of the second data packet is determined by comparing the target verification code with the verification code of the second data packet, so that the verification of the content of the second data packet is performed by the verification code, and the reliability of data verification can be further improved.
In addition, in the case that the target check code is consistent with the check code of the second data packet, the second verification result is a result indicating that verification is passed; and under the condition that the target check code is inconsistent with the check code of the second data packet, the second verification result is a result indicating that verification is not passed.
Optionally, the second data packet includes a first sub-packet and a second sub-packet, where the first sub-packet is used to represent a network protocol corresponding to the first data packet, and the second sub-packet is used to represent data content of the first data packet;
in step 103, in the case that the second data packet passes the verification, generating the first data packet based on the second data packet may specifically include:
respectively verifying the first sub-data packet and the second sub-data packet;
and generating the first data packet based on the first sub-data packet and the second sub-data packet under the condition that the first sub-data packet and the second sub-data packet pass verification.
As an alternative embodiment, when the first data packet is converted into the second data packet, it may be split into a data packet describing the protocol and a data packet describing the content of the data packet. That is, when the second data packet is verified, the first sub-data packet and the second sub-data packet can be verified separately, and when both pass verification, the first sub-data packet and the second sub-data packet are combined and converted to obtain the first data packet.
In this embodiment, the first data packet is converted into the first sub data packet and the second sub data packet based on a preset protocol, so that the complexity of the preset protocol can be improved, the difficulty of cracking the preset protocol is increased, and the security of data transmission is improved. And the first sub-data packet is used for representing a network protocol corresponding to the first data packet, the second sub-data packet is used for representing the data content of the first data packet, and the first data packet can be generated based on the first sub-data packet and the second sub-data packet without influencing data transmission under the condition that the first sub-data packet and the second sub-data packet pass verification.
Optionally, the first sub-packet and the second sub-packet each include an identification field, and the identification of the identification field of the first sub-packet is matched with the identification of the identification field of the second sub-packet;
under the condition that the first sub-data packet and the second sub-data packet pass verification, generating the first data packet based on the first sub-data packet and the second sub-data packet specifically can include:
under the condition that the first sub-data packet and the second sub-data packet pass verification, the first sub-data packet and the second sub-data packet are converted based on the identification of the identification field of the first sub-data packet and the identification of the identification field of the second sub-data packet, so that the first data packet is obtained.
It can be understood that after the first data packet is converted into two independent sub-packets, the verification processes of the first sub-packet and the second sub-packet are also independent. By using the identifier of the identifier field in each packet, for example by requiring that the identifier of the identifier field in the first sub-packet and the identifier of the identifier field in the second sub-packet are consistent, the two packets obtained by converting the same original packet can be quickly found, then combined and converted to reversely generate the original packet.
Optionally, taking the first sub-packet including the identifier of the identifier field as an example, the first sub-packet may further include a protocol type corresponding to the protocol type field, a length corresponding to the length field, data corresponding to the data field, and a check code corresponding to the check field, where the check code in the first sub-packet may be generated based on the identifier of the first sub-packet, the protocol type, the length, and the data.
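The following example, added here and not part of the patent, implements in Python the verification described above: a sub-packet with an identifier, protocol type, length, data and check field is parsed into its sub-fields, every preset field must have a matching sub-field, the target check code is recomputed and compared with the carried one, and the two sub-packets of one original packet are matched by identifier before the original packet is regenerated. The byte layout, the HMAC-SHA-256 check code and the shared key are assumptions; the patent only names the four fields and a keyed cryptographic digest.

```python
import hashlib
import hmac
import json
import struct

# Constructed key shared by the two processing units of the isolation device
# (assumption: the patent only says the check code is a keyed digest).
ISOLATION_KEY = b"example-isolation-key-do-not-reuse"

# The four preset fields of the private protocol named in the patent.
PRESET_FIELDS = ("protocol_type", "length", "data", "check")

# Sub-packet types: 1 describes the network protocol, 2 carries the content.
TYPE_PROTOCOL = 1
TYPE_CONTENT = 2

# Assumed layout: identifier (4 bytes), protocol type (1), length (2), then data, then check.
HEADER = struct.Struct("!IBH")
CHECK_LEN = 32  # SHA-256 digest length


def check_code(ident: int, ptype: int, length: int, data: bytes) -> bytes:
    """Target check code over the other fields, keyed so endpoints cannot forge it."""
    msg = HEADER.pack(ident, ptype, length) + data
    return hmac.new(ISOLATION_KEY, msg, hashlib.sha256).digest()


def build_subpacket(ident: int, ptype: int, data: bytes) -> bytes:
    return HEADER.pack(ident, ptype, len(data)) + data + check_code(ident, ptype, len(data), data)


def convert_first_to_second(first: dict, ident: int):
    """Step 102: split the first packet into a protocol sub-packet and a content sub-packet."""
    proto = json.dumps({k: first[k] for k in ("protocol", "src", "dst", "port")}).encode()
    return (build_subpacket(ident, TYPE_PROTOCOL, proto),
            build_subpacket(ident, TYPE_CONTENT, first["payload"]))


def parse_subpacket(raw: bytes) -> dict:
    """Parse into N parsing sub-fields; fields that are short or missing are simply absent."""
    fields = {}
    if len(raw) < HEADER.size:
        return fields
    ident, ptype, length = HEADER.unpack_from(raw)
    fields.update(identifier=ident, protocol_type=ptype, length=length)
    body = raw[HEADER.size:]
    if len(body) >= length:
        fields["data"] = body[:length]
    if len(body) >= length + CHECK_LEN:
        fields["check"] = body[length:length + CHECK_LEN]
    return fields


def verify_subpacket(raw: bytes):
    """Second verification: field-format match first, then check-code comparison."""
    fields = parse_subpacket(raw)
    # N < 4 (any preset field without a matching sub-field) fails the format check.
    if any(f not in fields for f in PRESET_FIELDS):
        return False, fields
    target = check_code(fields["identifier"], fields["protocol_type"],
                        fields["length"], fields["data"])
    # Constant-time comparison of the target check code with the carried one.
    return hmac.compare_digest(target, fields["check"]), fields


def convert_second_to_first(sub_a: bytes, sub_b: bytes):
    """Step 103: verify both sub-packets, match identifiers, regenerate the first packet.
    Returns None when the packet must be discarded."""
    ok_a, fa = verify_subpacket(sub_a)
    ok_b, fb = verify_subpacket(sub_b)
    if not (ok_a and ok_b) or fa["identifier"] != fb["identifier"]:
        return None
    by_type = {fa["protocol_type"]: fa, fb["protocol_type"]: fb}
    if set(by_type) != {TYPE_PROTOCOL, TYPE_CONTENT}:
        return None
    first = json.loads(by_type[TYPE_PROTOCOL]["data"])
    first["payload"] = by_type[TYPE_CONTENT]["data"]
    return first


if __name__ == "__main__":
    # Constructed sample first packet (addresses from documentation ranges).
    pkt = {"protocol": "TCP/IP", "src": "10.0.0.5", "dst": "192.0.2.10",
           "port": 443, "payload": b"hello"}
    a, b = convert_first_to_second(pkt, 7)
    print("round trip ok:", convert_second_to_first(a, b) == pkt)
    tampered = b[:HEADER.size] + b"jello" + b[HEADER.size + 5:]
    print("tampered discarded:", convert_second_to_first(a, tampered) is None)
```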
As shown in fig. 2, an embodiment of the present application further provides a network isolation device, including:
a first interface unit 201, configured to obtain a first data packet sent by a first device;
the first processing unit 202 is configured to convert the first data packet into a second data packet based on a preset protocol;
a second processing unit 203, configured to generate a first data packet based on the second data packet if the second data packet passes verification;
a second interface unit 204, configured to send the first data packet to the second device;
the first interface unit 201 is configured to communicate with a first device, the second interface unit 204 is configured to communicate with a second device, a first end of the first interface unit 201 is connected to a first end of the first processing unit 202, a second end of the first processing unit 202 is connected to a first end of the second processing unit 203, and a second end of the second processing unit 203 is connected to a first end of the second interface unit 204.
Specifically, the first interface unit 201 and the second interface unit 204 may be hardware devices such as a network card, a serial communication interface, a video communication interface, an ethernet interface, and a USB interface, so as to implement communication with other devices, for example, the first interface unit 201 receives a first data packet sent by a first device, and after verifying the first data packet, the second interface unit 204 sends the first data packet to a second device, so as to implement data transmission between the first device and the second device in networks with different security levels; the second interface unit 204 may also be configured to receive data sent by the second device and send the data to the first device through the first interface unit 201, and for a specific process, reference may be made to the above embodiment.
Specifically, the first processing unit 202 and the second processing unit 203 may be implemented by a central processing unit (Central Processing Unit, CPU), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a Field programmable gate array (Field-Programmable Gate Array, FPGA), a complex programmable logic device (Complex Programmable Logic Device, CPLD), or the like.
In the embodiment of the present application, for a first data packet that a first device needs to transmit to a second device, the first interface unit 201 obtains the first data packet; after the first processing unit 202 converts the first data packet into a second data packet based on the preset protocol, the second data packet is verified; if the second data packet passes verification, the second processing unit 203 regenerates the first data packet from the second data packet and sends it to the second device through the second interface unit 204. Data transmission can thus be implemented between a first device and a second device belonging to networks with different security levels. Because the first data packet is converted into the second data packet based on the preset protocol and is converted back into the first data packet only if the second data packet passes verification, the security and effectiveness of data isolation, and hence the isolation effect, are improved.
Optionally, the first processing unit 202 is further configured to verify the first data packet to obtain a first verification result;
and under the condition that the first verification result indicates that verification is passed, converting the first data packet into a second data packet based on a preset protocol.
Optionally, the apparatus further comprises a first isolation unit 205 and a second isolation unit 206. The first isolation unit 205 is configured to verify the second data packet; the second isolation unit 206 is configured to verify a third data packet sent by the second processing unit 203 and to send the third data packet to the first processing unit 202 if it passes verification;
the second end of the first processing unit 202 is connected to the first end of the first isolation unit 205, and the second end of the first isolation unit 205 is connected to the first end of the second processing unit 203;
the first end of the second processing unit 203 is connected to the first end of the second isolation unit 206, and the second end of the second isolation unit 206 is connected to the second end of the first processing unit 202.
It will be appreciated that the transmission of the data packet from the first processing unit 202 to the first isolation unit 205 to the second processing unit 203 is unidirectional, and the transmission of the data packet from the second processing unit 203 to the second isolation unit 206 to the first processing unit 202 is unidirectional.
For example, the first isolation unit 205 and the second isolation unit 206 may be implemented with FPGAs that provide only the unidirectional data-filtering function and have no other computing or storage functions, so that the isolation function is implemented correctly and completely, giving higher security.
Taking as an example the case where the security level of the network in which the first device is located is higher than that of the network in which the second device is located, data transmitted from the first device to the second device passes through the network isolation device in the order first interface unit 201, first processing unit 202, first isolation unit 205, second processing unit 203, second interface unit 204, and data transmitted from the second device to the first device passes through the network isolation device in the order second interface unit 204, second processing unit 203, second isolation unit 206, first processing unit 202, first interface unit 201. That is, data transmitted from the first device to the second device and data transmitted from the second device to the first device follow different transmission paths.
For the first device, even if the second device controls or compromises the second processing unit 203, it is difficult for it to learn the packet verification or protocol conversion scheme used by the first processing unit 202; for the second device, even if the first device controls or compromises the first processing unit 202, it is difficult for it to learn the packet verification or protocol conversion scheme used by the second processing unit 203. The data isolation effect for both parties is therefore good, and the security of both parties can be further improved.
Optionally, the second interface unit 204 is further configured to obtain a fourth data packet sent by the second device;
the second processing unit 203 is further configured to obtain a fourth data packet sent by the second device and received through the second interface unit 204, and verify the fourth data packet to obtain a third verification result;
and converting the fourth data packet into a third data packet in the case that the third verification result indicates that the verification is passed.
Wherein the conversion of the fourth data packet into the third data packet may use another predetermined protocol.
Optionally, the second end of the first processing unit 202 is connected to the first end of the first isolation unit 205 through a first single-fiber unidirectional optical module, and the second end of the first isolation unit 205 is connected to the first end of the second processing unit 203 through a second single-fiber unidirectional optical module;
the first end of the second processing unit 203 is connected to the first end of the second isolation unit 206 through a third single-fiber unidirectional optical module, and the second end of the second isolation unit 206 is connected to the second end of the first processing unit 202 through a fourth single-fiber unidirectional optical module.
It can be understood that the first single-fiber unidirectional optical module, the second single-fiber unidirectional optical module, the third single-fiber unidirectional optical module and the fourth single-fiber unidirectional optical module can construct unidirectional communication optical channels, that is, unidirectional transmission of data is fundamentally ensured from a physical layer, and data packets transmitted are verified through the first isolation unit 205 and the second isolation unit 206, so that security of data transmission can be improved.
Optionally, the first processing unit 202 is specifically configured to:
analyzing the second data packet to obtain an analysis field of the second data packet;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result;
the second processing unit 203 is specifically configured to:
and generating a first data packet based on the second data packet in the case that the second verification result indicates that the verification is passed.
Optionally, the preset field includes a protocol type field, a length field, a data field and a check field, the parsing field includes N parsing subfields, and N is a positive integer;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result, wherein the second verification result comprises:
matching the N analysis subfields with the protocol type field, the length field, the data field and the check field respectively to obtain matching results of the N analysis subfields;
and determining a second verification result based on the matching result.
Optionally, determining the second verification result based on the matching result includes:
under the condition that the protocol type field, the length field, the data field and the check field have a matched analysis sub-field in the N analysis sub-fields, acquiring the protocol type, the length, the data and the check code of the second data packet;
Determining a target check code of the second data packet based on the protocol type, the length and the data of the second data packet;
obtaining a second verification result based on the target check code and the check code of the second data packet;
and under the condition that the target check code is consistent with the check code of the second data packet, the second verification result is a result indicating that verification is passed.
Optionally, the second data packet includes a first sub-packet and a second sub-packet, where the first sub-packet is used to represent a network protocol corresponding to the first data packet, and the second sub-packet is used to represent data content of the first data packet;
in the case that the second data packet passes verification, generating a first data packet based on the second data packet, comprising:
respectively verifying the first sub-data packet and the second sub-data packet;
and generating the first data packet based on the first sub-data packet and the second sub-data packet under the condition that the first sub-data packet and the second sub-data packet pass verification.
Optionally, the first sub-packet and the second sub-packet each include an identification field, and the identification of the identification field of the first sub-packet is matched with the identification of the identification field of the second sub-packet;
in the case that both the first sub-packet and the second sub-packet pass verification, generating the first packet based on the first sub-packet and the second sub-packet includes:
Under the condition that the first sub-data packet and the second sub-data packet pass verification, the first sub-data packet and the second sub-data packet are converted based on the identification of the identification field of the first sub-data packet and the identification of the identification field of the second sub-data packet, so that the first data packet is obtained.
For better understanding, specific examples are as follows:
the embodiment of the application also provides a realization method of the high-security network isolation device, which is applied to the network isolation device, wherein the hardware architecture of the network isolation device is shown in fig. 3 and comprises a first network interface module, a first application processing module, a first isolation module, a second application processing module and a second network interface module.
In terms of hardware architecture, dual application processing modules and dual isolation modules are adopted, so that the whole architecture satisfies the security concept of red-black isolation and the security principle of unidirectional transmission, where the first application processing module can serve as the black area and the second application processing module can serve as the red area.
As shown in fig. 4, for a packet sent from the external network to the internal network (i.e., a packet from a network with a low security-level requirement to a network with a high security-level requirement), the processing flow of the network isolation device is as follows:
(1) The first network interface module receives an internet protocol (Internet Protocol, IP) data packet sent by the external network and forwards the data packet to the first application processing module;
(2) The first application processing module carries out first layer policy matching on the IP data packet and directly discards the IP data packet which does not accord with the policy;
protocol conversion is performed on the IP data packets that conform to the policy, each IP data packet is converted into two kinds of private-protocol packets, and these are sent to the first isolation module;
(3) The first isolation module performs second-layer filtering verification on the private protocol data packet, and directly discards the data packet which does not pass the verification;
transmitting the data packet passing the verification to a second application processing module;
(4) The second application processing module performs protocol conversion on the private-protocol data packets, restoring them to IP data packets, and directly discards any data packet for which the protocol conversion fails, for example a packet whose partner packet is missing so that the pair cannot be matched and recombined;
and transmitting the data packet with successful protocol conversion to a second network interface module;
(5) And the second network interface module sends the IP data packet to the intranet for subsequent processing.
As shown in fig. 5, for a packet sent from the intranet to the extranet (i.e., a packet from a network with a high security-level requirement to a network with a low security-level requirement), the processing flow of the network isolation device is as follows:
(1) The second network interface module receives the IP data packet sent by the intranet and forwards the IP data packet to the second application processing module;
(2) The second application processing module carries out first layer policy matching on the IP data packet and directly discards the IP data packet which does not accord with the policy;
protocol conversion is performed on the IP data packets that conform to the policy, each IP data packet is converted into two kinds of private-protocol packets, and these are sent to the second isolation module;
(3) The second isolation module performs second-layer filtering verification on the private protocol data packet, and directly discards the data packet which does not pass the verification;
transmitting the data packet passing verification to a first application processing module;
(4) The first application processing module performs protocol conversion on the private-protocol data packets, restoring them to IP data packets, and directly discards any data packet for which the protocol conversion fails, for example a packet whose partner packet is missing so that the pair cannot be matched and recombined;
and transmitting the data packet with successful protocol conversion to the first network interface module;
(5) The first network interface module sends the IP data packet to the extranet for subsequent processing.
Specifically, for a packet sent from the external network to the internal network (i.e., a packet from a network with a low security-level requirement to a network with a high security-level requirement), the first-layer filtering may be performed in the first application processing module (black area). The filtering may apply several kinds of rules, for example rules keyed on source address, destination address and port number, where only network packets matching an entry in the rule list are kept and all others are discarded. In addition, an isolation authentication code is appended to the end of the message content field of the data packet, and only network packets whose authentication code the application processing module verifies as legitimate are kept. The isolation authentication code is computed and packed by the device that sends the data packet, the code for each data packet is generated according to an agreed rule, and the code is stripped from the packet after it has been verified.
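The first-layer filtering just described, as an added example that is not part of the patent's own text or any implementation by the applicant: a rule list keyed on source network, destination network, transport protocol and destination port, plus an isolation authentication code appended to the end of the content and stripped after verification. The patent does not specify the "agreed rule" for the code; the example assumes a truncated HMAC-SHA256 over the addressing fields and the content under a key shared between the sending device and the isolation device. The key, addresses and sample packet are constructed for the example.

```python
import hmac
import hashlib
import ipaddress

# Constructed key agreed between the sending device and the isolation device
# (hypothetical value; the page does not specify the rule used to derive the code).
ISOLATION_KEY = b"example-shared-isolation-key"
AUTH_CODE_LEN = 16   # bytes of truncated HMAC-SHA256 appended to the message content


def rule_matches(rule, pkt):
    """One rule: source network, destination network, transport protocol, destination port."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src_net"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dst_net"])
            and rule["proto"] == pkt["proto"]
            and rule["dport"] == pkt["dport"])


def policy_allows(rules, pkt):
    """First-layer policy matching: only a packet matching some rule in the list survives."""
    return any(rule_matches(r, pkt) for r in rules)


def compute_auth_code(pkt, content):
    """Assumed agreed rule: HMAC-SHA256 over the addressing fields and the content, truncated.
    Binding the addresses into the code stops a valid code being replayed on a re-addressed packet."""
    header = "{src}|{dst}|{proto}|{dport}".format(**pkt).encode()
    return hmac.new(ISOLATION_KEY, header + content, hashlib.sha256).digest()[:AUTH_CODE_LEN]


def attach_auth_code(pkt):
    """Sending device: compute the code and append it at the end of the content field."""
    return {**pkt, "payload": pkt["payload"] + compute_auth_code(pkt, pkt["payload"])}


def strip_auth_code(pkt):
    """Isolation device: verify the trailing code in constant time, then strip it.
    Returns the packet without the code, or None when the packet must be discarded."""
    if len(pkt["payload"]) < AUTH_CODE_LEN:
        return None
    content, code = pkt["payload"][:-AUTH_CODE_LEN], pkt["payload"][-AUTH_CODE_LEN:]
    if not hmac.compare_digest(code, compute_auth_code(pkt, content)):
        return None
    return {**pkt, "payload": content}


def first_layer_filter(rules, pkt):
    """Policy match, then authentication-code check; either failure discards the packet."""
    if not policy_allows(rules, pkt):
        return None
    return strip_auth_code(pkt)


# Constructed rule list and sample packet (hypothetical addresses and content).
RULES = [{"src_net": "10.1.0.0/16", "dst_net": "192.168.10.0/24", "proto": "tcp", "dport": 8443}]
SAMPLE = {"src": "10.1.2.3", "dst": "192.168.10.20", "proto": "tcp", "dport": 8443, "payload": b"report"}

if __name__ == "__main__":
    sent = attach_auth_code(SAMPLE)
    print("accepted and stripped:", first_layer_filter(RULES, sent) == SAMPLE)
    print("wrong port discarded:", first_layer_filter(RULES, {**sent, "dport": 22}) is None)
```

The order matters in practice: the cheap rule-list check runs before the keyed digest, so traffic that cannot match any rule never costs a digest computation, and `hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a forged code were correct.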
For the network data packet subjected to the first layer filtering, the first application processing module performs protocol conversion, and the network protocol is converted into a private protocol: the original data packet is divided into a protocol description packet and a payload packet, which are respectively a part for describing network protocol data and a part for recording the content of an actual data packet, wherein the specific format of the protocol can be defined by user, but at least comprises a protocol type field, a length field, a data field, a check field and a sequence number identification field for identifying the relation between the two types of data, so that the protocol description packet and the corresponding payload packet can be completely restored into the original network protocol data packet during reverse protocol conversion. The protocol conversion mode is shown in fig. 6.
After protocol conversion is complete, the data packet is sent over a unidirectional optical channel and undergoes second-layer filtering in the isolation module. The isolation module that implements this filtering is independent hardware, which may be an FPGA that implements only the unidirectional data-filtering function and has no other computing or storage functions, so that the isolation function is guaranteed to be implemented correctly and completely, giving higher security.
For example, the filtering verification of the private protocol can be implemented by adopting two methods of private protocol format verification and check code verification, and specifically comprises the following steps:
Verification of the private-protocol format: because the private protocol is not disclosed externally, the data packet is parsed according to the format "protocol type + length + sequence identification + data + check", and a packet that parses correctly under this rule is considered to pass verification;
Verification of the check code: the check code may be defined as a keyed digest computed with a cryptographic digest algorithm over the protocol type, length, sequence identification and data fields; verification recomputes the digest and compares it with the check field carried in the private-protocol packet, and the verification is considered passed if the two are consistent.
Optionally, unidirectional transmission of the private-protocol data packets may be implemented by constructing an optical channel with single-fiber unidirectional optical modules. The legitimate data packets that pass the isolation module undergo protocol conversion again in the application processing module (red area): the two related data packets are matched by the sequence identification field of the private protocol, restored into a network-protocol data packet, and finally sent to the intranet device for subsequent processing. For a data packet sent from the intranet to the extranet (i.e., a data packet from a network with a high security-level requirement to a network with a low security-level requirement), the processing flow is the same in reverse, except that the filtering rules are kept different from the forward rules, so that even if the application processing module (black area) is controlled and cracked, the attacker cannot learn the reverse filtering rules and use them to obtain intranet data, which helps to further improve security.
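The private-protocol path described above (protocol conversion into a protocol description packet and a payload packet sharing a sequence identification, second-layer format and check-code verification in the isolation module, and red-side recombination by sequence identification, as set out both in the optional embodiment around units 202/203/205 and in the worked flow of figs. 4 to 6), as an added example that is not part of the patent's text or any implementation by the applicant. The page leaves the concrete field layout and digest algorithm to the implementer, so the example assumes a fixed header of protocol type (1 byte), length (2 bytes) and sequence identification (4 bytes), followed by the data and a 16-byte check field that is a truncated HMAC-SHA256 over the preceding fields under a shared key; the description packet carries the original addressing fields as JSON. The key, addresses and sample packet are constructed.

```python
import hmac
import hashlib
import json
import struct
from dataclasses import dataclass

# Hypothetical key shared by the application processing modules and the isolation module.
PROTOCOL_KEY = b"example-private-protocol-key"
CHECK_LEN = 16                       # truncated HMAC-SHA256 check field
TYPE_DESCRIPTION, TYPE_PAYLOAD = 0x01, 0x02
HEADER = struct.Struct("!BHI")       # protocol type (1) | length (2) | sequence identification (4)


@dataclass(frozen=True)
class IpPacket:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def check_code(ptype, seq, data):
    """Keyed digest over protocol type, length, sequence identification and data (the check field)."""
    head = HEADER.pack(ptype, len(data), seq)
    return hmac.new(PROTOCOL_KEY, head + data, hashlib.sha256).digest()[:CHECK_LEN]


def build_private(ptype, seq, data):
    return HEADER.pack(ptype, len(data), seq) + data + check_code(ptype, seq, data)


def split_to_private(pkt, seq):
    """Black-side protocol conversion: one IP packet -> description packet + payload packet."""
    desc = json.dumps({"src": pkt.src, "dst": pkt.dst, "proto": pkt.proto, "dport": pkt.dport}).encode()
    return build_private(TYPE_DESCRIPTION, seq, desc), build_private(TYPE_PAYLOAD, seq, pkt.payload)


def parse_private(buf):
    """Private-protocol format verification: returns the parsed fields, or None on any mismatch."""
    if len(buf) < HEADER.size + CHECK_LEN:
        return None
    ptype, length, seq = HEADER.unpack_from(buf)
    if ptype not in (TYPE_DESCRIPTION, TYPE_PAYLOAD):
        return None
    if len(buf) != HEADER.size + length + CHECK_LEN:   # length field must agree with the buffer
        return None
    data = buf[HEADER.size:HEADER.size + length]
    return {"type": ptype, "length": length, "seq": seq, "data": data, "check": buf[HEADER.size + length:]}


def isolation_verify(buf):
    """Second-layer filtering in the isolation module: format check, then check-code check.
    Returns the parsed fields when both pass, None when the packet is to be discarded."""
    fields = parse_private(buf)
    if fields is None:
        return None
    target = check_code(fields["type"], fields["seq"], fields["data"])
    if not hmac.compare_digest(target, fields["check"]):
        return None
    return fields


class Reassembler:
    """Red-side reverse conversion: pair description and payload packets by sequence identification."""

    def __init__(self):
        self.pending = {}   # seq -> {type: data}

    def accept(self, fields):
        """Feed one verified private packet; return the restored IpPacket once its pair is complete."""
        slot = self.pending.setdefault(fields["seq"], {})
        slot[fields["type"]] = fields["data"]
        if TYPE_DESCRIPTION in slot and TYPE_PAYLOAD in slot:
            del self.pending[fields["seq"]]
            hdr = json.loads(slot[TYPE_DESCRIPTION])
            return IpPacket(hdr["src"], hdr["dst"], hdr["proto"], hdr["dport"], slot[TYPE_PAYLOAD])
        return None

    def discard_unpaired(self):
        """Drop every sequence identification still waiting for its partner (cannot be paired)."""
        dropped = list(self.pending)
        self.pending.clear()
        return dropped


def forward(bufs):
    """Whole path after the black side: isolation filtering, then red-side recombination.
    Returns the restored IP packets and the number of private packets discarded."""
    reasm, out, dropped = Reassembler(), [], 0
    for buf in bufs:
        fields = isolation_verify(buf)
        if fields is None:
            dropped += 1
            continue
        restored = reasm.accept(fields)
        if restored is not None:
            out.append(restored)
    dropped += len(reasm.discard_unpaired())
    return out, dropped


if __name__ == "__main__":
    original = IpPacket("10.1.2.3", "192.168.10.20", "tcp", 8443, b"hello")   # constructed sample
    desc_pkt, payload_pkt = split_to_private(original, seq=7)
    print(forward([desc_pkt, payload_pkt]))
```

Two points the prose leaves implicit are visible here: the length field is cross-checked against the actual buffer size before any data is touched, so a packet whose declared length disagrees with its framing fails the format check rather than reaching the digest step, and the red side keeps no state for a sequence identification once both halves have arrived, so a stray duplicate cannot be silently merged with a later packet.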
Referring to fig. 7, fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application. As shown in fig. 7, the data transmission apparatus 700 includes:
a receiving module 701, configured to obtain a first data packet sent by a first device;
the conversion module 702 is configured to convert the first data packet into a second data packet based on a preset protocol;
a generating module 703, configured to generate a first data packet based on the second data packet if the second data packet passes verification;
a sending module 704, configured to send the first data packet to the second device.
Optionally, the data transmission device 700 further includes:
the first verification module is used for verifying the first data packet to obtain a first verification result;
a conversion module 702 comprising:
and the conversion unit is used for converting the first data packet into the second data packet based on a preset protocol under the condition that the first verification result indicates that verification is passed.
Optionally, the data transmission device 700 further includes:
the analysis module is used for analyzing the second data packet to obtain an analysis field of the second data packet;
the second verification module is used for verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result;
The generating module 703 includes:
the first generation unit is used for generating a first data packet based on the second data packet when the second verification result indicates that verification is passed.
Optionally, the preset field includes a protocol type field, a length field, a data field and a check field, the parsing field includes N parsing subfields, and N is a positive integer;
a second authentication module comprising:
the matching unit is used for respectively matching the N analysis subfields with the protocol type field, the length field, the data field and the check field to obtain matching results of the N analysis subfields;
and a determining unit configured to determine a second verification result based on the matching result.
Optionally, the determining unit is specifically configured to:
under the condition that the protocol type field, the length field, the data field and the check field have a matched analysis sub-field in the N analysis sub-fields, acquiring the protocol type, the length, the data and the check code of the second data packet;
determining a target check code of the second data packet based on the protocol type, the length and the data of the second data packet;
obtaining a second verification result based on the target check code and the check code of the second data packet;
and under the condition that the target check code is consistent with the check code of the second data packet, the second verification result is a result indicating that verification is passed.
Optionally, the second data packet includes a first sub-packet and a second sub-packet, where the first sub-packet is used to represent a network protocol corresponding to the first data packet, and the second sub-packet is used to represent data content of the first data packet;
the generating module 703 includes:
the verification unit is used for verifying the first sub-data packet and the second sub-data packet respectively;
and the second generation unit is used for generating the first data packet based on the first sub data packet and the second sub data packet under the condition that the first sub data packet and the second sub data packet pass verification.
Optionally, the first sub-packet and the second sub-packet each include an identification field, and the identification of the identification field of the first sub-packet is matched with the identification of the identification field of the second sub-packet;
the second generation unit is specifically configured to:
under the condition that the first sub-data packet and the second sub-data packet pass verification, the first sub-data packet and the second sub-data packet are converted based on the identification of the identification field of the first sub-data packet and the identification of the identification field of the second sub-data packet, so that the first data packet is obtained.
The data transmission device 700 can implement the processes of the method embodiment of fig. 1 in the embodiment of the present application, and achieve the same beneficial effects, and for avoiding repetition, the description is omitted here.
The embodiment of the application also provides electronic equipment. Because the principle of the electronic device for solving the problem is similar to that of the data transmission method shown in fig. 1 in the embodiment of the present application, the implementation of the electronic device may refer to the implementation of the method, and the repetition is not repeated. As shown in fig. 8, the electronic device of the embodiment of the present application includes a memory 820, a transceiver 810, and a processor 800;
a memory 820 for storing a computer program; a transceiver 810 for transceiving data under the control of the processor 800; processor 800 for reading a computer program in memory 820 and performing the following operations:
acquiring a first data packet sent by first equipment;
converting the first data packet into a second data packet based on a preset protocol;
generating a first data packet based on the second data packet if the second data packet passes verification;
the first data packet is sent to the second device.
In fig. 8, the bus architecture may comprise any number of interconnected buses and bridges, linking together one or more processors represented by processor 800 and various memory circuits represented by memory 820. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides an interface. Transceiver 810 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 800 is responsible for managing the bus architecture and general processing, and the memory 820 may store data used by the processor 800 in performing operations.
The processor 800 may be a central processing unit (Central Processing Unit, CPU), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a Field programmable gate array (Field-Programmable Gate Array, FPGA), or a complex programmable logic device (Complex Programmable Logic Device, CPLD), or may employ a multi-core architecture.
Optionally, the processor 800 is further configured to read the computer program in the memory 820 and perform the following operations:
verifying the first data packet to obtain a first verification result;
converting the first data packet into a second data packet based on a preset protocol, including:
and under the condition that the first verification result indicates that verification is passed, converting the first data packet into a second data packet based on a preset protocol.
Optionally, the processor 800 is further configured to read the computer program in the memory 820 and perform the following operations:
analyzing the second data packet to obtain an analysis field of the second data packet;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result;
in the case that the second data packet passes verification, generating a first data packet based on the second data packet, comprising:
And generating a first data packet based on the second data packet in the case that the second verification result indicates that the verification is passed.
Optionally, the preset field includes a protocol type field, a length field, a data field and a check field, the parsing field includes N parsing subfields, and N is a positive integer;
verifying the second data packet based on the analysis field and a preset field of a preset protocol to obtain a second verification result, wherein the second verification result comprises:
matching the N analysis subfields with the protocol type field, the length field, the data field and the check field respectively to obtain matching results of the N analysis subfields;
and determining a second verification result based on the matching result.
Optionally, determining the second verification result based on the matching result includes:
under the condition that the protocol type field, the length field, the data field and the check field have a matched analysis sub-field in the N analysis sub-fields, acquiring the protocol type, the length, the data and the check code of the second data packet;
determining a target check code of the second data packet based on the protocol type, the length and the data of the second data packet;
obtaining a second verification result based on the target check code and the check code of the second data packet;
And under the condition that the target check code is consistent with the check code of the second data packet, the second verification result is a result indicating that verification is passed.
Optionally, the second data packet includes a first sub-packet and a second sub-packet, where the first sub-packet is used to represent a network protocol corresponding to the first data packet, and the second sub-packet is used to represent data content of the first data packet;
in the case that the second data packet passes verification, generating a first data packet based on the second data packet, comprising:
respectively verifying the first sub-data packet and the second sub-data packet;
and generating the first data packet based on the first sub-data packet and the second sub-data packet under the condition that the first sub-data packet and the second sub-data packet pass verification.
Optionally, the first sub-packet and the second sub-packet each include an identification field, and the identification of the identification field of the first sub-packet is matched with the identification of the identification field of the second sub-packet;
in the case that both the first sub-packet and the second sub-packet pass verification, generating the first packet based on the first sub-packet and the second sub-packet includes:
under the condition that the first sub-data packet and the second sub-data packet pass verification, the first sub-data packet and the second sub-data packet are converted based on the identification of the identification field of the first sub-data packet and the identification of the identification field of the second sub-data packet, so that the first data packet is obtained.
The electronic device provided in the embodiment of the present application may execute the method embodiment shown in fig. 1, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
The embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored, where the program or the instruction realizes each process of the embodiment of the method described in fig. 1 or fig. 2 when executed by a processor, and the process can achieve the same technical effect, so that repetition is avoided and no detailed description is given here.
Wherein the processor is a processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium such as a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, and the like.
The embodiment of the application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to run a program or instructions, so as to implement each process of the embodiment of the method described in fig. 1, and achieve the same technical effects, so that repetition is avoided, and no further description is given here.
It should be understood that the chip referred to in the embodiments of the present application may also be called a system-on-chip, a chip system, or a system-level chip, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.

Claims (13)

1. A data transmission method applied to a network isolation device, comprising:
acquiring a first data packet sent by a first device;
converting the first data packet into a second data packet based on a preset protocol;
generating the first data packet based on the second data packet when the second data packet passes the verification;
transmitting the first data packet to a second device;
the preset protocol is used for data isolation between the first device and the second device.
2. The method of claim 1, wherein prior to converting the first data packet into the second data packet based on the preset protocol, the method further comprises:
verifying the first data packet to obtain a first verification result;
the converting the first data packet into a second data packet based on a preset protocol includes:
and under the condition that the first verification result indicates that verification is passed, converting the first data packet into a second data packet based on the preset protocol.
3. The method of claim 1, wherein, prior to generating the first data packet based on the second data packet in the case that the second data packet passes verification, the method further comprises:
parsing the second data packet to obtain a parse field of the second data packet;
verifying the second data packet based on the parse field and a preset field of the preset protocol to obtain a second verification result;
and generating the first data packet based on the second data packet under the condition that the second data packet passes verification, including:
and generating the first data packet based on the second data packet under the condition that the second verification result indicates that verification is passed.
4. The method of claim 3, wherein the preset field includes a protocol type field, a length field, a data field and a check field, and the parse field includes N parse subfields, N being a positive integer;
the verifying the second data packet based on the parse field and the preset field of the preset protocol to obtain a second verification result includes:
matching the N parse subfields with the protocol type field, the length field, the data field and the check field respectively to obtain a matching result of the N parse subfields;
and determining the second verification result based on the matching result.
5. The method of claim 4, wherein the determining the second validation result based on the matching result comprises:
in the case that parse subfields matching the protocol type field, the length field, the data field and the check field exist among the N parse subfields, acquiring the protocol type, the length, the data and the check code of the second data packet;
determining a target check code of the second data packet based on the protocol type, the length and the data of the second data packet;
obtaining the second verification result based on the target check code and the check code of the second data packet;
wherein the second verification result is a result indicating that verification is passed in the case that the target check code is consistent with the check code of the second data packet.
6. The method according to any one of claims 1 to 5, wherein the second data packet includes a first sub-packet and a second sub-packet, the first sub-packet being used to represent a network protocol to which the first data packet corresponds, and the second sub-packet being used to represent data content of the first data packet;
and generating the first data packet based on the second data packet under the condition that the second data packet passes verification, including:
respectively verifying the first sub-packet and the second sub-packet;
and generating the first data packet based on the first sub-packet and the second sub-packet under the condition that the first sub-packet and the second sub-packet pass verification.
7. The method of claim 6, wherein the first sub-packet and the second sub-packet each include an identification field, and wherein an identification of the identification field of the first sub-packet matches an identification of the identification field of the second sub-packet;
generating the first data packet based on the first sub-packet and the second sub-packet when the first sub-packet and the second sub-packet pass verification includes:
and under the condition that the first sub-packet and the second sub-packet pass verification, converting the first sub-packet and the second sub-packet based on the identification of the identification field of the first sub-packet and the identification of the identification field of the second sub-packet so as to obtain the first data packet.
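Claims 1 to 7 describe a protocol break: the isolation device re-encodes each packet into a preset protocol made of a protocol type field, a length field, a data field and a check field, split across two sub-packets that share an identification, verifies each sub-packet by recomputing the check code, and only then rebuilds the original packet for the second device. The following Python model is an added example written for this page, not the patent's own code or an implementation by the applicant. The field widths, the use of CRC-32 as the check code, the 16-bit identification value and the two "protocol type" values are assumptions made here; the claims name the fields but not their encodings.

```python
"""Added example, not the patent's own code: a minimal model of the
protocol-break scheme in claims 1-7.  Field widths, the CRC-32 check
code and the 16-bit identification are assumptions made here."""
from dataclasses import dataclass
from typing import Optional, Tuple
import struct
import zlib

# Assumed values of the "protocol type" field (claim 4): the role a
# sub-packet plays inside the preset protocol (claim 6).
TYPE_PROTOCOL = 0x01   # first sub-packet: network protocol of the original packet
TYPE_DATA = 0x02       # second sub-packet: data content of the original packet
HEADER = struct.Struct("!BHH")   # type (1) | identification (2) | length (2)
CHECK = struct.Struct("!I")      # CRC-32 check code (4), assumed


@dataclass(frozen=True)
class FirstPacket:
    """The 'first data packet' as seen by the isolation device: which
    network protocol it belongs to, and its data content."""
    protocol: str
    payload: bytes


def encode_sub_packet(ptype: int, ident: int, data: bytes) -> bytes:
    """Lay out one sub-packet as type|ident|length|data|check.  Claim 5
    computes the check code over type, length and data; covering the
    identification as well is an assumption made here."""
    header = HEADER.pack(ptype, ident, len(data))
    return header + data + CHECK.pack(zlib.crc32(header + data))


def convert_to_second_packet(pkt: FirstPacket, ident: int) -> Tuple[bytes, bytes]:
    """Claims 1 and 6: the second data packet is two sub-packets that
    share one identification value."""
    return (encode_sub_packet(TYPE_PROTOCOL, ident, pkt.protocol.encode("ascii")),
            encode_sub_packet(TYPE_DATA, ident, pkt.payload))


def verify_sub_packet(raw: bytes) -> Optional[dict]:
    """Claims 3-5: split the bytes into parse subfields, match them
    against the preset fields, recompute the target check code and
    compare it with the carried one.  None means verification failed."""
    if len(raw) < HEADER.size + CHECK.size:
        return None
    ptype, ident, length = HEADER.unpack_from(raw)
    if ptype not in (TYPE_PROTOCOL, TYPE_DATA):
        return None                      # protocol type field does not match
    body_end = HEADER.size + length
    if len(raw) != body_end + CHECK.size:
        return None                      # length field disagrees with the packet
    (carried,) = CHECK.unpack_from(raw, body_end)
    target = zlib.crc32(raw[:body_end])  # target check code from type, length, data
    if target != carried:
        return None                      # check field does not match
    return {"type": ptype, "ident": ident, "data": raw[HEADER.size:body_end]}


def generate_first_packet(sub_a: bytes, sub_b: bytes) -> Optional[FirstPacket]:
    """Claims 6-7: verify both sub-packets separately, require matching
    identification fields and one sub-packet of each role, then rebuild
    the first data packet for the second device."""
    fields = [verify_sub_packet(sub_a), verify_sub_packet(sub_b)]
    if None in fields:
        return None
    by_type = {f["type"]: f for f in fields}
    if set(by_type) != {TYPE_PROTOCOL, TYPE_DATA}:
        return None
    if fields[0]["ident"] != fields[1]["ident"]:
        return None
    try:
        protocol = by_type[TYPE_PROTOCOL]["data"].decode("ascii")
    except UnicodeDecodeError:
        return None
    return FirstPacket(protocol, by_type[TYPE_DATA]["data"])


def isolation_forward(pkt: FirstPacket, ident: int) -> Optional[FirstPacket]:
    """The whole path of claim 1: acquire, convert, verify, regenerate."""
    sub_a, sub_b = convert_to_second_packet(pkt, ident)
    return generate_first_packet(sub_a, sub_b)


if __name__ == "__main__":
    # Constructed sample input, not taken from the patent.
    original = FirstPacket("UDP", b"\x00\x01sensor-reading=42")
    assert isolation_forward(original, 7) == original
    # A sub-packet altered in transit fails the check code and is dropped.
    sub_a, sub_b = convert_to_second_packet(original, 7)
    tampered = bytearray(sub_b)
    tampered[-5] ^= 0x01
    assert generate_first_packet(sub_a, bytes(tampered)) is None
    print("protocol-break round trip and tamper rejection OK")
```

The point a defender should take from the model is that nothing from the first device's wire format crosses the isolation boundary unchanged: only fields the preset protocol defines are carried, every field is bounds-checked against the length field before use, and a sub-packet whose identification does not match its partner, or whose role is duplicated, is rejected rather than guessed at.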
8. A network isolation device, comprising:
a first interface unit, configured to acquire a first data packet sent by a first device;
a first processing unit, configured to convert the first data packet into a second data packet based on a preset protocol;
a second processing unit, configured to generate the first data packet based on the second data packet if the second data packet passes the verification;
a second interface unit, configured to send the first data packet to a second device;
the first interface unit is used for communicating with the first device, the second interface unit is used for communicating with the second device, the first end of the first interface unit is connected with the first end of the first processing unit, the second end of the first processing unit is connected with the first end of the second processing unit, and the second end of the second processing unit is connected with the first end of the second interface unit.
9. The device of claim 8, further comprising a first isolation unit and a second isolation unit, wherein the first isolation unit is configured to verify the second data packet, and the second isolation unit is configured to verify a third data packet sent by the second processing unit and to send the third data packet to the first processing unit when the third data packet passes verification;
The second end of the first processing unit is connected with the first end of the first isolation unit, and the second end of the first isolation unit is connected with the first end of the second processing unit;
the first end of the second processing unit is connected with the first end of the second isolation unit, and the second end of the second isolation unit is connected with the second end of the first processing unit.
10. The device of claim 9, wherein a second end of the first processing unit is connected to a first end of the first isolation unit through a first single-fiber unidirectional optical module, and a second end of the first isolation unit is connected to a first end of the second processing unit through a second single-fiber unidirectional optical module;
the first end of the second processing unit is connected with the first end of the second isolation unit through a third single-fiber unidirectional optical module, and the second end of the second isolation unit is connected with the second end of the first processing unit through a fourth single-fiber unidirectional optical module.
11. A data transmission apparatus, comprising:
a receiving module, configured to acquire a first data packet sent by a first device;
a conversion module, configured to convert the first data packet into a second data packet based on a preset protocol;
a generation module, configured to generate the first data packet based on the second data packet under the condition that the second data packet passes verification;
and a sending module, configured to send the first data packet to a second device.
12. An electronic device comprising a processor and a memory storing a program or instructions executable on the processor, which when executed by the processor, implement the steps of the data transmission method of any one of claims 1 to 7.
13. A readable storage medium, characterized in that the readable storage medium has stored thereon a program or instructions which, when executed by a processor, implement the steps of the data transmission method according to any of claims 1 to 7.
CN202211006327.0A 2022-08-22 2022-08-22 Data transmission method and network isolation equipment Pending CN116961959A (en)


Publications (1)

Publication Number Publication Date
CN116961959A true CN116961959A (en) 2023-10-27

Family

ID=88444953



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination