CN117319027A - Anti-tracing method and device based on multi-hop secure communication and readable storage medium - Google Patents

Info

Publication number: CN117319027A
Authority: CN (China)
Prior art keywords: node, server, encryption, communication, secure communication
Legal status: Pending
Application number: CN202311252792.7A
Other languages: Chinese (zh)
Inventors: 王慧平, 代兆军
Current Assignee: Guangdong Chanming Information Technology Co ltd
Original Assignee: Guangdong Chanming Information Technology Co ltd
Application filed by Guangdong Chanming Information Technology Co ltd; priority to CN202311252792.7A; publication of CN117319027A.

Classifications

All classes fall under H (Electricity) and H04 (Electric communication technique), within H04L (Transmission of digital information, e.g. telegraphic communication) or H04W (Wireless communication networks):

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/083 Authentication of entities using passwords
    • H04L63/0869 Authentication of entities for achieving mutual authentication
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/14 Cryptographic mechanisms using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H04L9/40 Network security protocols
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an anti-tracing method and device based on multi-hop secure communication, and a readable storage medium. The method comprises the following steps: invoking an encrypted communication protocol to perform dynamic route establishment, constructing a secure communication link comprising an access client, an entry node, an isolation node and an exit node, and randomly selecting at least three relay nodes from the entry node, isolation node and exit node clusters; initiating a connection request to a randomly chosen communication node and entering an encrypted data communication state once the connection succeeds; encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm; and constructing a bidirectional identity verification mechanism between the access client and the server side of the entry node, in which the access client verifies the digital certificate of the entry node's server side and the entry node's server side verifies the account password of the access client. This addresses the technical problem that existing anti-tracing schemes carry potential security hazards.

Description

Anti-tracing method and device based on multi-hop secure communication and readable storage medium
Technical Field
The application relates to the technical field of computer network security, in particular to a multi-hop secure communication-based anti-tracing method, a multi-hop secure communication-based anti-tracing device and a readable storage medium.
Background
Currently, existing anti-tracing schemes fall into two general types: 1. Mature VPN communication protocols, mainly PPTP, L2TP or OpenVPN: a VPN access service is set up on a private server and connected to through a corresponding client program, so that remote network resources are accessed anonymously. 2. Targeted modification and development based on open-source proxy protocol software such as SOCKS5: forwarding nodes are added and deployed as a proxy service, and the client performs remote proxy access through dedicated hardware or a client program to realize a basic anti-tracing function.
These prior art schemes share the potential security hazards that the access process is transparent, that the direct-connection proxy and the communication encryption protocol are open-source schemes, and that an open-source encryption protocol is easy to analyse and capture. The common network tracking techniques and proxy risks are mainly the following:
1. For a direct-connection proxy, the local IP information is traced either by compromising the proxy service directly or through the proxy IP information carried in the data packets.
2. The number of forwarding stages is small, usually no more than 3 layers; the forwarding nodes are fixed; and communication delay is high.
3. The access process is transparent and open-source encrypted communication protocols have obvious traffic characteristics, so they are easily detected and captured by deep packet inspection; by capturing and recording abnormal traffic and abnormal access behaviour, the traffic can be decrypted and analysed and the associated domain names and IPs obtained.
4. The communication encryption key is used for a long time after being generated, so its timeliness is poor. Over long-term use there is a risk that, once the communication data is obtained by a third party, it is decrypted and a man-in-the-middle attack is carried out.
Disclosure of Invention
The main purpose of the invention is to provide an anti-tracing method, an anti-tracing system and a readable storage medium based on multi-hop secure communication, so as to solve the technical problems that in existing anti-tracing schemes the access process is transparent, the direct-connection proxy and the communication encryption protocol are open-source schemes, the open-source encryption protocol is easy to analyse and capture, and other potential security hazards.
To solve these technical problems, a first aspect of the present invention provides an anti-tracing method based on multi-hop secure communication, the method comprising:
invoking an encrypted communication protocol to perform dynamic route establishment, constructing a secure communication link comprising an access client, an entry node, an isolation node and an exit node, and randomly selecting at least three relay nodes from the entry node, isolation node and exit node clusters;
initiating a connection request to a randomly chosen communication node and entering an encrypted data communication state once the connection succeeds; encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm;
and constructing a bidirectional identity verification mechanism between the access client and the server side of the entry node, in which the access client verifies the digital certificate of the entry node's server side and the entry node's server side verifies the account password of the access client.
Further, the method further comprises:
when the connection in the encrypted data communication state is disconnected, a new secure communication link is reconstructed and the original secure communication link is destroyed immediately.
Further, encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm specifically comprises:
transmitting a session key in the secure communication link using the RSA asymmetric cryptosystem; presetting a certificate public key on the server of the exit node and on the access client; after the access client connects to the server of the entry node using the Transport Layer Security protocol (TLS), acquiring the session key parameters directly over the TLS secure channel; and, when the secure communication link is established, the server of the exit node negotiating the session key with the access client using the RSA asymmetric cryptosystem.
Further, after the server of the exit node negotiates the session key using the RSA asymmetric cryptosystem when the secure communication link is established, the method further comprises:
the server of the exit node and the access client forcibly re-running the key negotiation at a preset time interval, with the session key parameters randomly generated by both ends.
Further, before invoking the encrypted communication protocol to perform dynamic route establishment, the method further includes:
modulating the encrypted communication protocol, which is an end-to-end encrypted communication protocol based on data packet delivery with built-in multi-hop communication support. The bottom layer of the protocol communicates through an asynchronous communication library interface; the upper layer uses a unified packet read/write interface and an asynchronous callback interface; a maximum single packet of 64KB is supported for sending and receiving; different underlying data transport protocols (UDP/TCP/TLS) can be configured; several encryption algorithms, including AES256, AES128 and CHACHA20, are built in to encrypt the data packets end to end; and different cipher suites can be configured through parameters.
Further, encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm comprises:
the access client connecting to the server of the entry node through TLS using a digital certificate and requesting establishment of a server routing link to the designated exit node;
the server of the entry node randomly generating a routing link table according to a routing policy, generating a random number A at the same time, and sending a link establishment request containing the random number A down the link;
when the server of the exit node receives the data packet containing the random number A, generating a connection parameter, encrypting the connection parameter with RSA4096 using the public key, and transmitting the encrypted connection parameter back to the server of the entry node along the link;
after receiving the data packet sent by the server of the exit node, the server of the entry node unwrapping it with its private key to obtain the connection parameter;
the server of the entry node transmitting the random number A and the connection parameter to the access client through TLS;
the access client and the server of the exit node each hashing the random number A and the connection parameter with the SHA256 algorithm to generate the session key;
and the access client and the server of the exit node encrypting and decrypting session messages using a symmetric encryption algorithm with the session key.
Optionally, after the step in which the server of the entry node randomly generates a routing link table according to a routing policy, generates a random number A at the same time and sends a link establishment request containing the random number A down the link, the method includes:
during the link establishment request, if an intermediate node in the link is unreachable, timing out and restarting the link establishment flow;
if all intermediate nodes in the link are reachable, once the data packet containing the random number A reaches the server of the exit node, the server of the exit node generates the connection parameter, encrypts it with RSA4096 using the public key and transmits the encrypted connection parameter back to the server of the entry node along the link.
Optionally, the symmetric encryption algorithm is one of AES256, AES128 and CHACHA20.
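The key establishment steps above, and the periodic re-negotiation described earlier, can be walked through in code. The following Go program is an added example written for this page; it is not code from the patent or from the assignee. It models the entry node holding the certificate private key and the exit node holding only the public key, the exit node RSA-wrapping a random connection parameter for the entry node, the entry node unwrapping it, and the client and exit node each computing SHA256(A || connection parameter) as the session key, which then protects a session message. Assumptions not stated on the page: RSA-OAEP as the RSA padding, AES-256-GCM as the symmetric mode, 32-byte values for A and the connection parameter, a 2048-bit key (the page says RSA4096; 2048 only keeps the demo fast), and the TLS channel between client and entry node treated as already established. The function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The description specifies RSA4096; 2048 bits is an assumption made only to
// keep key generation fast in this demo.
const rsaBits = 2048

// deriveSessionKey is the step both ends perform: SHA256 over the random
// number A and the connection parameter. Fresh inputs on re-negotiation give
// a fresh key, which is what the periodic forced re-keying relies on.
func deriveSessionKey(randomA, connParam []byte) []byte {
	h := sha256.New()
	h.Write(randomA)
	h.Write(connParam)
	return h.Sum(nil) // 32 bytes, usable directly as an AES-256 key
}

// wrapConnParam is the exit node's step: it holds only the preset certificate
// public key and RSA-encrypts the connection parameter for the entry node.
// OAEP padding is an assumption; the page says only "RSA4096 using the public key".
func wrapConnParam(entryPub *rsa.PublicKey, connParam []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, entryPub, connParam, nil)
}

// unwrapConnParam is the entry node's step: it unwraps with its private key.
func unwrapConnParam(entryPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, entryPriv, wrapped, nil)
}

// newGCM builds an AES-GCM AEAD from the 32-byte session key (GCM is assumed;
// AES256 is the page's default algorithm).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts a session message and prefixes the random nonce.
func sealMessage(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openMessage reverses sealMessage and fails on any tampering.
func openMessage(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// runHandshake walks the exchange once and returns the key each end derived.
func runHandshake() (clientKey, exitKey []byte, err error) {
	entryPriv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, nil, err
	}
	// Entry node: generate random number A and send it down the link.
	randomA := make([]byte, 32)
	if _, err = rand.Read(randomA); err != nil {
		return nil, nil, err
	}
	// Exit node: receive A, generate the connection parameter, wrap it, send it back.
	connParam := make([]byte, 32)
	if _, err = rand.Read(connParam); err != nil {
		return nil, nil, err
	}
	wrapped, err := wrapConnParam(&entryPriv.PublicKey, connParam)
	if err != nil {
		return nil, nil, err
	}
	// Entry node: unwrap, then hand A and the parameter to the client over TLS.
	paramAtClient, err := unwrapConnParam(entryPriv, wrapped)
	if err != nil {
		return nil, nil, err
	}
	clientKey = deriveSessionKey(randomA, paramAtClient)
	// Exit node: derive the same key from the values it already holds.
	exitKey = deriveSessionKey(randomA, connParam)
	return clientKey, exitKey, nil
}

func main() {
	clientKey, exitKey, err := runHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Println("session keys match:", bytes.Equal(clientKey, exitKey))
	sealed, _ := sealMessage(clientKey, []byte("constructed session message"))
	plain, err := openMessage(exitKey, sealed)
	fmt.Printf("exit node decrypted: %q (err=%v)\n", plain, err)
}
```

Running the handshake twice yields two different session keys, which is the effect the forced re-negotiation at a preset interval is meant to produce. One point worth noticing when reading the steps: the entry node sees both the random number A and the unwrapped connection parameter, so it can compute the session key itself; the scheme protects the session against outside observers and relies on the TLS channel and account/certificate authentication for the client-to-entry hop, not on the entry node being unable to read traffic.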
A second aspect of the embodiments of the present invention provides an anti-tracing apparatus based on multi-hop secure communication, the apparatus comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program when executed by the processor implementing the following:
invoking an encrypted communication protocol to perform dynamic route establishment, constructing a secure communication link comprising an access client, an entry node, an isolation node and an exit node, and randomly selecting at least three relay nodes from the entry node, isolation node and exit node clusters;
initiating a connection request to a randomly chosen communication node and entering an encrypted data communication state once the connection succeeds; encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm;
and constructing a bidirectional identity verification mechanism between the access client and the server side of the entry node, in which the access client verifies the digital certificate of the entry node's server side and the entry node's server side verifies the account password of the access client.
A third aspect of the embodiments of the present invention provides a computer readable storage medium storing an anti-tracing program based on multi-hop secure communication, which when executed by a processor implements the steps of the anti-tracing method based on multi-hop secure communication.
The technical scheme of the invention has the following beneficial effects:
According to the anti-tracing method, device and computer readable storage medium based on multi-hop secure communication disclosed by the embodiments of the invention, the modulated private encrypted communication protocol reduces the risk of signature packets being detected and recorded and avoids interception; three encryption algorithms, AES256, AES128 and CHACHA20, are built in to encrypt the data packets end to end, and different users can encrypt their data with different algorithms. User communication data messages are forwarded as ciphertext throughout, and transparent data proxying of the TCP/UDP/ICMP communication protocols is supported; communication data is encrypted throughout using the AES256 (default), AES128 and CHACHA20 encryption algorithms; the client and the server perform bidirectional identity authentication by account password and certificate, which prevents malicious third-party access to the server.
Drawings
FIG. 1 is a schematic diagram of the hardware structure of a mobile terminal implementing various embodiments of the present invention;
FIG. 2 is a schematic diagram of a communication network system according to an embodiment of the present invention;
FIG. 3 is a flowchart of an anti-tracing method based on multi-hop secure communication according to an embodiment of the present invention;
FIG. 4 is a schematic architecture flow diagram of the whole multi-hop secure communication anti-tracing link according to an embodiment of the present invention;
FIG. 5 is a flowchart of encrypting and decrypting session messages in the secure communication link using an asymmetric cryptosystem based on the RSA public key encryption algorithm according to an embodiment of the present invention;
FIG. 6 is a block diagram of the RSA key distribution communication flow provided by an embodiment of the present invention;
FIG. 7 is a hardware structure block diagram of an anti-tracing device based on multi-hop secure communication according to an embodiment of the present invention;
FIG. 8 is a communication flow block diagram of an anti-tracing device based on multi-hop secure communication according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Description of the embodiments
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only to facilitate the description of the present invention and have no specific meaning in themselves. Thus, "module", "component", and "unit" may be used interchangeably.
The access clients, servers, etc. described in the present invention may be implemented in various forms, and may include mobile terminals such as cell phones, tablet computers, notebook computers, palmtop computers, personal digital assistants (Personal Digital Assistant, PDA), portable media players (Portable Media Player, PMP), navigation devices, wearable devices, smart bracelets, pedometers, etc., as well as fixed terminals such as digital TVs, desktop computers, etc.
The following description will be given taking a mobile terminal as an example, and those skilled in the art will understand that the configuration according to the embodiment of the present invention can be applied to a fixed type terminal in addition to elements particularly used for a moving purpose.
Referring to FIG. 1, which is a schematic diagram of the hardware structure of a mobile terminal implementing various embodiments of the present invention, the mobile terminal 100 may include: RF (radio frequency) unit 101, WiFi module 102, audio output unit 103, A/V (audio/video) input unit 104, sensor 105, display unit 106, user input unit 107, interface unit 108, memory 109, processor 110, and power source 111. Those skilled in the art will appreciate that the mobile terminal structure shown in FIG. 1 is not limiting of the mobile terminal, and that the mobile terminal may include more or fewer components than shown, may combine certain components, or may have a different arrangement of components.
The following describes the components of the mobile terminal in detail with reference to fig. 1:
The radio frequency unit 101 may be used for receiving and transmitting signals during information reception or a communication process; specifically, after receiving downlink information from the base station, it passes the downlink information to the processor 110 for processing, and it transmits uplink data to the base station. Typically, the radio frequency unit 101 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like. In addition, the radio frequency unit 101 may also communicate with networks and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile Communications), GPRS (General Packet Radio Service), CDMA2000 (Code Division Multiple Access 2000), WCDMA (Wideband Code Division Multiple Access), TD-SCDMA (Time Division-Synchronous Code Division Multiple Access), FDD-LTE (Frequency Division Duplex-Long Term Evolution) and TDD-LTE (Time Division Duplex-Long Term Evolution), etc.
WiFi belongs to a short-distance wireless transmission technology, and a mobile terminal can help a user to send and receive emails, browse pages, access streaming media and the like through the WiFi module 102, so that wireless broadband Internet access is provided for the user. Although fig. 1 shows a WiFi module 102, it is understood that it does not belong to the necessary constitution of a mobile terminal, and can be omitted entirely as required within a range that does not change the essence of the invention.
The audio output unit 103 may convert audio data received by the radio frequency unit 101 or the WiFi module 102 or stored in the memory 109 into an audio signal and output as sound when the mobile terminal 100 is in a call signal reception mode, a talk mode, a recording mode, a voice recognition mode, a broadcast reception mode, or the like. Also, the audio output unit 103 may also provide audio output (e.g., a call signal reception sound, a message reception sound, etc.) related to a specific function performed by the mobile terminal 100. The audio output unit 103 may include a speaker, a buzzer, and the like.
The A/V input unit 104 is used to receive an audio or video signal. The A/V input unit 104 may include a graphics processor (Graphics Processing Unit, GPU) 1041 and a microphone 1042; the graphics processor 1041 processes image data of still pictures or videos obtained by an image capturing device (e.g., a camera) in a video capturing mode or an image capturing mode. The processed image frames may be displayed on the display unit 106. The image frames processed by the graphics processor 1041 may be stored in the memory 109 (or other storage medium) or transmitted via the radio frequency unit 101 or the WiFi module 102. The microphone 1042 can receive sound (audio data) in a phone call mode, a recording mode, a voice recognition mode, and the like, and can process such sound into audio data. In the case of a telephone call mode, the processed audio (voice) data may be converted into a format that can be transmitted to the mobile communication base station via the radio frequency unit 101. The microphone 1042 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated in the course of receiving and transmitting the audio signal.
The mobile terminal 100 also includes at least one sensor 105, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor includes an ambient light sensor and a proximity sensor, wherein the ambient light sensor can adjust the brightness of the display panel 1061 according to the brightness of ambient light, and the proximity sensor can turn off the display panel 1061 and/or the backlight when the mobile terminal 100 moves to the ear. The accelerometer sensor can detect the acceleration in all directions (generally three axes), can detect the gravity and the direction when the accelerometer sensor is static, can be used for identifying the gesture of a mobile phone (such as transverse and vertical screen switching, related games, magnetometer gesture calibration), vibration identification related functions (such as pedometer and knocking), and the like, and can be configured as other sensors such as fingerprint sensors, pressure sensors, iris sensors, molecular sensors, gyroscopes, barometers, hygrometers, thermometers, infrared sensors and the like, which are not repeated herein.
The display unit 106 is used to display information input by a user or information provided to the user. The display unit 106 may include a display panel 1061, and the display panel 1061 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED), or the like.
The user input unit 107 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile terminal. In particular, the user input unit 107 may include a touch panel 1071 and other input devices 1072. The touch panel 1071, also referred to as a touch screen, may collect touch operations thereon or thereabout by a user (e.g., operations of the user on the touch panel 1071 or thereabout by using any suitable object or accessory such as a finger, a stylus, etc.) and drive the corresponding connection device according to a predetermined program. The touch panel 1071 may include two parts of a touch detection device and a touch controller. The touch detection device detects the touch azimuth of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into touch point coordinates, and sends the touch point coordinates to the processor 110, and can receive and execute commands sent from the processor 110. Further, the touch panel 1071 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave. The user input unit 107 may include other input devices 1072 in addition to the touch panel 1071. In particular, other input devices 1072 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, mouse, joystick, etc., as specifically not limited herein.
Further, the touch panel 1071 may overlay the display panel 1061, and when the touch panel 1071 detects a touch operation thereon or thereabout, the touch panel 1071 is transferred to the processor 110 to determine the type of touch event, and then the processor 110 provides a corresponding visual output on the display panel 1061 according to the type of touch event. Although in fig. 1, the touch panel 1071 and the display panel 1061 are two independent components for implementing the input and output functions of the mobile terminal, in some embodiments, the touch panel 1071 may be integrated with the display panel 1061 to implement the input and output functions of the mobile terminal, which is not limited herein.
The interface unit 108 serves as an interface through which at least one external device can be connected with the mobile terminal 100. For example, the external devices may include a wired or wireless headset port, an external power (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and the like. The interface unit 108 may be used to receive input (e.g., data information, power, etc.) from an external device and transmit the received input to one or more elements within the mobile terminal 100 or may be used to transmit data between the mobile terminal 100 and an external device.
Memory 109 may be used to store software programs as well as various data. The memory 109 may mainly include a storage program area that may store an operating system, application programs required for at least one function (such as a sound playing function, an image playing function, etc.), and a storage data area; the storage data area may store data (such as audio data, phonebook, etc.) created according to the use of the handset, etc. In addition, memory 109 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 110 is the control center of the mobile terminal: it connects the various parts of the entire mobile terminal using various interfaces and lines, and performs the various functions of the mobile terminal and processes data by running or executing software programs and/or modules stored in the memory 109 and calling data stored in the memory 109, thereby monitoring the mobile terminal as a whole. Processor 110 may include one or more processing units; preferably, the processor 110 may integrate an application processor and a modem processor, wherein the application processor primarily handles the operating system, user interface, application programs, etc., and the modem processor primarily handles wireless communication. It will be appreciated that the modem processor described above need not be integrated into the processor 110.
The mobile terminal 100 may further include a power source 111 (e.g., a battery) for supplying power to the respective components, and preferably, the power source 111 may be logically connected to the processor 110 through a power management system, so as to perform functions of managing charging, discharging, and power consumption management through the power management system.
Although not shown in fig. 1, the mobile terminal 100 may further include a Bluetooth module or the like, which is not described here.
In order to facilitate understanding of the embodiments of the present invention, a communication network system on which the mobile terminal of the present invention is based will be described below.
Referring to fig. 2, fig. 2 is a schematic diagram of a communication network system according to an embodiment of the present invention, which is an LTE system of a common mobile communication technology, where the LTE system includes a UE (user equipment) 201, an E-UTRAN (evolved UMTS terrestrial radio access network) 202, an EPC (evolved packet core) 203, and an operator's IP service 204, which are connected in sequence in a communicating manner.
Specifically, the UE201 may be the terminal 100 described above, and will not be described herein.
The E-UTRAN202 includes eNodeB2021 and other eNodeB2022, etc. The eNodeB2021 may be connected with other eNodeB2022 by a backhaul (e.g., an X2 interface), the eNodeB2021 is connected to the EPC203, and the eNodeB2021 may provide access from the UE201 to the EPC 203.
EPC203 may include an MME (mobility management entity) 2031, an HSS (home subscriber server) 2032, other MMEs 2033, an SGW (serving gateway) 2034, a PGW (packet data network gateway) 2035 and a PCRF (policy and charging function) 2036, etc. The MME2031 is a control node that handles signalling between the UE201 and EPC203, providing bearer and connection management. HSS2032 provides registers to manage functions such as the home location register (not shown) and holds user-specific information about service characteristics, data rates, etc. All user data may be sent through SGW2034; PGW2035 may provide IP address allocation and other functions for UE201; PCRF2036 is the policy and charging control decision point for service data flows and IP bearer resources, which selects and provides available policy and charging control decisions for the policy and charging enforcement function (not shown).
IP services 204 may include the internet, intranets, IMS (IP Multimedia Subsystem), or other IP services, etc.
Although the LTE system is described above as an example, it should be understood by those skilled in the art that the present invention is not limited to LTE systems, but may be applied to other wireless communication systems, such as GSM, CDMA2000, WCDMA, TD-SCDMA, and future new network systems.
The various embodiments of the method of the present invention are presented based on the above-described hardware architecture of the mobile terminal 100 and the communication network system.
Example 1
As shown in fig. 3, an embodiment of the present invention provides an anti-tracing method based on multi-hop secure communication, where the method includes:
S101, invoking an encryption communication protocol to perform dynamic route establishment, constructing a secure communication link comprising an access client, an entry node, an isolation node and an exit node, and randomly selecting at least three relay nodes from the entry node, isolation node and exit node clusters;
as shown in fig. 4, the architecture of the anti-tracing link of the whole multi-hop secure communication of the present embodiment mainly comprises, in data-flow order, an access client, an entry node, an isolation node and an exit node. Based on the multi-hop proxy technique, a secure communication link is constructed that passes through at least the entry node, the isolation node and the exit node, and the proxied traffic finally accesses its destination through the exit node after the multi-hop chain. The mutual isolation of the nodes and the random construction of the link greatly increase the difficulty for a third party to trace the source IP.
S102, initiating a connection request to a random communication node and entering an encrypted data communication state once the connection succeeds; encrypting and decrypting the session messages in the secure communication link using an asymmetric encryption system based on the RSA public-key encryption algorithm;
S103, establishing a bidirectional identity verification mechanism between the access client and the server of the entry node: the access client verifies the digital certificate information of the entry-node server, and the entry-node server verifies the account password of the access client.
Optionally, the method further comprises: when the connection of the encrypted data communication state is disconnected, a new secure communication link is reconstructed, and the original secure communication link is destroyed immediately.
Specifically, the encrypting and decrypting the session message in the secure communication link by adopting the asymmetric encryption system of the RSA public key encryption algorithm includes:
the session key is transmitted in the secure communication link using an asymmetric encryption system based on the RSA public-key encryption algorithm: a certificate public key is preset on the server of the exit node and on the access client; after the access client connects to the server of the entry node using the secure transport layer protocol TLS, it obtains the session key parameters directly over the TLS secure channel; and when the secure communication link is established, the server of the exit node negotiates the session key with the access client through the RSA asymmetric encryption system. The session key parameters are randomly generated by the two ends, the server forces key re-negotiation according to a preset time period, and the two ends obtain the session key by applying a prefabricated hash algorithm.
RSA public key cryptosystem. A public key cryptosystem is a cryptosystem that uses different encryption and decryption keys, in which deriving the decryption key from the known encryption key is "computationally infeasible". In a public key cryptosystem, the encryption key (public key) PK is public information, while the decryption key (secret key) SK must be kept secret. The encryption algorithm E and the decryption algorithm D are also public. Although the decryption key SK is determined by the public key PK, SK cannot be computed from PK. The RSA algorithm was the first algorithm usable for both encryption and digital signatures, and it is also easy to understand and operate.
The secure transport layer protocol (TLS) is used to provide confidentiality and data integrity between two communicating applications. The protocol consists of two layers: the TLS Record protocol and the TLS Handshake protocol. The lower layer is the TLS Record protocol, which sits above a reliable transport protocol (e.g. TCP). The connection security provided by the TLS Record protocol has two basic properties:
Privacy: symmetric encryption (DES, RC4, etc.) is used for data encryption. The key for the symmetric encryption is unique to each connection and is negotiated by another protocol, such as the Handshake protocol. The Record protocol can also be used without encryption.
Reliability: message transport includes a message integrity check using a keyed MAC. Secure hash functions (SHA, MD5, etc.) are used for the MAC computation. The Record protocol can operate without a MAC, but is generally only used in this mode while another protocol is negotiating security parameters over the Record protocol transport.
The TLS Record protocol is used to encapsulate various higher-layer protocols. One such encapsulated protocol, the Handshake protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and encryption keys before the application protocol transmits or receives its first byte of data. The connection security provided by the TLS Handshake protocol has three basic properties:
The identity of the peer can be authenticated using asymmetric, or public key, cryptography. The authentication is optional, but is required for at least one of the parties.
The negotiation of the shared secret is secure: the negotiated secret is unavailable to an eavesdropper, and for an authenticated connection it cannot be obtained even by an attacker who places himself in the middle of the connection.
The negotiation is reliable: no attacker can modify the negotiation without being detected by the parties to the communication.
Wherein the server of the egress node negotiates the session key using an RSA asymmetric cryptosystem when the secure communication link is established, the method further comprising:
and the server of the exit node and the access client forcibly re-conduct key negotiation according to a preset time period, and the session key parameters are randomly generated by the two ends.
Optionally, the session key parameter is randomly generated by two ends, the intermediate node cannot decrypt data, and the server of the exit node and the access client force re-key negotiation every 2 hours, so that the session key is prevented from being obtained and cracked without being replaced for a long time.
Specifically, before the encryption communication protocol is invoked to perform dynamic route establishment, the method further includes: adapting the encryption communication protocol, where the encryption communication protocol is an end-to-end encrypted communication protocol based on data packet delivery with built-in multi-hop communication support; the bottom layer of the encryption communication protocol communicates through an asynchronous communication library interface, the upper layer uses a unified data packet read/write interface and an asynchronous callback interface, sending and receiving of data packets of up to 64 KB per packet is supported, different underlying data communication protocols (UDP/TCP/TLS) can be configured, the protocol has several built-in encryption algorithms, including AES256, AES128 and ChaCha20, to encrypt the data packets end to end, and different encryption suites can be configured through parameters.
The encryption communication protocol is designed as an end-to-end encrypted communication protocol based on data packet delivery, which greatly simplifies communication between a client and a remote server. Its built-in multi-hop support allows forwarding over at most 8 hops; before each user session begins, the protocol automatically performs dynamic route establishment, initiates a connection request to a random communication node, and enters the encrypted data communication state once the connection succeeds.
The asynchronous communication library is a cross-platform, fully asynchronous communication library written in pure C. It supports interfacing with industrial libraries such as LIBEV, OPENSSL and MBEDTLS, supports fully asynchronous communication over the three protocols TCP/UDP/TLS, implements asynchronous communication on the SELECT model, and has good compatibility. The library provides a unified abstract asynchronous IO event interface to the upper layer, with event start/stop and timer functions; it is easy to use, is the communication foundation of the whole access system, and ensures the efficiency and stability of the encryption communication protocol.
The encryption transmission protocol is adapted from the SS encryption protocol. Shadowsocks (SS for short) is an encrypted transmission protocol based on the Socks5 proxy model, and the name also refers to the various development packages that implement it. These packages are written in programming languages such as Python, C, C++, C#, Go and Rust, and most of the main implementations (except on the iOS platform) release their source code under free software licences such as the Apache licence, the GPL and the MIT licence. SS is divided into a server side and a client side: before use, the server program must be deployed on a server, and a local proxy is then connected and created through the client. The working principle of SS is essentially the same as that of other proxies: a specific relay server completes the data transfer. For example, a user who cannot access Google directly but can reach a proxy server connects to the proxy server through specific software; the proxy server fetches the website content and relays it back to the user, achieving proxied internet access. The server and client software may require that a password and an encryption method be provided, and the two must agree before the connection succeeds. After connecting to the server, the client builds a local Socks5 proxy (or a VPN, transparent proxy, etc.) on the local machine. When the user browses the network, the client collects the network traffic through the Socks5 (or other) proxy and sends it to the server under obfuscating encryption so that it is not identified and intercepted, and vice versa.
Deep packet inspection (DPI) is an application-layer technique for inspecting and processing data transmitted over the network, and is widely used for intrusion detection, traffic analysis and data mining. Literally, "deep" is relative to ordinary packet inspection: in contrast to ordinary packet inspection, DPI can inspect message content and protocol characteristics. DPI is used by ISPs to track user behaviour in order to improve the targeting of their advertising, and in recent years has been regarded by open-network advocates as one of the key technologies of the Great Firewall for detecting keywords and sniffing encrypted traffic. Given the necessary hardware, a suitable detection model (keyword filtering) and a corresponding pattern-matching algorithm, the Great Firewall can accurately and quickly identify, in the live network, suspicious traffic that deviates from the expected norm and promptly take the countermeasures the censor intends.
As shown in fig. 5 and 6, encrypting and decrypting the session messages in the secure communication link using the asymmetric encryption system based on the RSA public-key encryption algorithm includes:
S201, the access client connects to the server of the entry node over TLS using a digital certificate, and requests establishment of a server routing link to the designated exit node;
S202, the server of the entry node randomly generates a routing link table according to a routing policy, generates a random number A at the same time, and sends a link establishment request containing the random number A down the link;
S203, during the link establishment request, if an intermediate node in the link is unreachable, the request times out and the link establishment flow is restarted;
S204, if all intermediate nodes in the link are reachable, then once the data packet containing the random number A reaches the server of the exit node, the exit-node server generates connection parameters, encrypts them with the public key using RSA4096, and transmits the encrypted connection parameters back to the server of the entry node along the link;
S205, after the server of the entry node receives the data packet sent by the server of the exit node, it decrypts it with its private key to obtain the connection parameters;
S206, the server of the entry node transmits the random number A and the connection parameters to the access client over TLS;
S207, the access client and the server of the exit node each hash the random number A and the connection parameters with the SHA256 algorithm to generate the session key;
S208, the access client and the server of the exit node encrypt and decrypt the session messages using a symmetric encryption algorithm and the session key.
Optionally, the symmetric encryption algorithm is one of the encryption algorithms comprising AES256, AES128 and ChaCha20.
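The key establishment of steps S202 to S208, carried through in Go as an added example (not code from the patent or from its implementation): the exit node wraps its connection parameter with RSA-OAEP to the entry node's preset public key, the entry node unwraps it, both ends derive SHA256(A || parameter) as the session key, AES-256-GCM protects the session messages, and the 2-hour forced re-key is checked. The 32-byte lengths of A and of the parameter, the choice of OAEP padding and GCM mode, and running all three roles in one process are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Page parameters: RSA-4096 wrap, SHA-256 derivation, forced re-key every 2 h; the 32-byte lengths are assumed.
const rsaBits, valueLen = 4096, 32
const rekeyPeriod = 2 * time.Hour

// Session is one endpoint's (access client or exit node) negotiated state.
type Session struct {
	Key         [32]byte  // SHA256(A || connection parameter)
	Established time.Time // drives the forced re-key check
}
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}
// S204: the exit node generates its connection parameter and returns it RSA-OAEP
// wrapped to the entry node's preset public key; relays only see the ciphertext.
func exitNodeRespond(entryPub *rsa.PublicKey) (param, wrapped []byte, err error) {
	if param, err = randomBytes(valueLen); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, entryPub, param, nil)
	return param, wrapped, err
}
// S207: client and exit node each hash A || parameter into the session key.
func deriveSessionKey(a, param []byte, now time.Time) Session {
	return Session{Key: sha256.Sum256(append(append([]byte{}, a...), param...)), Established: now}
}
// NeedsRekey reports whether the forced re-key period has elapsed.
func (s Session) NeedsRekey(now time.Time) bool {
	return !now.Before(s.Established.Add(rekeyPeriod))
}
// aead builds AES-256-GCM over the session key; a 32-byte key cannot fail here.
func (s Session) aead() cipher.AEAD {
	block, _ := aes.NewCipher(s.Key[:])
	g, _ := cipher.NewGCM(block)
	return g
}
// S208: Seal encrypts a session message (AES256 is the page's default suite).
func (s Session) Seal(plaintext []byte) ([]byte, error) {
	g := s.aead()
	nonce, err := randomBytes(g.NonceSize())
	if err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil // nonce prefixed to ciphertext
}
// Open rejects truncated or tampered messages (the GCM tag check fails).
func (s Session) Open(msg []byte) ([]byte, error) {
	g := s.aead()
	if len(msg) < g.NonceSize() {
		return nil, fmt.Errorf("message shorter than %d-byte nonce", g.NonceSize())
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}
// EstablishSession runs S202-S207 in one process with a fresh entry-node key of
// the given size; S206 (entry node -> client over TLS) is not modelled.
func EstablishSession(bits int, now time.Time) (client, exit Session, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits) // entry node's key pair
	if err != nil {
		return
	}
	a, err := randomBytes(valueLen) // S202: random number A sent down the link
	if err != nil {
		return
	}
	param, wrapped, err := exitNodeRespond(&priv.PublicKey)
	if err != nil {
		return
	}
	// S205: the entry node unwraps the connection parameter with its private key.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return
	}
	return deriveSessionKey(a, unwrapped, now), deriveSessionKey(a, param, now), nil
}

func main() {
	client, exit, err := EstablishSession(rsaBits, time.Now())
	if err != nil {
		panic(err)
	}
	ct, _ := client.Seal([]byte("session message"))
	pt, err := exit.Open(ct)
	fmt.Printf("keys match: %v, decrypted: %q, err: %v\n", client.Key == exit.Key, pt, err)
}
```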
Routing policies are techniques for modifying routing information in order to change the route that network traffic traverses, primarily by changing routing attributes (including reachability). Policy routing is a more flexible packet forwarding mechanism than routing based on the destination network: with policy routing applied, the router decides how to handle a packet to be routed through a route map, and the route map determines the next-hop router for that packet. Policy routing is broadly of two types: one based on the destination address of the route, called destination address routing, and one based on the source address of the route, called source address routing; as policy routing has developed, a third mode, the intelligent balanced policy mode, has appeared. A routing policy is a control-plane behaviour whose object is a routing entry and which matches on routes, specifically the destination network segment, mask, next hop, metric, tag, community and the like.
In this embodiment, when the secure communication link is constructed, the system randomly selects relay nodes from the entry node, isolation node and exit node clusters; the entire secure communication link consists of at least three relay nodes, and up to 8 relay nodes can be configured. When the link is reconstructed, the original secure link is destroyed immediately, which avoids the risk of connecting directly to the proxy, so the local identity is not revealed even if some relay nodes are compromised. A bidirectional identity verification mechanism is used between the client and the server: the client verifies the certificate information of the server and the server verifies the client's account password, which prevents malicious access by a third party.
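Random link construction with the timeout-and-rebuild rule (S101, S202 to S204 and the summary above), as an added Go example that is not the patent's own code: a link is drawn as one entry node, hops-2 distinct isolation nodes in random order and one exit node; a table containing an unreachable node is discarded whole and a fresh one is drawn. The node reachability flags, the seedable generator and the attempt budget are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// Hop bounds from the page: at least three relay nodes, at most eight.
const minHops, maxHops = 3, 8

// Node is one relay. Reachable is a constructed flag that stands in for the
// real link-request round trip in this example.
type Node struct {
	ID        string
	Reachable bool
}

// Clusters holds the three pools a link is drawn from, in data-flow order.
type Clusters struct {
	Entry, Isolation, Exit []Node
}

// newRNG wraps a seedable generator so runs are reproducible; production code
// would draw its randomness from crypto/rand instead.
func newRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// buildLinkTable is S202's random route table: one entry node, hops-2 distinct
// isolation nodes in random order, one exit node.
func buildLinkTable(rng *rand.Rand, c Clusters, hops int) ([]Node, error) {
	if hops < minHops || hops > maxHops {
		return nil, fmt.Errorf("hop count %d outside [%d, %d]", hops, minHops, maxHops)
	}
	if len(c.Entry) == 0 || len(c.Exit) == 0 || len(c.Isolation) < hops-2 {
		return nil, errors.New("clusters too small for the requested hop count")
	}
	link := []Node{c.Entry[rng.Intn(len(c.Entry))]}
	for _, i := range rng.Perm(len(c.Isolation))[:hops-2] {
		link = append(link, c.Isolation[i])
	}
	return append(link, c.Exit[rng.Intn(len(c.Exit))]), nil
}

// firstUnreachable follows the downward link request hop by hop and returns the
// index of the first node that does not answer, or -1 when all are reachable.
func firstUnreachable(link []Node) int {
	for i, n := range link {
		if !n.Reachable {
			return i
		}
	}
	return -1
}

// EstablishLink is the S202-S204 loop: an unreachable node times the request
// out, the table is discarded, and a fresh random table is tried, up to
// maxAttempts times. It returns the working link and the attempts used.
func EstablishLink(rng *rand.Rand, c Clusters, hops, maxAttempts int) ([]Node, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		link, err := buildLinkTable(rng, c, hops)
		if err != nil {
			return nil, attempt, err
		}
		if firstUnreachable(link) == -1 {
			return link, attempt, nil
		}
		// timeout on this table: nothing of it is reused
	}
	return nil, maxAttempts, errors.New("no fully reachable link within the attempt budget")
}

// LinkIDs renders a link for logging.
func LinkIDs(link []Node) []string {
	ids := make([]string, len(link))
	for i, n := range link {
		ids[i] = n.ID
	}
	return ids
}

func main() {
	// Constructed clusters: one isolation node and one exit node are down.
	c := Clusters{
		Entry:     []Node{{"entry-1", true}, {"entry-2", true}},
		Isolation: []Node{{"iso-1", true}, {"iso-2", false}, {"iso-3", true}, {"iso-4", true}},
		Exit:      []Node{{"exit-1", true}, {"exit-2", false}},
	}
	link, attempts, err := EstablishLink(newRNG(7), c, 5, 50)
	fmt.Println(LinkIDs(link), attempts, err)
}
```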
Example 2
As shown in fig. 7, an embodiment of the present invention further provides a schematic hardware structure of an anti-tracing device based on multi-hop secure communication, where the device includes at least a processor 11, a memory 12 and a data bus 13. The data bus 13 implements the connection and communication between the processor 11 and the memory 12, and the memory 12 is a computer readable storage medium that can store at least one computer program which can be read, compiled and executed by the processor 11 to implement a corresponding process flow. In the present embodiment, the memory 12 is a computer readable storage medium in which an anti-tracing program based on multi-hop secure communication is stored; the program is executable by the processor 11 and implements the following:
invoking an encryption communication protocol to execute dynamic route establishment, constructing a safety communication link comprising an access client, an entrance node, an isolation node and an exit node, and randomly selecting at least three relay nodes in the entrance node, the isolation node and the exit node cluster;
initiating a connection request to a random communication node, and entering an encrypted data communication state after successful connection; encrypting and decrypting the session message in the secure communication link by adopting an RSA public key encryption algorithm asymmetric encryption system;
And constructing a bidirectional identity verification mechanism between the access client and the server side of the entry node, wherein the access client verifies the digital certificate information of the server side of the entry node, and the server side of the entry node verifies the account password of the access client.
Existing anti-tracing schemes commonly have security weaknesses such as a transparent access process and direct connection to the proxy. At the same time, the main risks of common tracing and network tracking technologies and of proxies are that a single-hop proxy is easy to trace, that the encryption protocol is open, and that an encryption key left unchanged for a long time is easy to analyse and capture. As shown in fig. 8, the difficulties encountered by conventional solutions are solved by the following techniques:
The private encryption communication protocol adopts a cross-platform, fully asynchronous communication library written in pure C, which supports interfacing with industrial libraries such as LIBEV, OPENSSL and MBEDTLS, supports fully asynchronous communication over the three protocols TCP/UDP/TLS, implements asynchronous communication on the SELECT model, and has good compatibility. The library provides a unified abstract asynchronous IO event interface to the upper layer, with event start/stop and timer functions; it is easy to use, is the communication foundation of the whole access system, and ensures the efficiency and stability of the encryption communication protocol.
In terms of communication security, the scheme uses 4096-bit RSA for the communication key exchange: the exit-node program has a prefabricated certificate public key, the user session key is negotiated through the RSA asymmetric cryptosystem, the key parameters are randomly generated by the two ends, and the key is forcibly re-negotiated every 2 hours. The system supports flexible encryption algorithm configuration and can configure different encryption policies for different users; the symmetric encryption suites AES256 (default), AES128 and ChaCha20 are prefabricated, and user data messages are encrypted end to end with the corresponding suite, ensuring that the user's network data is secure and controllable.
Multiple layers of encryption protection: the scheme forwards user communication data messages as ciphertext throughout and supports transparent proxying of the TCP/UDP/ICMP communication protocols; communication data is encrypted end to end with the AES256 (default), AES128 or ChaCha20 algorithm, and the session key is forcibly refreshed every 2 hours so that a key left unchanged for a long time cannot be cracked; the communication process uses a proprietary communication protocol; the client and server perform bidirectional identity authentication through account password and certificate, preventing malicious third-party access to the server.
Example 3
Another aspect of the embodiments of the present invention further provides a computer readable storage medium, where a multi-hop secure communication-based anti-tracing program is stored, where the multi-hop secure communication-based anti-tracing method of embodiment 1 is implemented when the multi-hop secure communication-based anti-tracing program is executed by a processor.
According to the anti-tracing method, device and computer readable storage medium based on multi-hop secure communication disclosed by the embodiments of the present invention, the adapted private encryption communication protocol reduces the risk of characteristic packets being detected and recorded and avoids interception; at the same time, the three built-in encryption algorithms AES256, AES128 and ChaCha20 encrypt the data packets end to end, and different users can encrypt their data with different algorithms. User communication data messages are forwarded as ciphertext throughout, and transparent proxying of the TCP/UDP/ICMP communication protocols is supported; communication data is encrypted end to end with the AES256 (default), AES128 or ChaCha20 algorithm; the client and server perform bidirectional identity authentication through account password and certificate, preventing malicious third-party access to the server.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. The method for preventing tracing based on multi-hop secure communication is characterized by comprising the following steps:
invoking an encryption communication protocol to execute dynamic route establishment, constructing a safety communication link comprising an access client, an entrance node, an isolation node and an exit node, and randomly selecting at least three relay nodes in the entrance node, the isolation node and the exit node cluster;
initiating a connection request to a random communication node, and entering an encrypted data communication state after successful connection; encrypting and decrypting the session message in the secure communication link by adopting an RSA public key encryption algorithm asymmetric encryption system;
and constructing a bidirectional identity verification mechanism between the access client and the server side of the entry node, wherein the access client verifies the digital certificate information of the server side of the entry node, and the server side of the entry node verifies the account password of the access client.
2. The multi-hop secure communication-based anti-trace-back method according to claim 1, further comprising:
when the connection of the encrypted data communication state is disconnected, a new secure communication link is reconstructed, and the original secure communication link is destroyed immediately.
3. The anti-tracing method based on multi-hop secure communication according to claim 1, wherein said encrypting and decrypting session messages in said secure communication link using an RSA public key encryption algorithm asymmetric encryption system specifically comprises:
transmitting a session key in the secure communication link using an asymmetric encryption system based on the RSA public-key encryption algorithm, presetting a certificate public key on the server of the exit node and on the access client, the access client obtaining the session key parameters directly over the TLS secure channel after connecting to the server of the entry node using the secure transport layer protocol TLS, and the server of the exit node negotiating the session key with the access client through the RSA asymmetric encryption system when the secure communication link is established.
4. The backtracking prevention method of multi-hop secure communication of claim 3, wherein the server of the egress node negotiates the session key using RSA asymmetric cryptosystem when the secure communication link is established, the method further comprising:
And the server of the exit node and the access client forcibly re-conduct key negotiation according to a preset time period, and the session key parameters are randomly generated by the two ends.
5. The multi-hop secure communication based anti-trace-back method according to claim 1, wherein before the invoking the encrypted communication protocol performs dynamic route chaining, the method further comprises:
adapting the encryption communication protocol, wherein the encryption communication protocol is an end-to-end encrypted communication protocol based on data packet delivery with built-in multi-hop communication support; the bottom layer of the encryption communication protocol communicates through an asynchronous communication library interface, the upper layer uses a unified data packet read/write interface and an asynchronous callback interface, sending and receiving of data packets of up to 64 KB per packet is supported, different underlying data communication protocols (UDP/TCP/TLS) can be configured, the encryption communication protocol has several built-in encryption algorithms, including AES256, AES128 and ChaCha20, to encrypt the data packets end to end, and different encryption suites can be configured through parameters.
6. The anti-tracing method based on multi-hop secure communication according to claim 1, wherein said encrypting and decrypting session messages in said secure communication link using an RSA public key encryption algorithm asymmetric encryption system comprises:
The access client connecting to the server of the ingress node through TLS using a digital certificate, requesting establishment of a server routing link to the designated egress node;
the server of the entry node randomly generates a routing link table according to a routing strategy, generates a random number A at the same time, and downwards sends out a link establishment request containing the random number A;
when the server of the exit node receives the data packet containing the random number A, generating connection parameters, encrypting the connection parameters with the public key using RSA4096, and transmitting the encrypted connection parameters back to the server of the entry node along the link;
after receiving the data packet sent from the server of the exit node, the server of the entrance node unwraps with a private key to obtain the connection parameters;
the server of the entry node transmits the random number A and the connection parameter to the access client through TLS;
the server of the access client and the exit node respectively utilize SHA256 algorithm to hash the random number A and the connection parameter to generate a session key;
and the server of the access client and the exit node encrypts and decrypts the session message by utilizing a symmetrical encryption algorithm and a session key.
7. The anti-tracing method based on multi-hop secure communication according to claim 6, wherein after the step in which the server of the ingress node randomly generates a routing link table according to a routing policy, generates a random number A at the same time, and sends a link establishment request containing the random number A down the link, the method comprises:
in the process of requesting link establishment, if an intermediate node in the link is unreachable, a timeout occurs and the link establishment flow is restarted;
if all intermediate nodes in the link are reachable, after the data packet containing the random number A reaches the server of the egress node, the server of the egress node generates a connection parameter, encrypts the connection parameter with RSA4096 using a public key, and transmits the encrypted connection parameter back to the server of the ingress node along the link.
8. The anti-tracing method based on multi-hop secure communication according to claim 7, wherein said symmetric encryption algorithm is one of the encryption algorithms comprising AES256, AES128 and ChaCha20.
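The link establishment of claims 6 to 8, as an added example that is not code from the patent: the ingress server's random number A and the egress server's RSA-wrapped connection parameter are combined with SHA-256 into one session key that the access client and the egress server derive independently. RSA-OAEP with SHA-256, the 32-byte value sizes and the use of Go's standard library are assumptions (the claims say only "RSA4096" and "SHA256"); the relay hops, the timeout of claim 7 and the client's TLS session are not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SessionKey follows claim 6: SHA-256 over the ingress nonce A and the egress
// connection parameter; the 32-byte digest serves directly as an AES-256 key.
func SessionKey(nonceA, connParam []byte) []byte {
	h := sha256.New()
	h.Write(nonceA)
	h.Write(connParam)
	return h.Sum(nil)
}

// EstablishLink simulates the claim-6 exchange and returns the client-side and
// egress-side keys, which must agree. RSA-OAEP/SHA-256 is an assumption here.
func EstablishLink(rsaBits int) (clientKey, egressKey []byte, err error) {
	// Ingress server: owns the RSA key pair and generates random number A.
	ingressPriv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, nil, err
	}
	nonceA := make([]byte, 32) // 32-byte sizes are constructed choices
	rand.Read(nonceA)          // crypto/rand.Read always fills the buffer
	// Egress server: fresh connection parameter, wrapped with the ingress public key.
	connParam := make([]byte, 32)
	rand.Read(connParam)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ingressPriv.PublicKey, connParam, nil)
	if err != nil {
		return nil, nil, err
	}
	// Ingress server: unwraps, then forwards A and the parameter to the client over TLS.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ingressPriv, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	return SessionKey(nonceA, unwrapped), SessionKey(nonceA, connParam), nil
}

func main() {
	ck, ek, err := EstablishLink(4096) // the key size named in claims 6 and 7
	if err != nil {
		panic(err)
	}
	fmt.Println("session keys agree:", string(ck) == string(ek))
}
```

Because the ingress server sees both A and the unwrapped connection parameter, it can derive the same session key; the end-to-end property of this exchange therefore rests on the ingress node being trusted.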
9. An anti-tracing device based on multi-hop secure communication, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program, when executed by the processor, implementing the following:
invoking an encryption communication protocol to perform dynamic route establishment, constructing a secure communication link comprising an access client, an ingress node, an isolation node and an egress node, and randomly selecting at least three relay nodes from the ingress node, isolation node and egress node clusters;
initiating a connection request to a random communication node, and entering an encrypted data communication state after the connection succeeds; encrypting and decrypting session messages in the secure communication link using an asymmetric encryption system based on the RSA public key encryption algorithm;
and constructing a bidirectional identity verification mechanism between the access client and the server side of the ingress node, wherein the access client verifies the digital certificate information of the server side of the ingress node, and the server side of the ingress node verifies the account password of the access client.
10. A computer readable storage medium, wherein an anti-tracing program based on multi-hop secure communication is stored on the computer readable storage medium, and the anti-tracing program based on multi-hop secure communication implements the steps of the anti-tracing method based on multi-hop secure communication according to any one of claims 1-8 when executed by a processor.
Application CN202311252792.7A, priority date 2023-09-27, filing date 2023-09-27: Anti-tracing method and device based on multi-hop secure communication and readable storage medium, Pending, CN117319027A (en)

Publications (1)

Publication Number Publication Date
CN117319027A (en) 2023-12-29

Family

ID=89261482

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination