CN117749855A - Secure data transmission method, system, terminal and computer program product - Google Patents

Info

Publication number: CN117749855A
Authority: CN (China)
Prior art keywords: terminal, data, tls, ssl, security
Legal status: Pending (as listed by Google Patents; this is an assumption, not a legal conclusion)
Application number: CN202211116984.0A
Other languages: Chinese (zh)
Inventors: 鲁瑞, 陈战伟, 王晓颖, 赵峰, 温会平, 侯建卫
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Shanxi Co Ltd (listing may be inaccurate; not legally verified by Google)
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Shanxi Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Shanxi Co Ltd; priority application CN202211116984.0A; published as CN117749855A; legal status: pending. Priority, filing and publication dates are not given on this page.

Abstract

The application relates to the technical field of data characteristic optimization and provides a secure data transmission method, system, terminal and computer program product comprising the following steps: the first terminal and the third terminal perform TLS/SSL connection establishment to generate a first security assurance channel; when the first terminal detects that the security data sent to the third terminal needs to pass through the second terminal, the first terminal and the second terminal perform TLS/SSL connection establishment to generate a second security assurance channel; the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel, carries the information intended for the second terminal in the message of that TLS/SSL data, encrypts the whole through the second security assurance channel to obtain first encrypted data, and sends the first encrypted data to the second terminal. The second terminal can thus distinguish specific data types and data transmission modes and provide a customized data transmission optimization mode and guarantee scheme for the user.

Description

Secure data transmission method, system, terminal and computer program product
Technical Field
The present application relates to the field of data characteristic optimization technology, and in particular to a secure data transmission method, system, terminal and computer program product.
Background
Currently, many application layer protocols (HTTP, FTP, SMTP, etc.) have network security issues. Take HTTP (HyperText Transfer Protocol), the application layer communication protocol between a client browser or other program and a Web server, as an example.
HTTP transmits information in plaintext: once a transmission message is intercepted, its content is leaked; if the message is tampered with in transit, the tampering is not easily discovered; and the identity of the peer in the message exchange cannot be guaranteed.
To solve such problems, the SSL/TLS protocol is inserted between the application layer and the transport layer, giving HTTPS (HyperText Transfer Protocol over Secure Socket Layer). TLS (Transport Layer Security) is the standardized successor of SSL (Secure Sockets Layer) and can be understood as an upgrade of SSL.
TLS is a protocol built on top of the transport layer TCP protocol and serving the application layer; its predecessor is SSL (Secure Socket Layer). It encrypts application layer messages before they are transmitted over TCP. HTTPS can be understood as HTTP + SSL/TLS, i.e. HTTP with an SSL layer added; the security basis of HTTPS is SSL, so the details of encryption for secure HTTP data transfer are handled by SSL.
However, when a security protocol is used for data transmission, the data packet, including its header fields and data content, is essentially all encrypted. This renders the network operator's conventional deep packet inspection (DPI) of the data packet ineffective: the operator cannot distinguish specific data types and data transmission modes, and so cannot provide a customized data transmission optimization mode and guarantee scheme for the user.
Disclosure of Invention
The embodiments of the present application provide a secure data transmission method, system, terminal and computer program product, which solve the technical problem that a network operator cannot obtain the data content of a security protocol flowing through it and therefore cannot provide targeted communication optimization.
In a first aspect, an embodiment of the present application provides a secure data transmission method, including: the first terminal initiates a TCP connection request to the third terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a first security assurance channel; when the first terminal detects that the security data sent to the third terminal needs to pass through the second terminal, it triggers a TLS/SSL+TCP/IP protocol stack working mechanism based on a preset policy; based on that mechanism, the first terminal initiates a TCP connection request to the second terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel; the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel, carries the information intended for the second terminal in the message of that TLS/SSL data, and encrypts the whole through the second security assurance channel to obtain first encrypted data; the first terminal transmits the first encrypted data to the second terminal.
In one embodiment, carrying the information sent to the second terminal in the TLS/SSL data packet of the first security assurance channel includes: packing the information sent by the first terminal to the second terminal in the option field of the inner-layer IP packet header; or packing it in the next header and extension header fields of the inner-layer IPv6 packet header.
In one embodiment, the first terminal encapsulating and encrypting the security data in the TLS/SSL data of the first security assurance channel includes: the first terminal processes the security data into encrypted data through the TLS/SSL data of the first security assurance channel, wherein the encrypted data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header and the security data.
In one embodiment, the first encrypted data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header, an IP header, the information sent to the second terminal, a TCP header, a TLS/SSL header and the security data.
In one embodiment, the secure data transmission method further comprises: when the first terminal detects that the security data sent to the third terminal does not need to pass through the second terminal, the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel and sends the result directly to the third terminal.
In a second aspect, an embodiment of the present application provides a secure data transmission method, including: the second terminal responds to the TCP connection request from the first terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel; the second terminal initiates a TCP connection request to the third terminal and performs TLS/SSL connection establishment after the TCP connection is established; the second terminal receives the first encrypted data sent by the first terminal, wherein the first encrypted data comprises the security data to be received by the third terminal and the information to be received by the second terminal; the second terminal decrypts the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal; the second terminal sends the security data to be received by the third terminal to the third terminal.
In one embodiment, the second terminal sending the security data to be received by the third terminal to the third terminal includes: the second terminal sends the data decrypted through the second security assurance channel to the third terminal, wherein that data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header and the security data.
In a third aspect, an embodiment of the present application provides a secure data transmission system, including a first terminal, a second terminal and a third terminal. The first terminal is used for: initiating a TCP connection request to the third terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating a first security assurance channel; when it detects that the security data sent to the third terminal needs to pass through the second terminal, triggering a TLS/SSL+TCP/IP protocol stack working mechanism based on a preset policy; based on that mechanism, initiating a TCP connection request to the second terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating a second security assurance channel; encapsulating and encrypting the security data in the TLS/SSL data of the first security assurance channel, carrying the information intended for the second terminal in the message of that TLS/SSL data, and encrypting the whole through the second security assurance channel to obtain first encrypted data; and transmitting the first encrypted data to the second terminal. The second terminal is used for: responding to the TCP connection request from the first terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating the second security assurance channel; initiating a TCP connection request to the third terminal and performing TLS/SSL connection establishment after the TCP connection is established; receiving the first encrypted data sent by the first terminal, wherein the first encrypted data comprises the security data to be received by the third terminal and the information to be received by the second terminal; decrypting the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal; and sending the security data to be received by the third terminal to the third terminal. The third terminal is used for: responding to the TCP connection request from the first terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating the first security assurance channel; and responding to the TCP connection request from the second terminal and performing TLS/SSL connection establishment after the TCP connection is established.
In a fourth aspect, an embodiment of the present application provides an electronic device, including a processor and a memory storing a computer program, where the processor implements the steps of the secure data transmission method of the first or second aspect when executing the program.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of the secure data transmission method of the first or second aspect.
According to the secure data transmission method, system, terminal and computer program product described above, when the first terminal detects that security data sent to the third terminal needs to pass through the second terminal, a TLS/SSL+TCP/IP protocol stack working mechanism is triggered based on a preset policy; the first terminal initiates a TCP connection request to the second terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel; the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel, carries the information intended for the second terminal in the message of that TLS/SSL data, and encrypts the whole through the second security assurance channel to obtain first encrypted data. In this way, on top of end-to-end encrypted transmission, the second terminal acquires a selected part of the data according to a specific policy, so that a finer-grained customized data transmission optimization mode and guarantee scheme can be provided for the user and the user experience is improved.
Drawings
For a clearer description of the present application or of the prior art, the drawings that are used in the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a secure data transmission method according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of the TLS handshake procedure of the TLS protocol provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of the TLS record protocol of the TLS protocol provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of the TLS/SSL+TCP/IP protocol stack working mechanism provided by an embodiment of the present application;
Fig. 5 is a schematic diagram of the structure of encrypted data according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of first encrypted data provided in an embodiment of the present application;
Fig. 7 is a second flow chart of a secure data transmission method according to an embodiment of the present application;
Fig. 8 is one of the signaling diagrams of a secure data transmission method according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of second encrypted data provided in an embodiment of the present application;
Fig. 10 is a second signaling diagram of a secure data transmission method according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Referring to fig. 1, fig. 1 is a flow chart of a secure data transmission method according to an embodiment of the present application. In this embodiment the secure data transmission method is applied to the first terminal and may include steps S110 to S150, as follows:
S110: the first terminal initiates a TCP connection request to the third terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a first security assurance channel.
It should be noted that a terminal in this application is an input/output device connected to a computer system. Optionally, the first terminal may be a user terminal or client, the second terminal may be a network operator, and the third terminal may be a content provider.
To ensure data transmission security, content encryption is used between the first terminal and the third terminal. TLS/SSL is taken as the encryption means for illustration:
The TLS protocol mainly solves the following three network security problems:
1. Privacy (message confidentiality): all information is transmitted encrypted, so a third party cannot sniff it;
2. Integrity (message integrity): through a MAC check mechanism, any tampering is discovered by both parties immediately;
3. Authentication (mutual authentication): both parties authenticate each other and can each be equipped with a certificate, preventing identity impersonation.
The TLS protocol can be divided into two parts: 1. the handshake protocol (Handshake Protocol), in which the client and server negotiate a set of keys for encrypting the data transmission; 2. the record protocol (Record Protocol), which performs encrypted data transmission using the keys negotiated by the client and server.
TLS handshake procedure: the handshake protocol is a very important part of the TLS protocol; through interaction between the client and the server it generates a shared key, exchanges certificates and shares other necessary information. Referring to fig. 2, fig. 2 is a schematic flow chart of the TLS handshake procedure of the TLS protocol according to an embodiment of the present application. The procedure comprises the following 15 steps:
Step 1. ClientHello: the client sends the highest SSL/TLS protocol version it supports, its supported set of encryption algorithms, its supported compression methods and other information to the server.
Step 2. ServerHello: after receiving the client information, the server selects an SSL/TLS protocol version, encryption method and compression method supported by both parties and returns them to the client.
Step 3 (optional). SendCertificate: the server sends the server certificate to the client.
Step 4 (optional). RequestCertificate: if two-way authentication is selected, the server requests the client certificate from the client.
Step 5. ServerHelloDone: the server informs the client that the initial negotiation has ended.
Step 6 (optional). ResponseCertificate: if two-way authentication is selected, the client sends the client certificate to the server.
Step 7. ClientKeyExchange: the client encrypts the client public key and the key seed with the server's public key and sends them to the server.
Step 8 (optional). AuthenticationVerify (the TLS CertificateVerify message): if two-way authentication is selected, the client generates a digital signature with its local private key and sends it to the server, which verifies it with the received client public key.
Step 9. CreateSecretKey: both communicating parties generate the communication key from the key seed and other information.
Step 10. ChangeCipherSpec: the client informs the server that the communication mode has switched to encryption mode.
Step 11. Finished: the client is ready for encrypted communication.
Step 12. ChangeCipherSpec: the server informs the client that the communication mode has switched to encryption mode.
Step 13. Finished: the server is ready for encrypted communication.
Step 14. Encrypted/DecryptedData: both sides encrypt the communication content with a symmetric encryption algorithm using the client key.
Step 15. CloseConnection: after communication ends, either party issues a message to disconnect the SSL connection.
The TLS record protocol is mainly responsible for message compression, encryption and data authentication. Referring to fig. 3, fig. 3 is a schematic diagram of the TLS record protocol of the TLS protocol according to an embodiment of the present application.
The message is first fragmented, then compressed, then its message authentication code is calculated, and then it is encrypted with a symmetric cipher in CBC mode whose initialization vector is derived from the master secret. After the ciphertext is obtained, other information such as type, version and length is added, forming the final record data.
In summary, using SSL/TLS achieves encryption (anti-eavesdropping), authentication (anti-impersonation) and integrity protection (tamper-proofing). The first terminal initiates a TCP connection request to the third terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a first security assurance channel, thereby obtaining a communication key. The communication key is used to encrypt and encapsulate the service data.
S120: when the first terminal detects that the security data sent to the third terminal needs to pass through the second terminal, a TLS/SSL+TCP/IP protocol stack working mechanism is triggered based on a preset policy.
Here the security data can be understood as encrypted service data.
When an intermediate entity such as the second terminal exists between the first terminal and the third terminal, the second terminal cannot read the first terminal's encrypted data because of SSL/TLS, so a customized data transmission mode cannot be provided to the client.
Therefore, a preset policy is configured in the first terminal in advance, adapted to the TLS/SSL+TCP/IP protocol stack working mechanism. When the second terminal needs to obtain certain service information in a specific scenario, the first terminal and the third terminal optimize their protocol stacks by adding a further TLS/SSL+TCP/IP protocol stack layer beneath the original TLS/SSL+TCP/IP stack. The header of the added layer (for example, the IP header) carries the information that the second terminal needs to parse from the first terminal or the third terminal, together with the upper TCP/IP packet, and this information is securely encapsulated through a new security assurance channel that may be established between the first terminal and the second terminal and between the second terminal and the third terminal. In this way the second terminal can parse the key information without disturbing the top-layer content encryption mechanism, and the security of information transmission along the whole chain of first, second and third terminals is preserved.
Optionally, in the transmission direction first terminal -> second terminal -> third terminal, the third security assurance channel (channel 3) is optional, and in the transmission direction third terminal -> second terminal -> first terminal, the second security assurance channel (channel 2) is optional. Referring to fig. 4, fig. 4 is a schematic diagram of the TLS/SSL+TCP/IP protocol stack working mechanism provided in an embodiment of the present application.
Optionally, in a scenario that does not require the second terminal to acquire specific service information, the data need not be encapsulated by the newly added TLS/SSL+TCP/IP protocol stack and is passed directly to layer one/layer two for processing.
S130: based on the TLS/SSL+TCP/IP protocol stack working mechanism, the first terminal initiates a TCP connection request to the second terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel.
In response to the TLS/SSL+TCP/IP protocol stack working mechanism, the first terminal establishes a TLS/SSL connection with the second terminal, generates the second security assurance channel (channel 2) and generates a communication key.
S140: the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel, carries the information intended for the second terminal in the message of that TLS/SSL data, and encrypts the whole through the second security assurance channel to obtain first encrypted data.
S150: the first terminal transmits the first encrypted data to the second terminal.
According to the secure data transmission method provided by this embodiment of the application, when the first terminal detects that security data sent to the third terminal needs to pass through the second terminal, a TLS/SSL+TCP/IP protocol stack working mechanism is triggered based on a preset policy; the first terminal initiates a TCP connection request to the second terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel; the first terminal encapsulates and encrypts the security data in the TLS/SSL data of the first security assurance channel, carries the information intended for the second terminal in the message of that TLS/SSL data, and encrypts the whole through the second security assurance channel to obtain first encrypted data. In this way, on top of end-to-end encrypted transmission, the second terminal acquires a selected part of the data according to a specific policy, so that a finer-grained customized data transmission optimization mode and guarantee scheme can be provided for the user and the user experience is improved.
Optionally, carrying the information sent to the second terminal in the TLS/SSL data packet of the first security assurance channel includes:
packing the information sent by the first terminal to the second terminal in the option field of the inner-layer IP packet header; or packing it in the next header and extension header fields of the inner-layer IPv6 packet header.
Optionally, the first terminal encapsulating and encrypting the security data in the TLS/SSL data of the first security assurance channel includes:
the first terminal processes the security data into encrypted data through the TLS/SSL data of the first security assurance channel, wherein the encrypted data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header and the security data. Referring to fig. 5, fig. 5 is a schematic structural diagram of encrypted data according to an embodiment of the present application.
Optionally, the first encrypted data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header, an IP header, the information sent to the second terminal, a TCP header, a TLS/SSL header and the security data. Referring to fig. 6, fig. 6 is a schematic structural diagram of first encrypted data according to an embodiment of the present application.
Referring to fig. 7, fig. 7 is a second flow chart of a secure data transmission method according to an embodiment of the present application. The secure data transmission method of this embodiment is applied to the second terminal and includes steps S210 to S250, as follows:
S210: the second terminal responds to the TCP connection request from the first terminal, performs TLS/SSL connection establishment after the TCP connection is established, and generates a second security assurance channel.
S220: the second terminal initiates a TCP connection request to the third terminal and performs TLS/SSL connection establishment after the TCP connection is established.
S230: the second terminal receives the first encrypted data sent by the first terminal.
The first encrypted data comprises the security data to be received by the third terminal and the information to be received by the second terminal.
S240: the second terminal decrypts the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal.
S250: the second terminal sends the security data to be received by the third terminal to the third terminal.
Optionally, the second terminal sending the security data to be received by the third terminal to the third terminal includes:
the second terminal sends the data decrypted through the second security assurance channel to the third terminal, wherein that data comprises, in order from left to right, an IP header, a TCP header, a TLS/SSL header and the security data.
Optionally, after the second terminal initiates a TCP connection request to the third terminal and performs TLS/SSL connection establishment following the TCP connection establishment, the method further includes:
generating a third security assurance channel between the second terminal and the third terminal; the second terminal sending the security data to be received by the third terminal to the third terminal then includes: the second terminal encrypts the security data as a whole through the third security assurance channel to obtain second encrypted data, and transmits the second encrypted data to the third terminal.
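The encapsulation of S140 and the second terminal's extraction of S240/S250, in the fig. 6 layout with the IPv4 option variant of the information carried to the second terminal, as an added example that is not code from the patent: it builds the inner IP | TCP | TLS | data packet with the operator-facing information in the inner IPv4 options field, and parses that packet as terminal B would after channel-2 decryption, reading only the option and the headers while forwarding the channel-1 record untouched. The option number (30, the experimental option of RFC 4727), the addresses, ports and record bytes are assumptions; the outer channel-2 TLS protection and a real channel-1 record are not reproduced.

```python
import socket
import struct

IPOPT_EOL = 0   # end of option list (also used as padding)
IPOPT_NOP = 1   # no-operation
# The patent does not name which IPv4 option carries the operator-facing
# information; this example assumes the experimental option number 30 that
# RFC 4727 reserves for experiments (copied flag 0, control class).
IPOPT_EXP = 30


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_operator_option(info: bytes) -> bytes:
    """Wrap info as one type/length/value option, padded to a 32-bit boundary."""
    # IHL is at most 15 words, so options occupy at most 40 bytes; 2 go to type+length.
    if len(info) > 38:
        raise ValueError("operator info does not fit in an IPv4 options field")
    option = bytes([IPOPT_EXP, len(info) + 2]) + info
    return option + bytes(-len(option) % 4)


def build_inner_packet(src: str, dst: str, dst_port: int,
                       tls_record: bytes, operator_info: bytes) -> bytes:
    """Inner IP | TCP | TLS | data layout of fig. 5/6, with the operator info in
    the IP options field. tls_record is already protected by channel 1, so it
    is opaque here; only its 5-byte record header stays readable."""
    options = encode_operator_option(operator_info)
    ihl = 5 + len(options) // 4
    # Minimal TCP header: constructed ports/sequence numbers, PSH|ACK, no options.
    tcp = struct.pack("!HHIIBBHHH", 49152, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp) + len(tls_record)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                     0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip += options
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + tls_record


def operator_view(inner: bytes) -> dict:
    """What terminal B can learn after decrypting channel 2 (S240): the inner
    IP/TCP headers, its own option, and the inner TLS record header. The record
    body stays encrypted under channel 1 and is forwarded unchanged (S250)."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (inner[0] & 0x0F) * 4
    total_len = struct.unpack("!H", inner[2:4])[0]
    if ihl < 20 or total_len < ihl + 20 or len(inner) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if ipv4_checksum(inner[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    # Walk the option list with explicit bounds checks: a malformed length is
    # rejected rather than skipped, so B never reads past the header.
    info, opts, i = None, inner[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option")
        if kind == IPOPT_EXP:
            info = opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]
    tcp = inner[ihl:ihl + 20]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    rec = inner[ihl + data_off:total_len]
    if len(rec) < 5:
        raise ValueError("inner payload is not a TLS record")
    rec_ver, rec_len = struct.unpack("!HH", rec[1:5])
    return {
        "operator_info": info,
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "dst_port": dst_port,
        "tls_type": rec[0], "tls_version": rec_ver, "tls_len": rec_len,
        "forward": inner,  # bytes handed on toward terminal C, untouched
    }


def sample_packet() -> bytes:
    """Constructed sample: 16 opaque bytes stand in for a channel-1 TLS
    application-data record (type 0x17, version 0x0303)."""
    record = b"\x17\x03\x03" + struct.pack("!H", 16) + bytes(range(16))
    return build_inner_packet("10.0.0.1", "203.0.113.10", 443, record,
                              b"app-id=42;browser")


def tampered_sample() -> bytes:
    """Sample whose option length claims 60 bytes, with the checksum refreshed so
    that only the option bounds check prevents an out-of-header read."""
    bad = bytearray(sample_packet())
    bad[21] = 60
    bad[10:12] = b"\x00\x00"
    bad[10:12] = struct.pack("!H", ipv4_checksum(bytes(bad[:(bad[0] & 0x0F) * 4])))
    return bytes(bad)


def rejects(packet: bytes) -> bool:
    """True if B's parser refuses the packet instead of guessing."""
    try:
        operator_view(packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    view = operator_view(sample_packet())
    print(view["operator_info"], view["inner_dst"], view["dst_port"], view["tls_len"])
```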
The application also provides a secure data transmission system comprising a first terminal, a second terminal and a third terminal.
The first terminal is used for: initiating a TCP connection request to the third terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating a first security assurance channel; when it detects that the security data sent to the third terminal needs to pass through the second terminal, triggering a TLS/SSL+TCP/IP protocol stack working mechanism based on a preset policy; based on that mechanism, initiating a TCP connection request to the second terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating a second security assurance channel; encapsulating and encrypting the security data in the TLS/SSL data of the first security assurance channel, carrying the information intended for the second terminal in the message of that TLS/SSL data, and encrypting the whole through the second security assurance channel to obtain first encrypted data; and transmitting the first encrypted data to the second terminal. The second terminal is used for: responding to the TCP connection request from the first terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating the second security assurance channel; initiating a TCP connection request to the third terminal and performing TLS/SSL connection establishment after the TCP connection is established; receiving the first encrypted data sent by the first terminal, wherein the first encrypted data comprises the security data to be received by the third terminal and the information to be received by the second terminal; decrypting the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal; and sending the security data to be received by the third terminal to the third terminal. The third terminal is used for: responding to the TCP connection request from the first terminal, performing TLS/SSL connection establishment after the TCP connection is established, and generating the first security assurance channel; and responding to the TCP connection request from the second terminal and performing TLS/SSL connection establishment after the TCP connection is established.
In the following description the three terminals are a content provider, a network operator and a user terminal. Referring to fig. 8, fig. 8 is a signaling diagram of a secure data transmission method according to an embodiment of the present disclosure.
Embodiment one: encryption and decryption at the second terminal (information carried in the IPv4 option field)
For convenience, the following embodiments refer to the first terminal as end A, the second terminal as end B and the third terminal as end C (end A is the user side that issues the service request, end B the operator node that serves it, and end C the content server).
0. End A (e.g. a browser or an application APP) initiates a service request.
1. Triggered by the service request, end A initiates a TCP connection request to end C, performs TLS/SSL connection establishment once the TCP connection is up, and generates a communication key (first security assurance channel 1). The IP packet format of data encrypted with the key of channel 1 is shown in fig. 5: IP header, TCP header, TLS/SSL header, data.
2. Based on a preset policy, such as a specific indication at end A (browser type, application APP ID), end A decides whether to trigger the underlying TLS/SSL+TCP/IP protocol stack working mechanism. If end B is required to provide a service, the IP packet from step 1 is handed to the newly added TLS/SSL+TCP/IP protocol stack; if not, it is passed directly to the lower layer. The preset policy can be preconfigured at end A to determine which data needs to be encapsulated by the added stack. The identification can use browser indication information, APP ID information, IP address information and the like: an APP ID can be identified through the transport port and an IP address through the IP packet information; this application does not limit the method.
3. Once step 2 has triggered processing by the added TLS/SSL+TCP/IP protocol stack, end A initiates a TCP connection request to end B, performs TLS/SSL connection establishment once the TCP connection is up, and generates a communication key (second security assurance channel 2).
4. End B initiates a TCP connection request to end C. In the transmission direction end A -> end B -> end C, the TCP connection is established, the added TLS/SSL connection is then optionally established, and a communication key is generated (third security assurance channel 3; its TLS/SSL establishment is optional).
5. End A encapsulates and encrypts the data content in the TLS/SSL data of channel 1, carries the information intended for end B in the IP header that wraps the channel-1 TLS/SSL packet, and encrypts the whole IP packet with the key negotiated for channel 2. The IP data encapsulation format is shown in fig. 6: outer IP header, TCP header, TLS/SSL header, then the inner IP header carrying the information for end B, TCP header, TLS/SSL header and the data.
The data sent from end A to end B is carried in the option field of the inner IP header, as shown in the following figure.
6. End A sends the packet assembled in step 5 to end B.
7. End B decrypts the data from step 5 with the key negotiated in step 3 and obtains, from the inner IP header, the information end A sent to end B, which includes the service transmission mode, service type, service transmission quality requirements and the like. At the same time it removes the encapsulation of channel 2, i.e. decrypts the outer TLS/SSL data of step 5, strips the outer encapsulation, and sends the data content on to end C. The encapsulation of the data sent to end C is shown in fig. 5.
The information carried in the option field of the inner IP header may be deleted when channel 3 is not established in step 8; when channel 3 exists in step 8, the option field information can be retained.
8. End B sends the data to end C, with channel 3 as an option.
When channel 3 is not established in step 8, the packet format from end B to end C is shown in fig. 5.
When channel 3 exists in step 8, the encapsulation format from end B to end C is shown in fig. 9. Fig. 9 is a schematic structural diagram of the second encrypted data provided in an embodiment of the present application.
End C decrypts the data received in step 8 with the key negotiated in step 4 (channel 3, where it was established) and then recovers the data content with the channel-1 key generated in step 1.
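The steps above, as an added example that is not part of the patent or of any implementation by the applicant: a stdlib-only Python model of end A's step-5 encapsulation, end B's step-7/8 processing and end C's final decryption. The three channels are modelled by a small encrypt-then-MAC record format (SHA-256 counter keystream plus HMAC-SHA256) standing in for TLS/SSL record protection, the TCP headers are placeholders, and the IPv4 option number 30 (RFC 4727 experimental), the key=value encoding of the service information and the addresses are all assumptions. It shows what the figures imply but do not spell out: end B can read the option only after opening channel 2, it never holds the channel-1 key so the application data stays opaque to it, and when channel 3 is absent it rebuilds the inner IPv4 header (IHL, total length, checksum) after dropping the option, as step 7 requires.

```python
import hashlib
import hmac
import os
import socket
import struct

# Assumed values, not from the patent: experimental IPv4 option number 30
# (RFC 4727) carries the end-A -> end-B information; addresses are illustrative.
OPT_TYPE = 0x1E
END_A, END_B, END_C = "10.0.0.10", "10.0.0.20", "10.0.0.30"
# 20-byte placeholder TCP header (checksum not computed); stands in for the
# TCP layer of each channel so the packet layout matches figs. 5 and 6.
TCP_STUB = struct.pack(">HHIIBBHHH", 443, 443, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                    for i in range(n // 32 + 1))

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for TLS record protection: SHA-256 counter keystream, then
    HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC). Demo only."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, "sha256").digest()
    return nonce + ct + tag

def _open(key: bytes, record: bytes) -> bytes:
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    want = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("channel record authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def _csum(data: bytes) -> int:
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack(f">{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """IPv4 header (protocol 6) + payload; options are padded to 32 bits."""
    options += b"\0" * (-len(options) % 4)
    if len(options) > 40:
        raise ValueError("IPv4 option space is limited to 40 bytes")
    hdr = struct.pack(">BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack(">H", _csum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if _csum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total = struct.unpack(">H", pkt[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "options": pkt[20:ihl], "payload": pkt[ihl:total]}

def encode_info(info: dict) -> bytes:
    """One IPv4 option (type, length, data) holding key=value pairs for end B."""
    body = ";".join(f"{k}={v}" for k, v in info.items()).encode()
    return bytes([OPT_TYPE, 2 + len(body)]) + body

def decode_info(options: bytes) -> dict:
    i = 0
    while i < len(options) and options[i] != 0:        # 0 = end of option list
        if options[i] == 1:                            # 1 = NOP, one byte
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if kind == OPT_TYPE:
            return dict(p.split("=", 1) for p in options[i + 2:i + length].decode().split(";"))
        i += length
    return {}

def end_a_encapsulate(k1: bytes, k2: bytes, info: dict, app_data: bytes) -> bytes:
    """Step 5: inner = IP(A->C, option=info) | TCP | channel-1 record(app_data);
    outer = IP(A->B) | TCP | channel-2 record(inner). Channel 1 stays end to end."""
    inner = build_ipv4(END_A, END_C, TCP_STUB + _seal(k1, app_data), encode_info(info))
    return build_ipv4(END_A, END_B, TCP_STUB + _seal(k2, inner))

def end_b_process(k2: bytes, pkt: bytes, k3: bytes = b"") -> tuple:
    """Steps 7-8: open channel 2, read the option, forward the inner packet.
    Without channel 3 the option is stripped (header rebuilt, IHL/length/checksum
    recomputed); with channel 3 it is kept and the packet re-wrapped for C."""
    inner = _open(k2, parse_ipv4(pkt)["payload"][20:])     # skip the TCP stub
    ip = parse_ipv4(inner)
    info = decode_info(ip["options"])
    if not k3:
        return info, build_ipv4(ip["src"], ip["dst"], ip["payload"])
    return info, build_ipv4(END_B, END_C, TCP_STUB + _seal(k3, inner))

def end_c_receive(k1: bytes, pkt: bytes, k3: bytes = b"") -> bytes:
    """End C: undo channel 3 if it was used, then open the channel-1 record."""
    if k3:
        pkt = _open(k3, parse_ipv4(pkt)["payload"][20:])
    return _open(k1, parse_ipv4(pkt)["payload"][20:])
```

Calling end_a_encapsulate, end_b_process and end_c_receive in sequence with three independent keys round-trips a constructed sample such as {"mode": "stream", "type": "video", "qos": "low"} and the application bytes b"GET /clip.mp4"; a flipped byte in the outer record fails the channel-2 authentication check before the inner packet is parsed. The 40-byte limit on IPv4 options is enforced in build_ipv4; an IPv6 extension header has no such limit.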
Embodiment two: information carried in the IPv6 extension header
In the second embodiment the IPv6 extension header carries the information instead of the IPv4 option field. The steps that are the same as in the IPv4 option embodiment are not repeated; the differences are as follows:
ends A, B and C use the IPv6 protocol at the network layer. On the service transmission path between end A and end C, the content exchanged between A and C is encrypted with respect to end B, so end B obtains the information intended for it from the IPv6 extension header embedded in the inner layer of the packet. The data sent from end A to end B is carried in the Next Header and extension header information fields of the inner IPv6 header. In the following figure, a first Next Header field identifies the extension header carried in the header region, a second Next Header field indicates the extension header type, and the extension header information carries what end B needs to parse, including the service transmission mode, service type, service transmission quality requirement and the like.
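The IPv6 carrier described above, as an added example that is not the patent's own code (stdlib-only Python): end A builds the inner IPv6 packet with the information for end B in a Destination Options extension header, end B walks the Next Header chain to read it (past any Hop-by-Hop, Routing or Fragment header in front of it), and, for the case where channel 3 is not established, removes the extension header again before forwarding, relinking the preceding Next Header and shrinking Payload Length. The option type 0x1E (the RFC 4727 experimental type whose top bits mean "skip if unrecognised, immutable in transit"), the key=value encoding and the addresses are assumptions; the channel-2/channel-3 record protection around the packet is left out to keep the focus on the header chain.

```python
import socket
import struct

# Assumptions (not from the patent): end B's information rides in a
# Destination Options header as option type 0x1E, the RFC 4727 experimental
# type whose top bits mean "skip if unrecognised, do not change en route".
INFO_OPT = 0x1E
NH_HOPOPT, NH_TCP, NH_ROUTING, NH_FRAG, NH_DSTOPT = 0, 6, 43, 44, 60

def ext_header(next_header: int, options: bytes) -> bytes:
    """Next Header | Hdr Ext Len | options, padded with Pad1/PadN to 8 octets."""
    pad = -(2 + len(options)) % 8
    if pad == 1:
        options += b"\x00"                                    # Pad1
    elif pad:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options

def build_ipv6(src: str, dst: str, info: dict, payload: bytes) -> bytes:
    """Inner IPv6 packet: base header -> Destination Options (info) -> TCP payload."""
    body = ";".join(f"{k}={v}" for k, v in info.items()).encode()
    dst_opts = ext_header(NH_TCP, bytes([INFO_OPT, len(body)]) + body)
    base = struct.pack(">IHBB16s16s", 0x60000000, len(dst_opts) + len(payload),
                       NH_DSTOPT, 64, socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))
    return base + dst_opts + payload

def find_info(pkt: bytes) -> tuple:
    """Walk the extension-header chain at end B. Returns (info, prev_nh_offset,
    header_offset, header_len) for the Destination Options header carrying
    INFO_OPT, or (None, ...) when the packet carries nothing for end B."""
    prev, off, nh = 6, 40, pkt[6]          # offset 6 = Next Header of the base header
    while nh in (NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_DSTOPT):
        hlen = 8 if nh == NH_FRAG else (pkt[off + 1] + 1) * 8
        if nh == NH_DSTOPT:
            i = off + 2
            while i < off + hlen:
                if pkt[i] == 0:                # Pad1 has no length byte
                    i += 1
                    continue
                kind, length = pkt[i], pkt[i + 1]
                if kind == INFO_OPT:
                    kv = pkt[i + 2:i + 2 + length].decode()
                    return dict(p.split("=", 1) for p in kv.split(";")), prev, off, hlen
                i += 2 + length
        prev, nh, off = off, pkt[off], off + hlen
    return None, prev, off, 0

def strip_info(pkt: bytes) -> bytes:
    """End B without channel 3: drop the Destination Options header, point the
    preceding Next Header at what followed it, and shrink Payload Length."""
    info, prev, off, hlen = find_info(pkt)
    if info is None:
        return pkt
    out = bytearray(pkt[:off] + pkt[off + hlen:])
    out[prev] = pkt[off]
    struct.pack_into(">H", out, 4, struct.unpack(">H", pkt[4:6])[0] - hlen)
    return bytes(out)
```

With channel 3 established the packet is forwarded as built (the extension header stays in place, as step 7 allows); without it, strip_info produces the plain base header followed directly by the TCP payload. A Hop-by-Hop header ahead of the Destination Options header is preserved and its Next Header field is rewritten to point at TCP.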
Embodiment three: 5GC encryption and decryption (UE and UPF)
Embodiment three differs from embodiments one and two in that the functions of end A, end B and end C are implemented in the UE, the UPF and the server respectively. The protocol stack optimization of ends A and C is deployed at the UE and at the server; the UPF must support a TCP proxy function and a TLS/SSL function. See fig. 10 for details; fig. 10 is a second signaling diagram of a method for transmitting secure data according to an embodiment of the present disclosure.
Through information interaction between the content provider and the network operator, the content provider's server supplies the operator's network function node with parseable basic transmission characteristics of a given service while the content itself remains encrypted in transit. The 5G network can thus distinguish specific data types and data transmission modes on top of encrypted transmission, offer users finer customized transmission optimization and assurance schemes, and improve user experience.
On the other hand, embodiments of the application also provide a terminal, which may include a processor and a memory; the processor can call a computer program in the memory to perform the steps of the secure data transmission method above, which are not repeated here.
In another aspect, embodiments of the present application further provide a computer program product comprising a computer program, which may be stored on a non-transitory computer-readable storage medium; when executed by a processor, the computer program performs the steps of the secure data transmission method provided in the foregoing embodiments, to which reference may be made; they are not repeated here.
In summary, the following technical effects can be achieved:
1. The first and third terminals optimize their protocol stacks by adding a TLS/SSL+TCP/IP protocol stack beneath the original TLS/SSL+TCP/IP stack. Based on a preset policy, for specific data (identified by browser indication information, APP ID information, IP address information and the like) the first terminal triggers the lower TLS/SSL+TCP/IP protocol stack working mechanism, producing two layers of TLS/SSL security encapsulation; where the second terminal does not need to obtain specific service information, the data bypasses the added TLS/SSL+TCP/IP protocol stack and is passed directly to layer one/layer two for processing.
2. The information that the second terminal needs to parse on behalf of the sending or receiving end is carried in header fields of the inner packet (such as the IPv4 option header field and the IPv6 extension header field).
3. The first and third terminals each establish a lower-layer TLS/SSL secure data channel with the second terminal for encapsulating the inner IP packet.
4. The second terminal processes the outer encapsulation and, according to whether a security assurance channel exists between it and the third terminal, determines whether the data the first terminal sent to the second terminal may be retained, then processes it accordingly.
The method has good market prospects: it lets operators extend security services to vertical industries and individual users, map service or application information while keeping data secure, and provide differentiated transmission services to different applications and services; applications and services that do not need differentiated transmission are transmitted directly, and the difference is not perceptible externally.
The apparatus embodiments described above are merely illustrative: units described as separate may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A secure data transmission method, comprising:
the first terminal initiates a TCP connection request to the third terminal, performs TLS/SSL connection establishment after TCP connection establishment, and generates a first security assurance channel;
when the first terminal detects that the security data sent to the third terminal needs to pass through the second terminal, triggering a TLS/SSL+TCP/IP protocol stack working mechanism based on a preset policy;
based on the TLS/SSL+TCP/IP protocol stack working mechanism, the first terminal initiates a TCP connection request to the second terminal, performs TLS/SSL connection establishment after TCP connection establishment, and generates a second security assurance channel;
the first terminal encapsulates and encrypts the security data in TLS/SSL data of the first security assurance channel, carries information sent to the second terminal in a packet of the TLS/SSL data of the first security assurance channel, and encrypts the whole through the second security assurance channel to obtain first encrypted data;
the first terminal transmits the first encrypted data to the second terminal.
2. The method according to claim 1, wherein carrying the information sent to the second terminal in the TLS/SSL data packet of the first security assurance channel comprises:
the information sent by the first terminal to the second terminal is packaged in an option field of the inner-layer IP packet header; or,
the information sent by the first terminal to the second terminal is packaged in the Next Header and extension header information fields of the inner-layer IPv6 packet header.
3. The secure data transmission method of claim 1, wherein the first terminal encapsulating and encrypting the security data in TLS/SSL data of the first security assurance channel comprises:
the first terminal processes the security data into encrypted data through TLS/SSL data of the first security assurance channel, wherein the encrypted data comprises, from left to right, an IP header, a TCP header, a TLS/SSL header and the security data.
4. The secure data transmission method of claim 1, wherein the first encrypted data comprises, from left to right, an IP header, a TCP header, a TLS/SSL header, an IP header, the information sent to the second terminal, a TCP header, a TLS/SSL header, and the security data.
5. A secure data transmission method, comprising:
the second terminal responds to the TCP connection request from the first terminal, performs TLS/SSL connection establishment after TCP connection establishment, and generates a second security assurance channel;
the second terminal initiates a TCP connection request to the third terminal, and performs TLS/SSL connection establishment after TCP connection establishment;
the second terminal receives first encrypted data sent from the first terminal, wherein the first encrypted data comprises security data to be received by the third terminal and information to be received by the second terminal;
the second terminal decrypts the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal;
the second terminal sends the security data to be received by the third terminal to the third terminal.
6. The secure data transmission method of claim 5, wherein the second terminal sending the security data to be received by the third terminal to the third terminal comprises:
the second terminal sends the data decrypted through the second security assurance channel to the third terminal; the data decrypted through the second security assurance channel comprises, from left to right, an IP header, a TCP header, a TLS/SSL header and the security data.
7. The secure data transmission method of claim 5, wherein, after the second terminal initiates the TCP connection request to the third terminal and performs TLS/SSL connection establishment after TCP connection establishment, the method further comprises:
generating a third security assurance channel between the second terminal and the third terminal;
and the second terminal sending the security data to be received by the third terminal to the third terminal comprises:
the second terminal encrypts the security data as a whole through the third security assurance channel to obtain second encrypted data;
the second terminal sends the second encrypted data to the third terminal.
8. A secure data transmission system comprising a first terminal, a second terminal and a third terminal;
the first terminal is configured to:
initiate a TCP connection request to the third terminal, perform TLS/SSL connection establishment after TCP connection establishment, and generate a first security assurance channel; when the first terminal detects that the security data sent to the third terminal needs to pass through the second terminal, trigger a TLS/SSL+TCP/IP protocol stack working mechanism based on a preset policy; based on the TLS/SSL+TCP/IP protocol stack working mechanism, initiate a TCP connection request to the second terminal, perform TLS/SSL connection establishment after TCP connection establishment, and generate a second security assurance channel; encapsulate and encrypt the security data in TLS/SSL data of the first security assurance channel, carry information sent to the second terminal in a packet of the TLS/SSL data of the first security assurance channel, and encrypt the whole through the second security assurance channel to obtain first encrypted data; transmit the first encrypted data to the second terminal;
the second terminal is configured to:
respond to the TCP connection request from the first terminal, perform TLS/SSL connection establishment after TCP connection establishment, and generate the second security assurance channel; initiate a TCP connection request to the third terminal and perform TLS/SSL connection establishment after TCP connection establishment; receive the first encrypted data sent from the first terminal, wherein the first encrypted data comprises security data to be received by the third terminal and information to be received by the second terminal; decrypt the first encrypted data through the second security assurance channel to obtain the information to be received by the second terminal; transmit the security data to be received by the third terminal to the third terminal;
the third terminal is configured to:
respond to the TCP connection request from the first terminal, perform TLS/SSL connection establishment after TCP connection establishment, and generate the first security assurance channel;
and respond to the TCP connection request from the second terminal, performing TLS/SSL connection establishment after TCP connection establishment.
9. A terminal comprising a processor and a memory storing a computer program, characterized in that the processor implements the steps of the secure data transmission method of any of claims 1 to 7 when executing the computer program.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the secure data transmission method of any of claims 1 to 7.
Application CN202211116984.0A (priority date and filing date 2022-09-14), Secure data transmission method, system, terminal and computer program product; published as CN117749855A on 2024-03-22, status pending; family ID 90276281; country status: CN.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination