RU2762157C1 - Method for isolating data packets transmitted over public networks in the tcp/ip family protocol format using a combination of masking, encryption and control methods for the received data - Google Patents

Abstract

FIELD: information protection.

SUBSTANCE: invention relates to the field of digital information transmission. A data packet isolation module is proposed, which is made with the possibility of embedding between the network adapter and the channel layer protocol module for processing data packets. The module performs the transformation of data packets, in particular, determining the connection identifier for the recipient of the processed data packet; calculation of the offset relative to the beginning of the processed data packet and the size of the source data for compression and/or encryption; creation of a copy of the source packet with its addition with data areas that ensure its further processing; initialization and filling in the structure of the accompanying data for the processed data packet. Data is transmitted from the sender to the recipient via standard network routing devices in public networks and/or in local networks, while the transmitted data contains data packets converted by means of a data packet isolation module.

EFFECT: increase in the security of data exchange in the data transmission network.

16 cl, 3 dwg, 11 tbl

Description

The technical field to which the invention relates

The invention relates to the field of digital information transmission, and more specifically to a method for isolating data packets transmitted over public networks to create a secure environment for interaction between nodes of a distributed information system. Application of the method according to the invention creates a secure environment for interaction between nodes of a distributed private information system.

State of the art

Source CN 110941862 A (POI T GUANGZHOU IND INTERNET CO LTD, published 03/31/2020) discloses a data isolation system based on a programmable logic integrated circuit (FPGA), containing an Intranet transceiver module, a data packet encryption and decryption module, a data packet signature module and storage module implemented on the FPGA side, as well as a media access control (MAC) analysis module, firewall module, first high-speed transceiver interface module, second high-speed transceiver interface module, network protocol selection module, transmission protocol module and transceiver module for external networks data transmission. The disadvantages of this known solution include the fact that it is implemented with the involvement of a large amount of hardware, as a result of which, to implement the isolation of data packets in public networks, it is necessary to supplement the standard equipment involved in data exchange with a large number of additional hardware modules, which complicates the hardware implementation. system and reduces its suitability for use when exchanging data in public networks.

The source CN 111711615 A (CHENGDU JINSUNZHIAN TECH CO LTD, published 09/25/2020) discloses a system for synchronizing information in databases and a method implemented in the computing node of the information security system. The known system comprises an external network node, an external processing unit, an isolated data transfer area, an internal processing unit, and an internal network node. An external network node transmits information to be synchronized to an external processing unit, which decomposes the received data packet using the TCP / IP protocol and repackages the data packet using the TCP / IP protocol into a data packet using a special protocol. The isolated data transfer area is serially connected to the external processing unit and the internal processing unit and transfers the data packet using a special protocol to the internal processing unit, which repackages the data packet using a special protocol into a data packet using the TCP / IP protocol, which is then forwarded to the internal network node processing the received packet to obtain database synchronization data and performing synchronization in accordance with the established synchronization strategy. The disadvantages of this known solution include the fact that the use of a special protocol unmasks secure data transmission, indicating to a potential attacker that secure data transmission is being carried out at the moment.

Disclosure of invention

This section, which discloses various aspects and options for carrying out the claimed invention, is intended to provide a brief description of the claimed subject matter and variants of its implementation. A detailed description of the technical means and methods that implement the combination of features of the claimed inventions is given below. Neither this disclosure nor the following detailed description and accompanying drawings should be construed as defining the scope of the claimed invention. The scope of legal protection of the claimed invention is determined exclusively by the attached claims.

Taking into account the above-mentioned disadvantages of the prior art, the problem solved by the proposed invention is to protect data transmitted over existing data transmission networks, with minimal modification of the hardware and / or software involved in the data exchange, so that a potential external observer will not have information that secure data transmission is being carried out, as well as with what means the transmitted data is protected.

The technical result achieved when using the claimed invention is to improve the security of data exchange in the data transmission network.

The objective of the invention is to create a method for isolating data packets that would ensure reliable secure data transmission with minimal modification of the existing data transmission network both in terms of software and / or hardware and in terms of protocols and / or rules used in data transmission.

In the first aspect of the present invention, the problem is solved by a module for isolating data packets transmitted over public networks and / or over local networks, which is built between the network adapter and the module of link layer protocols, while the module for isolating data packets is configured to process data packets transmitted from the level of network protocols to the level of network adapters and from the level of network adapters to the level of network protocols, for converting data packets, while the conversion of data packets contains:

determining the connection identifier for the recipient of the processed data packet;

calculating an offset relative to the beginning of the processed data packet and the size of the original data for compression and / or encryption;

creating a copy of the original package with the addition of data areas to ensure its further processing;

initialization and filling of the accompanying data structure for the processed data packet;

calculating a diversified key based on the key corresponding to the connection identifier and the value from the augmented data structure;

data encryption using a diversified key for each package of processed data;

encryption of part of the accompanying data structure;

calculating a checksum of all encrypted data and placing the calculated checksum in the accompanying data structure;

calculating the masked method identifier value based on the values of the method identifier and the checksum of the encrypted data, and placing the calculated masked method identifier value in the accompanying data structure;

generating an encryption key for the connection identifier based on the values of the method identifier, the masked method identifier, and the value from the data area D;

encrypting the connection identifier and placing the encrypted connection identifier value in the accompanying data structure;

calculating an offset for the accompanying data structure in the processed data packet;

recalculating the checksum of the IP header and writing the recalculated checksum in the structure of the processed data packet; and

The data packet isolation module is configured to transmit data from the sender to the recipient through standard network routing devices in public networks and / or local networks, while the transmitted data contains data packets converted by the data packet isolation module.

In a second aspect, the object of the invention is solved by a method for isolating data packets transmitted over public networks and / or over local networks, the method comprising the steps of:

receive, by means of the data packet isolation module built between the network adapter and the data link layer protocol module, data packets transmitted from the network protocol layer to the network adapter layer and from the network adapter layer to the network protocol layer;

by means of the data packet isolation module, the received data packets are converted into a format in which the data packets do not give an outside observer information about the true communication protocols between the parties to the network exchange and about the source and the receiver of data and how to influence them, while the conversion of data packets contains the steps, where:

determine the connection identifier for the recipient of the processed data packet;

calculate the offset relative to the beginning of the processed data packet and the size of the original data for compression and / or encryption;

create a copy of the original package with the addition of data areas to ensure its further processing;

initialize and fill the structure of the accompanying data for the processed data packet;

calculating a diversified key based on the key corresponding to the connection identifier and the value from the structure of the augmented data;

performing data encryption using a diversified key for each package of processed data;

encrypting a portion of the accompanying data structure;

calculating a checksum of all encrypted data and placing the calculated checksum in the accompanying data structure;

calculating the value of the masked method identifier based on the values of the method identifier and the checksum of the encrypted data, and placing the calculated value of the masked method identifier in the accompanying data structure;

generating an encryption key for the connection identifier based on the values of the method identifier, the masked method identifier and the value from the data area D;

encrypting the connection identifier and placing the encrypted connection identifier value in the accompanying data structure;

calculating an offset for the accompanying data structure in the processed data packet;

recalculating the checksum of the IP header and writing the recalculated checksum in the structure of the processed data packet; and

transmit data from the sender to the recipient through standard network routing devices in public networks and / or local networks, while the transmitted data contains data packets converted by the data packet isolation module.

It will be apparent to those skilled in the art that, in addition to the foregoing aspects of the invention, the inventive concept underlying the present invention may be embodied in other aspects of the invention.

Brief Description of Drawings

The drawings are provided in this document to facilitate understanding of the essence of the present invention. The drawings are schematic and not to scale. The drawings are for illustrative purposes only and are not intended to define the scope of the present invention.

FIG. 1 shows a schematic block diagram of a data packet isolation module according to the invention and illustrates the embedding of the module according to the invention between the network protocol layer and the network adapter.

FIG. 2 shows a flow diagram of an exemplary embodiment of a data packet isolation method according to the invention.

FIG. 3 shows a diagram of the processing of a data packet before transmitting the packet for sending in accordance with the data packet isolation method according to the invention.

Implementation of the invention

Considering the disadvantages of the known solutions discussed above, the present invention is aimed at providing a method for isolating data packets transmitted between nodes of a public data network. The proposed method for isolating data packets essentially provides a protocol that performs the task of building private and corporate computer networks with a high degree of protection against external attacks aimed both at penetrating a private or corporate network and at stealing private or corporate data transmitted over public networks ... The properties of the protocol ensure its use at minimal cost due to the imposition of a method for isolating data packets on the existing infrastructure of a private or corporate network. The proposed method is implemented by a data packet isolation module built into an existing data transmission network between a network adapter and a data link layer protocol module.

The key characteristics of the method for isolating data packets according to the invention include operations related to the addition of identifiers to the transmitted data, which makes it possible to exclude the stage of authentication of the data sender on the receiver's side and to use symmetric methods of encryption of data transmitted over information communication channels both in local networks and in general purpose networks. The inventive concept implemented by the proposed group of inventions is based on the addition of the transmitted data with two types of identifiers, which are placed according to certain rules in data blocks (packets) transmitted over data transmission networks:

1. Application identifier of the data packet isolation method according to the invention to the data packet being processed. The presence of this identifier in the received data in explicit or transformed form indicates the use of the proposed method for isolating data packets. The offset of the position of the identifier in the received data block (packet) relative to the beginning of the data is a tunable parameter for the connection in each particular embodiment of the method according to the invention.

2. Connection identifier. This identifier indicates the use of a uniquely associated encryption key for transforming data in accordance with the method according to the invention. The offset of the position of the identifier in the transmitted data block (packet) relative to the beginning of the data is a tunable parameter for the connection in each particular embodiment of the method according to the invention.

Below, specific data will be described that supplement the data packets that are converted by the proposed method for isolating data packets according to the invention, as well as specific operations with this data, including, in particular, moving data as part of a packet, encrypting all or part of the data using the appropriate algorithm and / or encryption key, checksum calculation, etc. It should be understood that the described actions do not relate only to mathematical methods, rules of intellectual activity, presentation of information, etc. as such, but represent, in a certain sense, operations performed on a material object (in particular, a signal) by material means (in particular, by computing means of one or more computers, processors, integrated circuits, etc.) to obtain a technical result that consists in increasing the security of data exchange in the data transmission network, as indicated above.

The module for isolating data packets transmitted over public networks and / or over local networks, according to the invention, is built between the network adapter and the module of the link layer protocols. The data packet isolation module according to the invention may comprise at least a unit for processing information requests and control commands, a unit for processing received packets and a unit for processing sent packets. The data packet isolation module interacts with the interface of the network adapter with the TCP / IP protocol stack module, on the one hand, and with the TCP / IP protocol stack module, on the other hand. It should be noted that embodiments of the data packet isolation module according to the invention may be various combinations of hardware and software components, and the scope of the invention is not limited to any particular combination of hardware and / or software components implementing a data packet isolation module implementing a data packet isolation method according to the invention. Specific combinations of material and technical means implementing the module and / or method of isolating data packets according to the invention will be obvious to those skilled in the art. It should be noted, however, that in general the following conditions exist for the implementation of the invention.

The method for isolating data packets according to the invention is carried out under conditions of data exchange between network nodes over a communication network (data transmission network). Accordingly, its implementation requires appropriate computing and communication equipment, specific examples of which are themselves well known to those skilled in the art, and which should have the following components:

- a processor or programmable logic integrated circuit for implementing the algorithm for converting the processed data packets;

- read-only memory for storing data;

- random access memory to accommodate data involved in the transformation of processed data packets;

- a network adapter that allows the data packet isolation module to interact with other devices on the network;

- data buses connecting the components listed above.

In addition, the method according to the invention is implemented under the conditions of an operating system that controls one or more computers performing the functions of nodes participating in data exchange. The method according to the invention can be implemented under conditions of essentially any operating system known to those skilled in the art. As a non-limiting example, the possibility of embedding a module that implements the method for isolating data packets according to the invention is provided by operating systems (OS) of the Windows family from 98SE to 10, as well as MacOS, Linux.

A data packet isolation module implementing the data packet isolation method in accordance with the invention may be embedded between a network adapter and a data link protocol module (TCP / IP family protocols, as a non-limiting example), referred to in the context of this document as a data link protocol module. ... Embedding in the context of the claimed invention should be understood as follows: the data packet isolation module is embedded according to the invention into the processing chain of all network packets sent from the network protocol layer to the network adapter layer and received from the network adapter layer and sent to the network protocol layer. In addition, the data packet isolation module is configured to intercept and modify (modify) control commands and requests sent to the network adapter layer.

The method according to the invention makes it possible to transmit information to the protocol modules (for example, the protocol module of the data link layer) about the reduction of the maximum data packet size for the implementation of the described method, which implies a decrease in the payload of the packet by a certain amount. Reducing the maximum size of the data packet according to the proposed method is necessary, in particular, to make it possible to supplement the processed data packets with an accompanying data structure, as will be described in detail below.

The method according to the invention makes it possible to mask and / or disable the capabilities of the network adapter that impede the implementation of the method for isolating data packets according to the invention.

In accordance with the invention, the party (network node) receiving the established connections has a permanent IP address, or there is a routing node with such an IP address that will deliver a packet of processed data to the said network node by performing a network translation of the packet recipient address (NAT). The party (network node) initiating the connection establishment has information about the IP address of the party that receives the connections being established or, having information about the domain name of the party (network node) that receives the connections being established, it can obtain the IP address from the public or private network domain service names.

To implement the method according to the invention, the network node participating in the implementation of the method has computing power for performing mathematical calculations that provide data compression, data encryption, and calculation of cryptographic checksums. In addition, the network node is provided with the possibility of placing in its random-access memory the data necessary for the implementation of the method according to the invention by the data packet isolation module, as will be described in more detail below.

The general parameters of network nodes of a distributed information system, which are necessary for the implementation of the method according to the invention, include the following parameters.

1. The identifier of the feature of application to the transmitted packet of the method according to the invention (hereinafter IdTech). Based on the received common identifier for each sent data packet, a masked identifier (hereinafter IdTech _M ) is calculated by irreversible transformation of the IdTech identifier values and the cryptographic checksum (i.e., hash sum) of the encrypted data of the transmitted packet.

2. The size of the accompanying data structure used in the method according to the invention (hereinafter TechHdrLen).

3. The size and position of the individual elements of the accompanying data structure.

4. List of IP protocols and their parameters (for TCP / UDP - port ranges) that can mask real protocols.

5. The selected variant of placing the structure of the accompanying data used in the method according to the invention in the transmitted packet.

In the latter case, the structure of the accompanying data can be placed in the transmitted packet, as a non-limiting example, either after the header of the masking protocol, or at the end of the packet. In addition, in the method according to the invention, a variable displacement of the structure of the accompanying data in the transmitted packet is also possible. As a non-limiting example, the variable offset of the accompanying data structure can be calculated for each transmitted packet based on the following criteria:

- the size of the currently transmitted packet;

- the size of the packet header;

- the size of the selected masking protocol.

In order for the network node receiving the transmitted packet to reproduce the computation of the structure offset of the accompanying data for a given packet to be transmitted, the structure offset of the accompanying data must be calculated at the network node transmitting the packet after the compression and encryption of the data is performed.

After the data compression and encryption operations, as well as the addition of the accompanying data structure to the packet, a new value for the packet length is calculated. For this, the following formula is used:

IpLen = IpLenOriginal - CompressDecBytes + EncryptIncBytes + TechHdrLen + ProtSubstLen,

where IpLen is the packet length in bytes after compression, encryption and increase by an amount equal to the sum of the sizes of the accompanying data structure and the masking header; IpLenOriginal is the initial length of the data packet in bytes obtained from the packet header before it is processed by the method according to the invention; CompressDecBytes - the number of bytes by which the size of the initial data packet is reduced as a result of compressing the packet data; EncryptIncBytes - the number of bytes by which the size of the processed data packet is increased as a result of encryption if it is necessary to supplement the packet data to an integer number of blocks; TechHdrLen - the length of the accompanying data structure added to the processed data packet according to the proposed method; and ProtSubstLen is the length of the header of the selected masking protocol in bytes.

The function for calculating the offset of the accompanying data structure relative to the beginning of the data packet being processed has four parameters:

TechHdrOffset = f _offset (IpLen, IpHdrLen, ProtSubstHdrLen, TechHdrLen, kOffset),

where TechHdrOffset is the offset of the accompanying data structure in bytes relative to the beginning of the processed data packet (as a non-limiting example, an IP packet); IpLen - the length of the processed data packet in bytes after compression, encryption and increase by an amount equal to the size of the accompanying data structure; IpHdrLen - the length of the processed data packet header in bytes, obtained from the packet header; ProtSubstHdrLen - length of the header of the selected emulation protocol in bytes; TechHdrLen - Length of the accompanying data structure (constant).

Then the data offset relative to the beginning of the processed data packet IpDataOffset = IpHdrLen + ProtSubstHdrLen, and the data size IpDataLen = IpLen- (IpHdrLen + ProtSubstHdrLen + TechHdrLen).

TechHdrOffset = IpDataOffset + IpDataLen-IpDataLen / kOffset,

where kOffset is an offset coefficient, which is a positive integer (can also be referred to in the context of this application as the offset coefficient of the structure of the padded data).

If k = 1, then the structure of the accompanying data is placed at the beginning of the processed data packet, after the header of the masking protocol. If kOffset> IpDataLen, then the accompanying data structure is placed at the end of the processed data packet. If it is necessary that the structure of accompanying data always be placed at the end of the processed data packet, kOffset must be greater than the maximum length of the processed data packet minus the minimum possible header sizes (65535 - (20 + 8 + TechHdrLen)). Before moving the data in the processed data packet to a new location based on the calculated offset factor, the processed data must be copied to a temporary buffer. After saving the processed data in a temporary buffer, the data of the processed data packet is transferred from the place where the processed data must be placed to the place freed from them. After transferring the processed data, the accompanying data structure is copied to a new location based on the calculated offset from the beginning of the processed data packet.

One of the key aspects of the method for isolating data packets according to the invention is the addition of data packets processed by the claimed method and transmitted over a data network with an accompanying data structure. This implies the addition of the packets processed according to the method, transmitted over the data transmission network, with data allowing the receiving party to check the integrity of the received data and to perform inverse transformations: identifying the application of the data packet isolation method according to the invention to the packet, identifying the sender of the data packet, decrypting and unpacking the data, converting the received data packet to its original state. To ensure these transformations, each package is supplemented with the following data included in the accompanying data structure:

- diversification data D used to calculate the data encryption key of the processed data packet. During initialization, it is filled with a value, the method of obtaining which will be described in more detail below;

- masked identifier of the feature of the application of the data isolation method according to the invention of IdTech _M. The calculation of the value of the masked identifier of the mentioned feature is carried out according to the formula, which should provide an irreversible transformation: IdTech _M = f _M (IdTech, PacketDataHash);

- connection identifier encrypted by the auxiliary algorithm IdCon _Enc .

An encryption key for obtaining said encrypted identifier is created on the basis of the identifier of the application feature of the method according to the invention IdTech, the masked identifier of the application feature of the method according to the invention IdTech _M and the diversification data D. The value of the encrypted connection identifier is calculated according to the following formula:

IdCon _Enc = ENC (IdCon, KEY (IdTech _M , IdTech, D)).

The initial value of the connection ID is calculated using the following formula:

IdCon = DEC (IdCon _Enc , KEY (IdTech _M , IdTech, D));

- a cryptographic checksum of the encrypted data of the packet processed by the data packet isolation method according to the invention, PacketDataHash. The cryptographic checksum value is calculated using the following formula:

PacketDataHash = HASH (IpDataEnc, IpLengthOrigin-IpHdrLen-CompressDecBytes + EncryptIncBytes).

In addition, according to one or more embodiments of the invention, encrypted values of the following elements of the accompanying data structure may be further included in the calculation of the cryptographic checksum of the PacketDataHash:

- the number of bytes added when encrypting the data of the packet of processed data EncryptIncBytes;

- the original size in bytes of the processed data packet obtained from the header of the original processed data packet before starting its transformation by the method according to the invention;

- the original type of the IP-protocol, obtained from the header of the packet of the processed data before starting the transformation of the packet by the method according to the invention; and

- identifier of the applied data compression method before encryption. If the identifier is "0", no data compression has been applied.

The structure of the accompanying data of the processed data packet in the method according to the invention is illustrated in Table 1 below. The right column of Table 1 shows whether the data is encrypted on the diversified connection key, as will be explained in more detail below.

Table 1. Structure of accompanying data of the package

Name Description Is the data encrypted? D Data used to diversify the original join key Not IdTech _M Conversion method masked identifier Not IdCon _Enc Encrypted connection identifier Not PacketDataHash Cryptographic checksum of encrypted packet data Not EncryptIncBytes The number of bytes added when encrypting data. Padding area size Yes IpLengthOrigin The original size in bytes of the IP packet taken from the header of the IP packet prior to conversion Yes IpProtocolOrigin The original type of the IP protocol, stripped from the header of the IP packet prior to conversion Yes IdCompress The identifier of the compression method used before encryption Yes

Before the packet is transmitted, the area including the elements of the accompanying data area described in 5-8 lines of Table 1 is encrypted using a connection key diversified for this particular packet of processed data. In this regard, it is necessary that the total size in bytes of this part of the accompanying data structure can be processed by the basic encryption algorithm without padding.

In accordance with one or more embodiments of the method according to the invention, processing data packets includes the following steps, illustrated in FIG. 2.

In step S1, a connection identifier is determined for the recipient of the data packet. This operation is performed for the client, partner and server nodes. The result of performing this operation is to retrieve from its own database, which will be described below, the identifier of the flag of the application to the data packet of the data packet isolation method according to the invention, as well as the connection identifier. If the recipient of the data packet is not identified, further processing of the data packet in accordance with the proposed method is not performed, and the packet can be transmitted as is (without isolation processing) or discarded, depending on the settings. The sequence for determining the connection identifier for the recipient of the data packet is as follows:

a) looking for the value of the connection identifier in the dynamic list of partners (TL) of its own database based on the IP address of the recipient of the packet. If the value of the connection identifier is found, the "partner" role is assigned to its node in the context of processing this packet;

b) the search for the value of the connection identifier in the dynamic server list (SL) of its own database based on the IP address of the recipient of the packet. If the value of the connection identifier is found, the "client" role is assigned to its node in the context of processing this package;

c) if there are no entries in the client table of its own database, the data packet can be transferred to the superior protocol or discarded, depending on the settings;

d) the search for the value of the connection identifier in the dynamic list of clients (CL) of its own database based on the IP address of the recipient (real or assigned). If the connection identifier is found, the "server" role is assigned to its node in the context of processing this package and the transition to point 2 below is carried out;

e) if the lookup in the client table of its own database was not successful, the packet can be transferred to the superior protocol or discarded, depending on the settings.

In step S2, in the case of fragmented data packet sending, complete assembly (defragmentation) of the entire data packet to be sent is performed.

In step S3, an offset is calculated from the start of the data packet being processed and the size of the original data for compression and / or encryption.

At step S4, a copy of the original packet is created with the addition of data areas to ensure its further processing. After the copy is created, the package contains four areas:

- packet area containing the original IP-header of the packet, 20 bytes or more. The size of the IP header depends on the version of the IP protocol and the protocol options used;

- The area of the packet following the IP header of the packet is left free of packet data. The size of the area is determined by the selected masking protocol and is 8 bytes for UDP and 20 bytes for TCP;

- package area for placing the structure of the accompanying data;

- the packet area containing the original packet data, equal to the size of the original IP packet minus the size of the IP header. In the case of using a constant block size encryption algorithm, this area is padded to a multiple of the encryption block size.

At step S5, the initial formation (initialization) of the accompanying data structure is carried out with the filling of the following structure elements:

- the area of data used to calculate the diversified key;

- identifier of the feature of this method;

- packet recipient identifier (connection identifier);

- field of the checksum of the encrypted packet data;

- the field of the initial size in bytes of the IP packet (Value from the IP header);

- field of the original type of the IP-protocol (Value from the IP-header);

- field of the used data compression type.

In step S6, if a data compression method is selected, the data is compressed. After the data is compressed, the number of bytes by which the data size has been reduced is calculated, and this value is written to the accompanying data structure.

In step S7, the padding size is calculated to support the encryption task, and the calculated value is written to the accompanying data structure. Padded bytes are initiated with a pseudo-random value.

In step S8, the diversified key is computed based on the key corresponding to the connection identifier and the value from the augmented data structure used to calculate the diversified key.

In step S9, the data is encrypted using the diversified key for each packet of data being processed.

In step S10, a part of the accompanying data structure is encrypted, except for the structure elements containing the diversification data, the method identifier, the connection identifier, and the checksum area of the encrypted data.

In step S11, a checksum of all encrypted data is calculated and placed in the accompanying data structure.

In step S12, the computation of the masked method identifier value according to the invention is performed based on the method identifier and the checksum values of the encrypted data. The computed value of the masked method identifier is placed in the accompanying data structure.

In step S13, an encryption key for the connection identifier is generated based on the values of the method identifier, the masked method identifier, and the value from data area D.

In step S14, the connection identifier is encrypted and the encrypted connection identifier value is placed in the accompanying data structure.

In step S15, a new UDP or TCP header is generated with a new checksum calculated for the selected protocol.

In step S16, an offset is calculated according to the method settings for the accompanying data structure in the processed data packet. If the current position of the accompanying data structure in the processed data packet does not correspond to the required one (kOffset is not equal to 1), the data of the accompanying data structure is transferred to the data area in accordance with the calculated offset. The data previously located in the considered area is transferred to the place that was previously occupied by the structure of the accompanying data.

In step S17, the packet is fragmented if it has been fully assembled (defragmented).

In step S18, the IP header checksum is recalculated, which is written in the structure of the processing data packet, after which one or more processed data packets are sent to the network adapter.

The native database used in the method according to the invention consists of static tables, dynamic tables and linked lists, which together provide information support for the method for isolating data packets according to the invention. The static tables are stored in the permanent memory of the data packet isolation module according to the invention. When the data packet isolation module is loaded according to the invention, the data from the static tables is transferred to the RAM of the data packet isolation module.

Table 2 below illustrates an example of parameters used in the method according to the invention, stored in a static table in its own database.

Table 2. Static parameter table

Name Description Data size AllowNotIp Enables or disables sending / receiving packets that do not belong to the TCP / IP protocol family (packets without an IP header, except for ARP and RARP) without conversion 2 bits AllowUnicastIP Allows or denies sending / receiving unidirectional packets belonging to the TCP / IP protocol family and having a specific IP address of the packet recipient, without conversion 2 bits AllowMulticastIp Allows or denies sending / receiving packets belonging to the TCP / IP protocol family and having a multicast address corresponding to a group of network nodes as the IP address of the packet recipient, without conversion 2 bits AllowBroadcastIP Allows or denies sending / receiving packets belonging to the TCP / IP protocol family and having a broadcast address corresponding to all network nodes of the subnet as the IP address of the packet recipient, without conversion 2 bits IpProtocolSubst Selected masking protocol 1 byte PortSubst Selected masking port 2 bytes TimerFunctionPeriod Periodic timer function call interval (in seconds) 2 bytes kOffset Coefficient of displacement of the structure of augmented data in a packet 2 bytes

Table 3 below illustrates an example of a peer node table in a peer subnet in accordance with the invention.

Table 3. Partner table

Name Description Data size IDcon Connection ID 4 or more bytes IP Partner IP address or partner subnets 4 bytes IPmask Significant bit mask, starting with the most significant, for the IP value (1-32). If set to a value outside the range of 1-32, then it is considered to be 32 6 bit Password or Key Password or original connection key Arbitrary or depends on the algorithm Description Connection name Arbitrary

Table 4 below illustrates an example of a server node table in a server subnet in accordance with the invention.

Table 4. Server table

Name Description Data size IDcon Connection ID 4 or more bytes IP Server IP address or server subnet 4 bytes IPmask Significant bit mask, starting with the most significant, for the IP value (1-32). If set to a value outside the range of 1-32, then it is considered to be 32 6 bit Password or Key Password or original connection key Arbitrary or depends on the algorithm Description Connection name Arbitrary

Table 5 below illustrates an example of a client node table in a client subnet in accordance with the invention.

Table 5. Customer table

Name Table Column Description Data size IDcon Connection ID 4 or more bytes IP Client IP address, may not be set (0.0.0.0) 4 bytes IPmask Significant bit mask, starting with the most significant, for the IP value (1-32). If set to a value outside the range of 1-32, then it is considered to be 32 6 bit Password or Key Password or original connection key Arbitrary or algorithm dependent Description Connection name Arbitrary

Dynamic data is generated during the loading, configuration and operation of the data packet isolation module according to the invention.

The IP Protocol Layer (PL) connection parameter list contains entries for each active connection. Records are added when connections are created (when a packet is received or sent with the values specified in the table record, except for the values of the receive and send times of the last packet) and are deleted when the connection inactivity timeout expires. The following is the list item (PLI) structure illustrated in Table 6.

Table 6. Parameters of IP protocol layer connections

Name Description Pointer2NextItem Pointer to next block of connection parameters LocalIpAddr Local host IP RemoteIpAddr Remote host IP address IpProtocolSubst A masking protocol that replaces the original in the IP header of the packet used for this connection LocalPortSubst Masking protocol local host port RemotePortSubst Masking protocol remote computer port IpProtocolOrigin The original protocol of this connection, which is in the IP header of the packet being sent before it is converted by this method LocalPortOrigin Source protocol local host port RemotePortOrigin Source protocol remote computer port LastSystemTimeReceive The time at which the last packet was received LastSystemTimeSend The time at which the last packet was sent

Linked lists of partners, clients and servers are generated by loading data from static tables stored in the read-only memory (ROM) of the packet isolation module according to the invention into the random access memory (RAM) of the module according to the invention. The linked lists of partners, clients and servers can be modified during the operation of the data packet isolation module according to the invention.

Table 7 below illustrates the parameters that define the structure of the TLIs.

Table 7. Parameters of the partner list element

Name Description Pointer2NextItem Pointer to the next item in the list ID Partner ID Ipaddress Partner IP address (partner subnet) IPmask Partner subnet IP mask 1stRecvSysTime System time of reception of the first packet LastRecvSysTime System time of the last packet received Pointer2ConnectionsList Pointer to the linked list of connections for the specified partner ID Password Password for this partner (partner subnet). Based on the password, the initial encryption key is generated Key Pointer to the memory area that contains the encryption key for this partner (partner subnet). The key can be generated if it is necessary to convert a packet when sending or receiving and deleted if there is no interaction with this partner (partner subnet)

Table 8 below shows the structure of the Server List Item (SLI) (SLI).

Table 8. Parameters of the server list element structure (SLI)

Name Description Pointer2NextItem Pointer to the next item in the list ID Partner ID Ipaddress Server IP address (server subnet) IPmask Server subnet IP mask 1stRecvSysTime System time of reception of the first packet LstRecvSysTime System time of the last packet received Pointer2ConnectionsList Pointer to the linked list of connections for the given server ID Password Password for this server (server subnet). Based on the password, the initial encryption key is generated Key Pointer to the memory area that contains the encryption key for this server (server subnet). The key can be created when it is necessary to transform a packet when sending or receiving and deleted if there is no interaction with this server (server subnet)

Table 9 below shows the structure of the client (CLI) list item (CLI).

Table 9. Parameters of the structure of the client list item (CLI)

Name Description Pointer2NextItem Pointer to the next item in the list ID Client ID Ipaddress Client IP-address, real or assigned to it for identification during sending CurrentIPaddress The current IP address of the client node from which packets come to the server node and to which the server sends packets 1stRecvSysTime System time of reception of the first packet LstRecvSysTime System time of the last packet received Pointer2ConnectionsList Pointer to the linked list of connections for the given client ID Password Password for this client (client subnet). An initial encryption key is generated based on the password. Key Pointer to the memory area where the encryption key for this client (client subnet) is located. The key can be generated if it is necessary to transform a packet when sending or receiving and deleted if there is no interaction with this server (server subnet)

Table 10 below illustrates the associated packet fragment accumulation lists. Two isolated linked lists are used: for defragmenting packets on receiving and on sending.

Table 10. Parameters of the element of the list of accumulation of packet fragments

Name Description SystemTime The time at which the last fragment of the packet was processed Counter Counter of processed fragments BytesWritten Number of Packet Data Bytes Stored BytesNeeded Expected number of bytes of packet data IpHeader IP packet header IpDataSize Storage buffer size IpData IP packet data buffer

The following explains the encryption algorithm used in the method for isolating data packets according to the invention. It should be understood that the invention is not limited to the details of the characteristics of the encryption algorithm, and instead of the algorithm described by way of example, another similar or equivalent algorithm may be employed as will be apparent to those skilled in the art.

In the method for isolating data packets according to the invention, there are two purposes of applying cryptographic transformation algorithms:

a) the main encryption algorithm for packet data on a diversified connection key;

b) an auxiliary encryption algorithm for the value of the connection identifier in the area of supplemented data of the packet on the key generated using the identifier of the application feature of the method for isolating data packets according to the invention, the masked identifier of the feature of the application of the method according to the invention and the value from the accompanying data area of the packet D.

The general characteristics of the algorithms are as follows:

a) symmetric algorithm, i.e. when encrypting and decrypting data, the same cryptographic key is used;

b) block algorithm - the data is divided into parts (blocks) of the size determined by the algorithm and cryptographic transformations are performed with each part;

c) an algorithm with the ability to quickly diversify (modify) the key when encrypting and decrypting each new data packet. Each packet and connection identifier uses its own encryption key obtained by transforming the original key. The transformation must be reproducible on the receiving side of the packet.

The main encryption algorithm must additionally have one of the following properties:

1) carry out cryptographic data transformation in terms of a constant block size. In this case, the data area is encrypted in blocks of equal size, determined by the selected algorithm. If the size of the last piece of data is less than the block size, it is padded to the block size. The maximum padding size is equal to the block size reduced by 1. Therefore, it is advisable to use an algorithm with a block size of no more than 8 bytes. During decryption, the data area is decrypted in blocks, and then, if the last section was supplemented with a certain number of bytes, the size of the data area is reduced by this value,

2) to carry out cryptographic data transformation, operating with a variable block size, which allows operations with a data packet ranging in size from 20 to 65535 bytes without increasing the size of the encrypted data relative to the size of the original data or with a slight increase up to 8 bytes.

The following required characteristics are defined for the auxiliary encryption algorithm. There is a fast algorithm for creating a diversified key based on the values of the identifier of the method application indicator, the masked identifier of the method application indicator and the data used to diversify the key. The block size of the algorithm applied is constant and is always equal to or multiples of the byte size specified for the encrypted connection identifier.

To increase the strength of the cryptographic protection of the transmitted information, each transmitted block of information (packet) must be encrypted with a unique key. For this, the method of diversifying the original key is used. In accordance with the invention, the encryption algorithms used provide a variety of encryption keys using the following principle:

K _d = f _d (K, D), where

K _d is a diversified key for transmitting a packet between two nodes, K is the original key of the connection between two nodes, D is the data used to obtain a diversified key K _d ; f _d (…) - pseudo-random diversification function.

As the data used to obtain the diversified key, in accordance with the invention, it is proposed to use a pseudo-random value, the value of the current time, their combination or a checksum of values. The main task of the applied method of diversification of the original key is to ensure reliable variability of data D.

Next, we will consider the processing of packet data, isolated by the method according to the proposed invention, when receiving and transmitting data, respectively. To begin with, the procedure for processing data during transmission will be described.

When transmitting data packets processed by the method according to the invention, the following sequential steps are performed.

First, the connection identifier for the recipient of the data packet is determined. This operation is performed for the client, partner and server nodes. The result of performing this operation is to retrieve from the own database the identifier of the application to the transmitted packet of the method according to the invention and the identifier of the connection. If the recipient of the packet is not identified, further processing of the transmitted packet is not performed (that is, depending on the settings, the packet can be sent as is or discarded). The sequence of determining the connection identifier and the identifier of the application feature to the transmitted packet of the method according to the invention is as follows.

First, the IP address of the packet recipient is searched for the connection identifier value in the dynamic partner list (TL) of its own database. If the connection identifier is found, the "partner" role is assigned to its node in the context of processing this packet, and the transition to a complete assembly (defragmentation) of the entire sent data packet is performed in the event of a fragmented send.

Next, the IP address of the packet recipient is searched for the connection identifier value in the dynamic server list (SL) of its own database. If the connection identifier is found, the "client" role is assigned to its node in the context of processing this packet, after which, again, if necessary, a transition is made to complete assembly (defragmentation) of the entire sent data packet in case of fragmented sending.

If there are no entries in the client table of its own database, the processed data packet may be transferred to the higher-level protocol or discarded, depending on the settings.

Next, a search is performed by the recipient's IP address (real or assigned) for the connection identifier value in the dynamic client list (CL) of its own database. If the connection identifier is found, the "server" role is assigned to its node in the context of processing this packet, after which, again, if necessary, a transition is made to complete assembly (defragmentation) of the entire sent data packet in case of fragmented sending. If a lookup in the client table of its own database does not return a corresponding entry in the database, the packet may be passed to the higher protocol or discarded, depending on the configuration.

Then, in the case of fragmented sending, if necessary, a complete assembly (defragmentation) of the entire sent data packet is performed. After that, the offset relative to the beginning of the packet and the size of the original data for compression and (or) encryption are calculated. A copy of the original package is created with the addition of data areas to ensure its further processing. After the copy is created, the package contains four areas:

a) the packet area containing the original IP-header of the packet, 20 bytes or more. The size of the IP header depends on the version of the IP protocol and the protocol options used;

b) the area of the packet following the IP header of the packet is left free of packet data. The size of the area is determined by the selected masking protocol and is 8 bytes for UDP and 20 bytes for TCP;

c) the package area for placing the structure of the accompanying data;

d) the packet area containing the original data of the packet and having a size equal to the size of the original IP packet minus the size of the IP header. If a constant block size encryption algorithm is used, this area is padded to a multiple of the encryption block size.

Next, the primary formation (initialization) of the accompanying data structure is carried out with the filling of the following structure elements:

a) initialization of the data area used to calculate the diversified key;

b) recording the identifier of the feature of application to the transmitted packet of the method according to the invention;

c) record of the packet recipient's identifier (connection identifier);

d) initialization of the checksum field of the encrypted data of the packet;

e) record of the initial size in bytes of the IP packet (value from the IP header);

f) record of the original type of the IP-protocol (value from the IP-header);

g) a record of the type of data compression used.

Further, if the compression method is selected, the data of the processed packet is compressed, after which the number of bytes by which the size of the data of the processed packet has been reduced is calculated, and this value is written to the accompanying data structure. The padding size is then calculated to support the encryption task, and the calculated value is written to the accompanying data structure. In this case, padded bytes are initiated with a pseudo-random value.

The diversified encryption key is calculated based on the key corresponding to the connection identifier and the value from the accompanying data structure used to calculate the diversified key. Then the data of the processed packet is encrypted using a diversified key. In addition, a part of the accompanying data structure is encrypted, with the exception of the structure elements containing diversification data, an identifier of an application of the method according to the invention, a connection identifier and an area for the checksum of the encrypted data.

A checksum is calculated for all encrypted data and placed in the accompanying data structure. In addition, the value of the masked identifier of the application feature of the method according to the invention is calculated based on the values of the identifier of the application feature of the method according to the invention and the encrypted data checksum calculated above. The computed value of the masked identifier of the application feature of the method according to the invention is placed in the accompanying data structure of the packet being processed.

An encryption key is then generated for the connection identifier based on the values of the identifier of the application feature of the method according to the invention, the masked identifier of the application feature of the method according to the invention, and the value from data area D.

Next, the connection identifier is encrypted. The encrypted connection identifier value is placed in the accompanying data structure. Then a new UDP or TCP header is formed with the calculation of a new checksum for the selected protocol. In addition, for the structure of the accompanying data in the processed data packet, an offset is calculated according to the specific settings of the method according to the invention for the given case of data transmission. If the current position of the structure in the packet does not correspond to the required one (kOffset is not equal to 1), the data of the accompanying data structure is transferred to the data area in accordance with the calculated offset. The data that was in this area earlier is transferred to the place that was previously occupied by the structure of the accompanying data.

Then, if a complete assembly (defragmentation) of the processed data packet was previously performed, its fragmentation is performed. The checksum of the IP header is recalculated and written. Finally, the data packet (s) to be processed (s) in accordance with the method according to the invention are sent for sending to the network adapter.

When receiving data, the data is processed in the reverse order, namely, the following sequence of operations is performed.

First, the type and identifier of the connection through which the processed data packet was received is determined. For this, the following operations are performed. The IP address of the sender is searched for the connection ID value in the partner table of its own database. If the connection identifier is found, the "partner" role is assigned to its node in the context of processing this packet of processed data and the transition is made to receive the entire received packet of processed data.

The IP address of the sender is searched for the connection ID value in the server table of its own database. If the connection identifier is found, the "client" role is assigned to its node in the context of processing this packet and, again, the transition is made to receive the entire received packet of processed data.

If there are no entries in the client table of its own database, the packet can be forwarded to the superior protocol or dropped, depending on the settings.

Next, the "server" role is assigned to its node in the context of processing the received packet of processed data. For this, the entire received data packet is obtained, the location of the accompanying data structure in the received packet is determined according to the given parameters, the masked identifier of the application of the method according to the invention and the checksum of the encrypted data are extracted from the accompanying data structure.

The expected value of the masked feature identifier of the application feature of the method according to the invention is obtained on the basis of the predetermined feature identifier of the application feature of the method according to the invention and the checksum of the encrypted data. The computed value of the masked feature identifier of the application of the method according to the invention is compared with the value extracted from the received data packet. If the mentioned values do not match, no further processing of the packet is performed (the packet can be forwarded to the superior protocol or discarded, depending on the specific settings).

Next, an encryption key for the connection identifier is generated on the basis of the values of the identifier of the application feature of the method according to the invention, the masked identifier of the application feature of the method according to the invention, and the diversification data.

An encrypted connection identifier is extracted from the accompanying data structure, which is decrypted after extraction. In the case of the "client" and "partner" roles, the received connection identifier is compared with the one found in the table by the IP address. If there is a mismatch, the packet is dropped.

Next, a search is carried out in its own database for the encryption key used for the previously defined connection identifier. If there is no entry for the connection identifier, further processing and reception of the packet is not performed (the packet must be discarded).

If necessary (if kOffset is not equal to 1), an operation is performed that is the opposite of the one described above in the context of transmitting processed data packets, namely, copying data with a size equal to the size of the accompanying data structure from the beginning of the packet data to the place occupied by the accompanying data structure. The structure of the accompanying data is copied to the beginning of the data area of the package. Next, a checksum of all encrypted data is calculated, and the calculated checksum is compared with the checksum extracted from the accompanying data structure. If the values of the compared checksums do not match, the packet is discarded.

The diversified key is then computed based on the key corresponding to the connection identifier and the value from the accompanying data structure used to compute the diversified key. Part of the structure of the accompanying data, with the exception of the elements of the structure of the accompanying data, containing the identifier of the application of the method according to the invention, the connection identifier and the area for the checksum of the encrypted data on the diversified connection key, is decrypted. The data is decrypted using a diversified connection key.

The size of the data after decryption is determined as follows:

IpDataLen = IpLen-ProtSubstHdrLen + TechHdrLen + EncryptIncBytes

If you need to unpack the data of the processed data packet, the required buffer size is determined in accordance with the following expression:

CompressDecBytes = IpLenOrigin + ProtSubstHdrLen + TechHdrLen + EncryptIncBytes-IpLength

After determining the required buffer size, if the data of the processed packet has been compressed, the data is unpacked. Before unpacking, it is necessary to increase the size of the packet buffer by the amount:

IpDataIncLen = CompressDecBytes- EncryptIncBytes.

Further, the IP-header of the packet is edited to restore the field of the original packet length with the value IpLengthOrigin and the field of the protocol with the value IpProtocolOrigin from the structure of the accompanying data of the data packet being processed. Further, the area of the structure of the accompanying data and the area of the header of the masking protocol are removed from the packet. The TCP / UDP and IP checksums are recalculated and written. After that, the processed data packet (s) is transmitted (transmitted) for reception to the network protocol module of the receiving node of the packet (s).

In accordance with the method according to the invention, the following requirements are imposed on the calculation of checksums. The algorithm for calculating the cryptographic checksum should provide a low probability of collisions (the same values for different data sets), cryptographic strength and data integrity control.

As noted above, in order to increase the safety and security of data exchange using the method according to the invention, a feature of applying the data packet isolation method according to the invention to the data packet is included in the processed data packet. To make it difficult for a potential external observer to identify a packet transformed by the data packet isolation method in accordance with the invention by a potential external observer (the conditional party that intercepts the packets), it is necessary to avoid transmitting a sequence of bytes repeated in each packet. To this end, the method according to the invention uses the method of masking that part of the transmitted information that cannot be encrypted, namely the above-mentioned identifier of the feature of applying the method of isolating data packets according to the invention to a packet. Masking is implemented according to the following principle:

IdTech _M = f _M (IdTech, PacketDataHash), where

IdTech _M is the computed value of the masked identifier of the transformation method, f _M (...) is the masking function, IdTech is the initial value of the identifier of the feature of application to the package of the method according to the invention, PacketDataHash is the cryptographic checksum (hash) of the encrypted data.

The party sending the processed data packet, based on the specified IdTech and the PacketDataHash value calculated after data encryption, calculates the IdTech _M value, places it and PacketDataHash in the accompanying data structure of the data packet being processed and sends it to the recipient. The receiving party of the processed packet extracts the PacketDataHash checksum from the accompanying data structure, calculates the IdTech _M value and compares the received value with the value placed by the sender in the accompanying data structure. If the obtained values match, it means that a packet has been received that has been transformed by the data packet isolation method according to the invention. If the obtained values do not coincide, this means that a normal packet is received that has not been processed by the method according to the invention, or data corruption has occurred during transmission over communication channels.

In accordance with the invention, in the structure of the data packet being processed, a spare area for complementing the original data to a size equal to the minimum size of the encrypted data block is provided. During initialization, the padding area of the initial data is filled with a random value. The required number of bytes from the spare area is added to the data area of the packet to be encrypted. If the size of the encrypted data is equal to the size of the data before encryption, there is no spare area.

The following will describe the procedures used to identify the received packets by the parties to the network exchange in accordance with the method according to the invention.

In order for the initiating party (client node or partner node) to initiate a network interaction using the data packet isolation method in accordance with the invention, it must know the IP address of the receiving party. In this case, the server node or partner node must have a permanent (static or dynamic with redundancy) IP address, known to the client node, by which identification occurs. The client node may not have a permanent or known IP address. A server node does not need to "know" its IP address to identify a client. If a server or partner node has a local IP address and is published on the wide area network (WAN) by routing network equipment using a network address translation (NAT) method, the other side of the network communication (client node or other partner node, respectively), only the global IP address on which they are published should be known. Table 11 below shows possible variants of IP addresses for different roles of a network node in the framework of the method according to the invention.

Table 11. Types of IP addresses for different roles of a network host

Role of the network node IP address type Local (LAN) Global (WAN) Static Dynamic redundant Dynamic without redundancy Static Customer Yes Yes Yes Yes Server Yes Yes Not Yes Partner Yes Yes Not Yes

The identification of packets by the server node is based on assigning a conditional IP address to the client of the connection when it receives the first packet from it. Assignment consists in changing the source IP address of the packet to the assigned conditional address. Sending packets to the client until this moment (until the packet is received from the client and identified) is not possible. The assignment of a conditional address to a client can be done both in advance and from a pool of addresses reserved for these purposes from the internal database of the data packet isolation module, which implements the data packet isolation method according to the invention. Each identified client must have a unique IP address. In addition, you need to be able to reverse the mapping of the destination address from a conditional IP address to a real IP address when sending a packet to a client.

The identification of the packets by the server upon receipt is performed by extracting from the accompanying data structure of the data packet processed by the data packet isolation method according to the invention, the connection identifier ID. The found connection identifier ID is used to search for the corresponding list item in the linked list of clients. After identifying the client, the data packet isolation module implementing the method according to the invention in the server node updates the connection block (CLI) and generates a connection parameter block (PLI) for the linked list of connection parameters (PL) as follows:

a) Before converting the packet to its original state (including decrypting data and restoring the IP header) in the connection block corresponding to the found identifier, the value of the current value of the client's IP address CurrentIPaddress and the time when the last LastRecvSysTime packet was received is updated or obtained for the first time. In the absence of a cryptographic connection key, a cryptographic connection key is generated,

b) Before converting the packet to its original state (including decryption, unpacking and restoring the IP header), the values of the IP masking protocol in IpProtocolSubst and the port pair (source in RemotePortSubst and receiver in LocalPortSubst) are saved in the generated block of connection parameters, if the protocol is masking protocol TCP or UDP was used,

c) The masked protocol area is removed from the packet,

d) Part of the accompanying structure of the package is deciphered,

e) The packet data is decrypted. The size of the decrypted area is determined by the formula:

BytesForDecrypt = IpLen-IpHdrLen-ProtSubstHdrLen-TechHdrLen,

f) If compression was used during transmission of the data packet being processed, the packet data is decompressed. The size of the data to be unpacked is determined by the formula:

BytesForDecompress = BytesForDecrypt-EncryptIncBytes,

g) In the generated block of connection parameters, the values of the IP source in RemoteIpAddr, the IP destination in LocalIpAddr, the real IP protocol in IpProtocolOrigin, and pairs of ports (source in RemotePortOrigin and destination in LocalPortOrigin) are stored if this protocol is TCP or UDP,

h) Editing of the IP-header is performed, which includes the following operations:

- the original value of the IP packet length in the IP header is restored. The initial value of the packet length is determined by the value of IpLengthOrigin, which is located in the accompanying data structure of the data packet being processed;

- replacing the source IP address with the conditional IP address IPaddress from the CLI connection block, assigned in advance or assigned from the pool to the client, as described above. The client's real IP address remains in the connection parameter block as RemoteIpAddr;

- if the protocol on the basis of which the network interaction is carried out is the TCP or UDP protocol, the source port is replaced with the source port of the masking protocol RemotePortSubst from the connection parameters block. The original source port remains in the connection parameter block as RemotePortOrigin,

i) A search is made through the list of blocks of connection parameters PL of the PLI block with data equivalent to the data of the newly formed block, except for the data on the time of receiving and sending. If the block is not found, the list of parameter blocks is supplemented with the newly formed block. Then the last receive time field in the LastSystemTimeReceive block is updated from the LastRecvSysTime field of the CLI connection block.

j) The packet is sent to receive the protocol part of the system.

Packets are identified by the server when they are sent to the client based on the conditional IP address assigned to the client. This searches for a match of the recipient's IP address with the conditional IP address IPaddress of the CLI connection block in the entire list of CLI connection blocks. If the search did not return any results, no further processing is performed. The packet can be dropped or sent for sending, depending on the settings. In addition, for the found CL connection block, the connection parameter block is searched for in the PL block list. A block is considered to belong to a given connection if all of the following conditions are met:

- IP-protocol in the packet header is equal to the IP-protocol IpProtocolOrigin in the block of connection parameters;

- source port in the packet header is equal to LocalPortOrigin in the block of connection parameters;

- the receiver port in the packet header is equal to RemotePortSubst in the connection parameters block.

Next, the value of the LastSystemTimeSend field in the found block is updated with the connection parameter with the current time value. The IP packet header is edited, namely: in the IP header, the receiver's IP address is replaced with the RemoteIpAddr value from the found block of connection parameters. If the IP protocol used in the implementation of the method for isolating data packets according to the invention is a TCP or UDP protocol, the protocol header is also edited, namely: the receiver port is replaced with the RemotePortOrigin value from the found block of connection parameters. Next, a block of accompanying data is generated. Then the data is compressed, if it is provided by the settings of the implemented method. Data encryption is in progress. The IP header of the packet is edited by the following operations:

- The receiver's IP address is replaced by the CurrentIpAddress value from the CLI connection block;

- The IP protocol is replaced by the IpProtocolSubst value from the connection parameter block.

Directly following the IP header of the packet, a protocol header is generated according to the IpProtocolSubst value, 8 or 20 bytes in size. To do this, the receiver port is replaced with the RemotePortSubst value from the connection parameter block. The source port is replaced with the LocalPortSubst value from the connection parameter block. The checksum for the IpProtocolSubst protocol is also calculated and written to the protocol header. The IP checksum is recalculated and written to the IP header. Thereafter, the processed data packet is sent for sending in accordance with the data packet isolation method according to the invention.

The identification of packets by the client node consists in determining the identifier of the connection to the server for the given data packet being processed. Identification of packets upon receipt is based on the search by the IP address of the sender of the packet in the IP header in the linked list of servers (SL) of the connection unit (SLI) with the desired value of the IP address in the IPaddress field. After identifying the connection to the server, the data packet isolation module implementing the method according to the invention on the client side updates the connection block (SLI) and generates the connection parameter block (PLI).

Before converting the packet to its original state (decrypting the data and restoring the IP header) in the connection block corresponding to the found identifier, the value of the time of receiving the last LstRecvSysTime packet is updated. In the absence of a cryptographic connection key, a cryptographic connection key is generated.

Before converting the packet to its original state (decrypting data and restoring the IP header) in the generated block of connection parameters, the values of the IP masking protocol in IpProtocolSubst and port pairs (source in RemotePortSubst and receiver in LocalPortSubst) are saved if TCP was used as the masking protocol, or UDP.

The structure of the accompanying data is decrypted on the diversified connection key. After returning the transferred data from the area of the accompanying data structure to the IP header, decrypting and unpacking the packet data in the generated block of connection parameters, the values of the IP source in RemoteIpAddr, the IP receiver in LocalIpAddr, the real IP protocol in IpProtocolOrigin and port pairs (source in RemotePortOrigin and destination to LocalPortOrigin) if this protocol is TCP or UDP.

A search is made through the list of blocks of connection parameters PL of the PLI block with data equivalent to the data of the newly formed block, except for the data on the time of receiving and sending the processed data packet. If the block is not found, the packet is discarded. connection initiator can only be the client and the block must be formed when sending the first processed data packet to this server. The last receive time field in the LastSystemTimeReceive block is updated from the LastRecvSysTime field in the CLI connection block. After that, the processed data packet is transmitted for reception.

The identification of packets when sending is based on the search by the IP address of the recipient of the packet, which is in the IP header. To do this, the entire list of SLI connection blocks is searched for a match between the destination IP address and the IP address of the connection block (SLI). If the search does not return any results, no further processing of the package is performed. The packet can be dropped or sent for sending, depending on the settings. Then the block of connection parameters is searched for in the list of PL blocks for the found connection block CL. A block is considered to belong to a given connection if all of the following conditions are met:

a) the IP-protocol in the packet header is equal to the IP-protocol IpProtocolOrigin in the block of connection parameters;

b) if the IP protocol is TCP or UDP, the following condition is checked: the source port in the header of the processed data packet is equal to LocalPortOrigin in the block of connection parameters;

c) if the IP protocol is a TCP or UDP protocol, the following condition is checked: the receiver port in the packet header is equal to RemotePortOrigin in the connection parameters block;

d) if the block of connection parameters related to this connection is not found, then such a block is created and added to the list of blocks of connection parameters for this connection. For the newly created block, the following parameters are initialized:

- masking protocol IpProtocolSubst with the current value from the internal base of the module;

- receiver port RemotePortSubst with the current value from the internal base of the module;

- the source port LocalPortSubst is assigned from the pool of valid dynamic ports in the internal database of the data packet isolation module in accordance with the invention.

Further, the value of the LastSystemTimeSend field in the found or created block of connection parameters is updated with the current time value. The data packet being processed is supplemented with an accompanying data area. The accompanying data area is initialized. Further, if necessary, if it is provided by the method settings, the packet data is compressed. The packet data and the accompanying data area are encrypted.

Then the IP header of the packet is edited: the IP protocol is replaced with the IpProtocolSubst value from the connection parameters block.

In the piece of data following the IP header, a protocol header is generated that matches the IpProtocolSubst value. The receiver port is replaced by the RemotePortSubst value from the connection parameter block. The source port is replaced with the LocalPortSubst value from the connection parameter block. The checksum for the IpProtocolSubst protocol is calculated and written into the protocol header. Next, the IP checksum is recalculated and written into the IP header, after which the packet of processed data is sent for sending.

The identification of packets by the partner node occurs on the basis of a search, by the IP address of the recipient of the packet when sending a packet of processed data and by the IP address of the sender when receiving a packet of processed data, the connection identifier in the internal database to obtain information that allows processing the packet of processed data by according to the invention.

Identification of packets upon receipt is based on the search by the IP address of the sender of the packet in the IP header in the linked list of partners (TL) of the connection unit (TLI) with the desired value of the IP address in the IPaddress field. After identifying the connection to the server, the method module updates the connection block (TLI) and generates the connection parameter block (PLI).

Before converting the packet to its original state (decrypting data and restoring the IP header) in the connection block corresponding to the found connection identifier, the value of the current value of the client's IP address CurrentIPaddress and the time of receiving the last LastRecvSysTime packet are updated. In the absence of a cryptographic connection key, a cryptographic connection key is generated.

Before converting the processed data packet to its original state (decrypting the data and restoring the IP header), the values of the IP masking protocol in IpProtocolSubst and the port pair (source in RemotePortSubst and receiver in LocalPortSubst) are stored in the generated block of connection parameters if the protocol was used as the masking protocol TCP or UDP.

Next, a part of the accompanying data structure, encrypted by the sender on the diversified connection key, is decrypted. After returning the transferred data from the area of the accompanying data structure to the IP header, decrypting and unpacking the packet data in the generated block of connection parameters, the values of the IP source in RemoteIpAddr, the IP receiver in LocalIpAddr, the real IP protocol in IpProtocolOrigin and port pairs (source in RemotePortOrigin and destination in LocalPortOrigin) if the protocol being used is TCP or UDP.

A search is made through the list of blocks of connection parameters PL of the PLI block with data equivalent to the data of the newly formed block, except for the data on the time of receiving and sending. If the block is not found, the packet is discarded. only the client can initiate the connection, and the block must be formed when the first packet is sent to this server. The Last Receive Time field in the LastSystemTimeReceive block is updated from the LastRecvSysTime field in the CLI connection block. After that, the packet is sent to receive.

When sending packets, identification of packets is carried out based on the search by the IP address of the recipient of the packet, which is in the IP header. It does this by first looking for a match between the destination IP address and the IP address of the connection block (TLI) in the entire list of TL connection blocks. If the search did not return any results, no further processing is performed. The packet can be dropped or sent for sending, depending on the settings.

Then, the connection parameter block is searched for in the PL block list for the found TLI connection block. A block is considered to belong to a given connection if all of the following conditions are met:

- IP-protocol in the packet header is equal to the IP-protocol IpProtocolOrigin in the block of connection parameters;

- if the IP protocol is TCP or UDP, the condition is checked:

a) the source port in the packet header is equal to LocalPortOrigin in the block of connection parameters;

b) the port of the receiver in the packet header is equal to RemotePortOrigin in the block of connection parameters.

If a connection parameter block related to this connection is not found, then such a block is created and added to the list of connection parameter blocks for this connection. For the newly created block, the following parameters are initialized:

1) protocol of masking IpProtocolSubst with the current value from the internal base of the module;

2) the port of the receiver RemotePortSubst with the current value from the internal base of the module;

3) the source port LocalPortSubst is assigned from the pool of values of valid dynamic ports in the internal base of the module.

Next, the value of the LastSystemTimeSend field in the found or created block is updated with the connection parameter with the current time value. The package is complemented by an accompanying data area. The accompanying data area is initialized as described above. The packet data following the IP header is then compressed, if provided.

Next, the packet data following the IP header is encrypted. Part of the data in the accompanying data area of the packet is encrypted.

Editing the IP header of the packet: the IP protocol is replaced by the IpProtocolSubst value from the connection parameters block. In the piece of data following the IP header, a protocol header is generated that matches the IpProtocolSubst value. The receiver port is replaced by the RemotePortSubst value from the connection parameter block. The source port is replaced with the LocalPortSubst value from the connection parameter block. The checksum for the IpProtocolSubst protocol is calculated and written to the protocol header. Then the IP checksum is recalculated and written into the IP header, after which the packet is sent for sending.

It should be noted that an important feature of the method for isolating data packets according to the invention is that this method involves changing the parameters of the masking protocol in the course of network interaction. This makes it even more difficult for an outside observer to determine whether the network exchange parties are using the data packet isolation method according to the invention. Based on the given common data, the client or partner node can pseudo-randomly change the destination port of the masking protocol, as well as the masking protocol itself.

In addition, when implementing the method for isolating data packets according to the invention, periodic operations are performed related to the need to clear the dynamic lists of the internal database from unused list items. The time of connection inactivity, after which information about it can be deleted, is set as a parameter in the internal database. The frequency of the cleaning function is also set as a parameter in the internal database. The frequency with which the cleanup function is called must be related to the value of the connection inactivity time after which the dynamic connection data is deleted.

The processing of requests from the layer of network protocols to the layer of network adapters in accordance with the method according to the invention is as follows.

The main request to be processed is a request for the maximum packet size that can be sent through the network adapter. The data received in response to this request must be edited before it reaches the initiator of the request. The value of the maximum packet size should be reduced by the sum of three values: the size of the accompanying data structure, the maximum possible size of the data padding during encryption, and the size of the masking protocol header. In accordance with the invention, there are several types of requests for the maximum size: the maximum size of the packet, including the header of the link layer and without it.

The method for isolating data packets according to the invention provides for freeing the data packet isolation module from calculating IP, TCP and UDP checksums in outgoing packets, if the network adapter has the capability of such calculations.

The application of the data packet isolation method carried out by the data packet isolation module according to the invention provides at least the following technical effects that increase the security of data exchange:

- concealment of real data about the true protocols of interaction between nodes (parties) of network data exchange and about all parameters that allow an outside observer to make a conclusion about the source and receiver of data and how to influence them;

- protection against scanning of ports of servers connecting to the network by computer criminals with further destructive purposes;

- increased resistance to DoS and DDoS attacks;

- checking the integrity of the original data by the receiving party by calculating and storing the cryptographic checksum of the encrypted data by the sending party;

- confidentiality of data transmitted to the link layer protocols by transforming them using symmetric block encryption algorithms;

- isolation of network nodes using the method of isolating data packets according to the invention from ordinary network nodes;

- compression of the original data;

- data transmission from the sender to the recipient through standard network routing devices and in public networks and local networks;

- creation of two types of connection between transceiver devices in the network:

a) connection of the "Client-Server" type, providing a connection initiated by the client; and

b) a connection of the "Server-Server" type ("Partner-Partner"), providing a connection initiated by any of the parties.

In addition, the above-described method for isolating data packets according to the invention, implemented by the data packet isolation module, is characterized by the following properties:

1) scalability: the method provides the ability to build an isolated environment for network interaction both in a local system and in a system interacting through a global network (distributed system);

2) opacity: there is no possibility of collecting data by external observers analyzing intercepted network packets about real protocols of interaction between nodes and system segments;

3) stealth: it is not possible to collect data about a network node configured to work in isolation mode using any port scanning method;

4) security: packets transmitted over the network, processed by the method according to the invention, do not have unencrypted parts of real data;

5) reliability: the integrity of the received data is checked using a cryptographic checksum;

6) manageability: on the basis of this method, it is possible to deploy a secure system of administration and management of network nodes in the network;

7) flexibility: using the method according to the invention, it is possible to process both unidirectional packets (addressed to one computer) and broadcast (addressed to computers located in the same subnet) and multicast (addressed to computers united in a group according to the principle of working with a certain common program or service );

8) adaptability: the implementation of the method according to the invention for specific purposes can have a number of distinctive features, including algorithms for encryption, data compression, calculation of cryptographic checksums and others, as described in detail above;

9) universality (multipurpose): not being a VPN method, the method according to the invention adds its properties to any VPN; not being a firewall, the method (module) according to the invention effectively solves the main problems of intrusion protection; while not being a means of remote control, the method (module) according to the invention makes it possible to use securely most of these means;

10) multi-platform (cross-platform): analysis of the architecture of network subsystems in various operating systems suggests that it is possible to create implementations of the method according to the invention for most of them; both hardware and software implementation of the method according to the invention is possible, the scope of the invention is not limited to a specific combination of software and hardware, as described above, and can be implemented by means of any suitable combinations of hardware and software, as will be obvious to specialists in the art based on the information provided in the present description of the invention.

Specialists in the art will understand that the above described and shown in the drawings are only some of the possible examples of techniques and material and technical means, which can be implemented in the embodiments of the present invention. The foregoing detailed description of embodiments of the invention is not intended to limit or define the scope of the present invention.

Other embodiments that may fall within the scope of the present invention may be contemplated by those skilled in the art upon carefully reading the above description with reference to the accompanying drawings, and all such obvious modifications, changes and / or equivalent substitutions are considered to be within the scope of the present invention. All prior art sources cited and discussed herein are hereby incorporated into this description by reference as applicable.

While the present invention has been described and illustrated with reference to various embodiments, it will be understood by those skilled in the art that various changes may be made in its form and specific details without departing from the scope of the present invention, which is defined only the following claims and their equivalents.

Claims (64)

1. The module for isolating data packets transmitted over public networks and / or over local networks, characterized in that the module for isolating data packets is built-in between the network adapter and the module of the link layer protocols, At the same time, the data packet isolation module is configured to process data packets transmitted from the network protocol layer to the network adapter layer and from the network adapter layer to the network protocol layer to convert data packets, while the transformation of data packets contains: determining the identifier of the sign of the application of isolation of data packets for the recipient of the data packet; determining the connection identifier for the recipient of the processed data packet; determining the location of the connection identifier in the data packet by calculating an offset from the beginning of the data packet and the size of the original data for compression and / or encryption; creating a copy of the original package with the addition of data areas to ensure its further processing; initialization and filling of the accompanying data structure for the processed data packet; calculating a diversified key based on the key corresponding to the connection identifier and the value from the augmented data structure; data encryption using a diversified key for each package of processed data; encryption of part of the accompanying data structure; calculating a checksum of all encrypted data and placing the calculated checksum in the accompanying data structure; calculating the masked identifier value of the data packet isolation application flag based on the values of the data packet isolation application flag identifier and the encrypted data checksum, and placing the computed value of the masked data packet isolation application flag identifier in the accompanying data structure; generating an encryption key for the connection identifier based on the values of the identifier of the sign of using isolation of data packets, the masked identifier of the sign of using the isolation of data packets, and values from the data area; encrypting the connection identifier and placing the encrypted connection identifier value in the accompanying data structure; determination of the location of the structure of accompanying data in the package of processed data; recalculating the checksum of the IP header and writing the recalculated checksum in the structure of the processed data packet; and The data packet isolation module is configured to transmit data from the sender to the receiver through standard network routing devices in public networks and / or local networks, while the transmitted data contains data packets converted by the data packet isolation module. 2. The module according to claim 1, characterized in that the structure of the accompanying data contains: - the area of data used to calculate the diversified key; - identifier of the sign of the application of isolation of data packets; - packet recipient identifier (connection identifier); - field of the checksum of the encrypted packet data; - the field of the initial size in bytes of the IP packet (Value from the IP header); - field of the original type of the IP-protocol (Value from the IP-header); - field of the used data compression type. 3. The module according to claim 1, characterized in that the data packet isolation module further comprises a block for processing information requests and control commands, configured to intercept and modify control commands and information requests sent to the network adapters level. 4. The module according to claim 1, characterized in that the module is configured to transmit information about reducing the maximum packet size to the network protocols layer to reduce the payload of the packet. 5. The module according to claim 1, characterized in that the module is configured to mask and / or disable the capabilities of at least one network adapter from the level of network adapters. 6. The module of claim 1, wherein the module is configured to create embedding instances for each network adapter at the network adapter level. 7. The module according to claim 1, additionally containing a block for processing sent packets and a block for processing received packets, while: the outgoing packet processing unit is configured to create copies of the original data packets and then convert the data packets to isolate the data packets; the received packet processing unit is configured to directly transform the original data packets. 8. The module according to claim 1, characterized in that the data packet isolation module is configured to isolate network nodes transmitting and / or receiving processed data packets from other network nodes. 9. A method for isolating data packets transmitted over public networks and / or over local networks, and the method contains the stages at which: receive, by means of the data packet isolation module built between the network adapter and the link layer protocol module, data packets transmitted from the network protocol layer to the network adapter layer and from the network adapter layer to the network protocol layer; by means of the data packet isolation module, the received data packets are converted into a format in which the data packets do not give an outside observer information about the true communication protocols between the parties to the network exchange and about the source and the receiver of data and how to influence them, while converting the data packets contains the steps, where: determine the connection identifier for the recipient of the processed data packet; calculate the offset and size of the data processed by compression and / or encryption relative to the beginning of the complete data packet; create a copy of the original package with the addition of data areas to ensure its further processing; initialize and fill the structure of the accompanying data for the processed data packet; calculating a diversified key based on the key corresponding to the connection identifier and the value from the structure of the augmented data; performing data encryption using a diversified key for each package of processed data; encrypting a portion of the accompanying data structure; calculating a checksum of all encrypted data and placing the calculated checksum in the accompanying data structure; calculating the value of the masked identifier of the data packet isolation application flag based on the values of the identifier of the data packet isolation application flag and the encrypted data checksum, and placing the calculated value of the masked data packet isolation application flag identifier in the accompanying data structure; generating an encryption key for the connection identifier based on the values of the identifier of the sign of using data packet isolation, the masked identifier of the sign of using the isolation of data packets and the values from the data area; encrypting the connection identifier and placing the encrypted connection identifier value in the accompanying data structure; determining the location for embedding the structure of the accompanying data in the packet of the processed data by calculating an offset from the beginning of the processed data; recalculating the checksum of the IP header and writing the recalculated checksum in the structure of the processed data packet; and transmit data from the sender to the recipient through standard network routing devices in public networks and / or local networks, while the transmitted data contains data packets converted by the data packet isolation module. 10. The method of claim 9, wherein the accompanying data structure comprises: - the area of data used to calculate the diversified key; - identifier of the sign of the application of isolation of data packets; - packet recipient identifier (connection identifier); - field of the checksum of the encrypted packet data; - the field of the initial size in bytes of the IP packet (Value from the IP header); - field of the original type of the IP-protocol (Value from the IP-header); - field of the used data compression type. 11. The method of claim 9, further comprising the step of intercepting and modifying control commands and requests directed to the network adapter layer. 12. The method according to claim 9, further comprising the step of transmitting to the network protocols layer information about reducing the maximum packet size to reduce the payload of the packet. 13. The method according to claim 9, further comprising the step of masking and / or disabling the capabilities of at least one network adapter from the level of network adapters. 14. The method of claim 9, further comprising the step of making copies of the original data packets before converting the data packets to isolate the data packets. 15. The method according to claim 9, further comprising the step of isolating, by means of the data packet isolation module, the network nodes transmitting and / or receiving the processed data packets from other network nodes. 16. The method according to claim 9, further comprising the step of verifying the checksum of the data containing the data packets converted by the data packet isolation module sent by the party sending the processed data packets.

Images