WO2012126432A2 - Method, device and system for data transmission - Google Patents

Method, device and system for data transmission

Info

Publication number
WO2012126432A2
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
decryption
security domain
key
security
Prior art date
Application number
PCT/CN2012/076069
Other languages
English (en)
French (fr)
Other versions
WO2012126432A3 (zh)
Inventor
卢胜文
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to CN2012800004853A (CN102907040A)
Priority to PCT/CN2012/076069 (WO2012126432A2)
Publication of WO2012126432A2
Publication of WO2012126432A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Definitions

  • the present invention relates to the field of communications and, more particularly, to a method, apparatus and system for data transmission.
  • Background
  • End-to-end data encryption helps prevent information from being compromised. For example, when two networks are connected through an untrusted network, link encryption can be enabled on the ingress network devices of the two networks to ensure that data is encrypted while it passes through the untrusted network; likewise, when a client accesses a server, data encryption can be performed on the client and the server to ensure that the data is not eavesdropped while the client communicates with the server.
  • Embodiments of the present invention provide a data transmission method, device, and system, which can ensure data transmission security and reduce key negotiation pressure.
  • a data transmission method including: determining, according to a list of encryption and decryption devices in a security domain and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for communication in the security domain, where the encryption and decryption algorithm and key for communication in the security domain are used for data transmission between the encryption and decryption devices in the security domain; and sending encryption and decryption information to each encryption and decryption device in the security domain, the encryption and decryption information including the encryption and decryption algorithm and key for communication within the security domain and being used by each encryption and decryption device to encrypt or decrypt, according to the encryption and decryption information, the data transmitted between it and the other encryption and decryption devices in the security domain.
  • a method for data transmission comprising: receiving encryption and decryption information sent by a security management device, where the encryption and decryption information includes an encryption and decryption algorithm and a key for data transmission between encryption and decryption devices in a security domain, the encryption and decryption algorithm and the key being determined by the security management device according to the list of encryption and decryption devices in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device; and encrypting or decrypting, according to the encryption and decryption information, the data transmitted between the receiving device and the other encryption and decryption devices in the security domain.
  • a security management device including: a determining unit, configured to determine an encryption and decryption algorithm and a key for communication in a security domain according to a list of encryption and decryption devices in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device, where the encryption and decryption algorithm and key for communication in the security domain are used for data transmission between the encryption and decryption devices in the security domain; and a sending unit, configured to send encryption and decryption information to each encryption and decryption device in the security domain, where the encryption and decryption information includes the encryption and decryption algorithm and key for communication in the security domain determined by the determining unit, so that each encryption and decryption device in the security domain encrypts or decrypts, according to the encryption and decryption information, the data transmitted between it and the other encryption and decryption devices in the security domain.
  • an encryption and decryption device including: a receiving unit, configured to receive encryption and decryption information sent by a security management device, where the encryption and decryption information includes an encryption and decryption algorithm and a key for data transmission with the other encryption and decryption devices in the security domain that includes the encryption and decryption device, the encryption and decryption algorithm and the key being determined by the security management device according to the list of encryption and decryption devices in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device; and means for encrypting or decrypting, according to the encryption and decryption information received by the receiving unit, the data transmitted between the encryption and decryption device and the other encryption and decryption devices in the security domain.
  • a system for data transmission comprising: a security management device and at least two encryption and decryption devices, wherein the security management device is configured to determine, according to the list of encryption and decryption devices in a security domain that includes the encryption and decryption devices and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for communication in the security domain, the encryption and decryption algorithm and key for communication in the security domain being used for encryption and decryption within the security domain; and each encryption and decryption device is configured to receive encryption and decryption information from the security management device, the encryption and decryption information including the encryption and decryption algorithm and key for data transmission with the other encryption and decryption devices in the security domain, and to encrypt or decrypt, according to the encryption and decryption information, the data transmitted between it and the other encryption and decryption devices in the security domain.
  • the data transmission method, device and system of the embodiments determine, through a security management device, an encryption and decryption algorithm and a key for data transmission in a security domain, so that the algorithms and keys for data transmission in the security domain are negotiated and managed centrally, which reduces the burden of key negotiation and management.
  • FIG. 1 shows a flow chart of a method of data transmission in accordance with an embodiment of the present invention.
  • FIG. 2 shows a flow chart of a method of data transmission in accordance with another embodiment of the present invention.
  • FIG. 3 shows a flow chart of a method of data transmission in accordance with another embodiment of the present invention.
  • FIG. 4 is a block diagram showing the structure of a security management device according to an embodiment of the present invention.
  • FIG. 5 is a block diagram showing the structure of a security management device according to another embodiment of the present invention.
  • FIG. 6 is a block diagram showing the structure of a security management device according to another embodiment of the present invention.
  • FIG. 7 is a block diagram showing the structure of an encryption/decryption apparatus according to an embodiment of the present invention.
  • FIG. 8 is a block diagram showing the structure of an encryption/decryption apparatus according to another embodiment of the present invention.
  • FIG. 9 is a block diagram showing the structure of a system for data transmission according to an embodiment of the present invention.
  • Detailed description
  • GSM Global System of Mobile communication
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • GPRS General Packet Radio Service
  • LTE Long Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • FIG. 1 is a flow chart of a method 100 of data transmission in accordance with an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:
  • S110: Determine an encryption and decryption algorithm and a key for communication in the security domain according to the list of encryption and decryption devices in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device; the encryption and decryption algorithm and key for communication in the security domain are used for data transmission between the encryption and decryption devices in the security domain.
  • S120: Send encryption and decryption information to each encryption and decryption device in the security domain, where the encryption and decryption information includes the encryption and decryption algorithm and key for communication in the security domain and is used by each encryption and decryption device to encrypt or decrypt, according to the encryption and decryption information, the data transmitted between it and the other encryption and decryption devices in the security domain.
  • a security domain refers to a set of networks, systems or devices in which every device trusts the others, communication between the devices is secure and trusted, and the devices are usually managed by the same security management device, for example a Virtual Private Network (VPN).
  • the encryption and decryption devices of a security domain are the devices that perform the encryption and decryption operations for the devices in the domain, for example multiple computers in the same VPN (with the encryption and decryption performed by the computer itself), or the network cards configured in the computers used for data communication within a company (with the encryption and decryption performed by the network card), and the like.
  • the security management device may determine, according to the list of encryption and decryption devices included in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for encrypting and decrypting the data transmitted between the encryption and decryption devices in the security domain, and may send encryption and decryption information including that algorithm and key to each encryption and decryption device in the security domain, so that each encryption and decryption device encrypts or decrypts the data it exchanges with the other encryption and decryption devices in the security domain using that algorithm and key.
  • because the encryption and decryption algorithm and key used for communication in the security domain are determined by the security management device, the keys can be negotiated securely while the security of data transmission is ensured.
  • the encryption and decryption device in the embodiment of the present invention may be a computer device or a network card;
  • the network card is a specific communication interface device that can connect a computer, a workstation, a server, etc. to a network, or can be a network adapter (network adapter) or the like that implements similar functions.
  • when the encryption/decryption device is a network card, the data is encrypted and decrypted by the network card, which avoids the heavy load that encrypting and decrypting the data on the computer device would place on its CPU.
  • the security management device may obtain the encryption and decryption algorithm supported by each encryption and decryption device in the security domain by receiving the supported algorithms sent by each encryption and decryption device in the security domain; for example, each encryption and decryption device holds a list of the encryption and decryption algorithms it supports and sends that information to the security management device.
  • alternatively, the encryption and decryption algorithm supported by each encryption and decryption device in the security domain may be configured directly on the security management device, which thereby obtains the encryption and decryption algorithm supported by each encryption and decryption device.
  • the security management device may configure the encryption and decryption device list of the security domain. One way is to configure the list directly, indicating which encryption and decryption devices a security domain includes, where each encryption and decryption device is identified by its Internet Protocol (IP) address, Media Access Control (MAC) address, device identifier or the like, as shown in Table 1.
  • another way is to pre-set conditions on the encryption and decryption devices included in the security domain, such as an IP address range or a virtual local area network (VLAN), and then configure the encryption and decryption device list of the security domain according to those conditions; for example, security domain group 1 is given the condition that the IP address is in the range 10.1.80.*, and every encryption/decryption device in the network whose IP address meets that condition is placed in the encryption/decryption device list.
  • according to the encryption and decryption device list of the security domain and the encryption and decryption algorithm supported by each encryption and decryption device, the security management device selects the same encryption and decryption algorithm and key for communication in the security domain for every encryption and decryption device in the domain, and the selected encryption and decryption algorithm is one supported by all encryption and decryption devices in the security domain.
  • when several common encryption and decryption algorithms meet the selection requirements, the security management device may choose one at random or by a specified priority; which algorithm is used for encryption can be determined by a policy configured in the security management device.
  • the key is generally chosen as a random number, or generated from a random number.
  • because the encryption and decryption algorithm and key used for communication in the security domain are determined by the security management device, which uniformly selects the same algorithm and key for all encryption and decryption devices in the security domain, the security of data transmission between the encryption and decryption devices in the security domain is ensured, while the burden of key negotiation is reduced by negotiating and managing the algorithms and keys for data transmission in the security domain centrally.
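The selection steps S110 and S120 described above, modelled as an added example (this code is not part of the patent or of any Huawei product); the device identifiers, algorithm names, key sizes and the priority policy are constructed sample data:

```python
# Added example, not part of the patent: a toy model of steps S110 and S120.
# Algorithm names, device identifiers and the priority policy are constructed
# sample data; the key size per algorithm name is an assumption.
import secrets
from dataclasses import dataclass, field

# Assumed key length (bytes) per constructed algorithm name.
KEY_LEN = {"AES-256-GCM": 32, "AES-128-GCM": 16, "CHACHA20-POLY1305": 32}


@dataclass
class EncDecDevice:
    """An encryption/decryption device as seen by the security management device."""
    device_id: str
    ip: str
    supported: list                   # algorithms the device reported (or that were configured)
    enc_info: dict = field(default_factory=dict)   # filled in by S120

    def receive(self, enc_info):
        self.enc_info = enc_info


def common_algorithms(devices):
    """S110, part 1: the algorithms supported by every device in the domain."""
    common = None
    for dev in devices:
        common = set(dev.supported) if common is None else common & set(dev.supported)
    return common or set()


def select_algorithm(common, priority=None):
    """S110, part 2: apply the configured policy (a priority list) or pick at random."""
    if not common:
        raise ValueError("no encryption algorithm is supported by all devices in the domain")
    if priority:
        for alg in priority:
            if alg in common:
                return alg
    return secrets.choice(sorted(common))   # random choice when no policy applies


def generate_key(algorithm):
    """S110, part 3: the key is a fresh random number of the size the algorithm needs."""
    return secrets.token_bytes(KEY_LEN[algorithm])


def negotiate_domain(devices, priority=None):
    alg = select_algorithm(common_algorithms(devices), priority)
    return alg, generate_key(alg)


def distribute(devices, algorithm, key):
    """S120: every device gets the algorithm, the key and the identifiers of its peers."""
    for dev in devices:
        peers = [d.ip for d in devices if d is not dev]
        dev.receive({"algorithm": algorithm, "key": key, "peers": peers})
    return [d.enc_info for d in devices]


def demo():
    domain = [
        EncDecDevice("dev1", "10.1.80.11", ["AES-256-GCM", "AES-128-GCM"]),
        EncDecDevice("dev2", "10.1.80.12", ["AES-128-GCM", "CHACHA20-POLY1305"]),
        EncDecDevice("dev3", "10.1.80.13", ["CHACHA20-POLY1305", "AES-128-GCM", "AES-256-GCM"]),
    ]
    policy = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]  # most preferred first
    alg, key = negotiate_domain(domain, policy)
    distribute(domain, alg, key)
    return domain


if __name__ == "__main__":
    for d in demo():
        print(d.device_id, d.enc_info["algorithm"], d.enc_info["key"].hex(), d.enc_info["peers"])
```

With the sample lists only AES-128-GCM is common to all three devices, so the policy's first preference is skipped and every device ends up holding the same 16-byte key.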
  • a data transmission permission can also be configured for the encryption and decryption devices in the security domain, that is, whether a device may communicate with devices outside the security domain. Specifically, the data transmission permission of each encryption and decryption device in the security domain is configured in the security management device, and may be set to allow data transmission with devices outside the security domain, as shown in Table 2.
  • after the security management device has allocated the same encryption and decryption algorithm and key to every encryption and decryption device in the security domain, it may send the encryption and decryption algorithm and key for encrypting and decrypting the data to each encryption and decryption device; each encryption and decryption device then encrypts or decrypts the data it receives or needs to send using that encryption and decryption algorithm and key, thereby implementing the communication.
  • if an encryption and decryption device in the security domain may transmit data not only with the other encryption and decryption devices in the security domain but also with devices outside the security domain, the security management device also needs to send each encryption and decryption device in the security domain the device identification information of the other encryption and decryption devices in the security domain, so that when encrypting or decrypting the data transmitted to or from the other encryption and decryption devices in the security domain, each device can use the received device identifiers to determine the corresponding encryption and decryption algorithm and key and thus encrypt or decrypt correctly.
  • when the data transmission permission of the encryption and decryption devices in the security domain allows data transmission with devices outside the security domain, the encryption and decryption information sent by the security management device to each encryption and decryption device in the security domain further includes a device identifier, from which the encryption and decryption device determines the other encryption and decryption devices in the security domain to which the encryption and decryption algorithm and key for communication within the security domain apply. The device identifier includes at least one of: the Internet Protocol (IP) address of the other encryption and decryption devices in the security domain, the Media Access Control (MAC) address of the other encryption and decryption devices in the security domain, the ID of the encryption and decryption devices, the VLAN ID, and packet feature information.
  • it can be understood that the IP address, MAC address, ID, VLAN ID and packet feature information of the encryption and decryption devices are used to determine the other encryption and decryption devices in the security domain, and hence the encryption and decryption algorithm and key to apply.
  • the other encryption and decryption devices within the security domain may also be determined according to a traffic classification policy.
  • the traffic classification policy described herein is preferably implemented using Access Control List (ACL) rules, that is, different flows are distinguished according to the feature information of the packets. Various kinds of feature information, such as the IP address, MAC address, VLAN, Layer 4 protocol, Layer 4 port, or any other packet content that can be used for classification, can be configured, and flow identification followed by encryption and decryption processing is performed accordingly. In this case the encryption and decryption information sent to each encryption and decryption device in the security domain includes the feature information of the packets.
  • each encryption and decryption device in the security domain can also establish an entry that associates the encryption and decryption algorithm and key for intra-domain communication sent by the security management device with the feature information corresponding to that algorithm and key. When an encryption and decryption device needs to transmit data, it can obtain the corresponding encryption and decryption algorithm and key through the established entry and use them to encrypt and decrypt the transmitted data.
  • an encryption and decryption device may correspond to one IP address (or MAC address), or to multiple IP addresses (or MAC addresses). When it corresponds to multiple IP addresses (or MAC addresses), those addresses may belong to the same security domain or to different security domains, that is, the same encryption and decryption algorithm and key may be determined for all of the addresses, or different algorithms and keys may be determined for them.
  • accordingly, the specific IP address (or MAC address) of each encryption and decryption device in the security domain is also refined as follows.
  • if an encryption and decryption device corresponds to one IP address (or MAC address), and that address communicates not only with devices in the security domain but also with devices outside the security domain, the IP addresses (or MAC addresses) of the other encryption and decryption devices in the security domain need to be sent to the encryption and decryption device.
  • if the encryption and decryption device corresponds to multiple IP addresses, the security management device not only needs to send the encryption and decryption device the IP addresses (or MAC addresses) of the other encryption and decryption devices in the security domain, but also the IP address (or MAC address) that the encryption and decryption device itself uses for communication in the security domain, so that the encryption and decryption device can determine, from its own received IP address, the security domain (that is, the IP address) in whose data transmission the received encryption and decryption algorithm and key are used.
  • for example, encryption/decryption device 1 corresponds to IP1 and IP2, encryption/decryption device 2 corresponds to IP3 and IP4, and encryption/decryption device 3 corresponds to IP5 and IP6.
  • the security management device determines that IP1, IP3 and IP5 belong to one security domain, whose encryption and decryption algorithm and key are algorithm and key (1), and that IP2, IP4 and IP6 belong to another security domain, whose encryption and decryption algorithm and key are algorithm and key (2); it further determines that both security domains need to communicate outside their respective security domains. Since each encryption and decryption device has two IP addresses, the security management device needs to include IP1, IP3 and IP5 together with algorithm and key (1), and IP2, IP4 and IP6 together with algorithm and key (2), in the encryption and decryption information sent to each encryption and decryption device.
  • when each encryption and decryption device receives the encryption and decryption algorithm and key sent by the security management device together with the IP addresses corresponding to that algorithm and key, it may establish the corresponding entries. For example, for encryption/decryption device 1, the following entry may be established:
  • the encryption and decryption information includes at least one of the IP address, the MAC address, the ID, the ID of the VLAN containing the security domain, and the packet feature information of each encryption and decryption device in the security domain.
  • Each of the encryption and decryption devices in the security domain can perform a table lookup according to the longest match when transmitting and receiving data to obtain a corresponding encryption and decryption algorithm and a key.
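The entry table that encryption/decryption device 1 builds in the IP1..IP6 scenario above, together with the longest-match lookup, as an added example (not the patent's own code); the concrete addresses standing in for IP1..IP6, the algorithm name and the key bytes standing in for "algorithm and key (1)/(2)" are constructed, and the /24 entry is added only to show how a range-based domain and host entries coexist under longest match:

```python
# Added example, not part of the patent: the per-device entry table built from
# the received encryption and decryption information, looked up by longest
# match on the peer's IP address.  All addresses and key bytes are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    peer_net: ipaddress.IPv4Network  # peer address or address range in the domain
    own_ip: str                      # the address this device uses in that domain
    algorithm: str
    key: bytes


class EntryTable:
    """Per-device table: peer address (range) -> own address, algorithm, key."""

    def __init__(self):
        self.entries = []

    def add(self, peer, own_ip, algorithm, key):
        # strict=False lets a plain host address such as "10.1.80.13" be stored as a /32.
        self.entries.append(Entry(ipaddress.ip_network(peer, strict=False), own_ip, algorithm, key))

    def lookup(self, peer_ip):
        """Longest-match lookup; None means the peer is in no security domain of this device."""
        addr = ipaddress.ip_address(peer_ip)
        best = None
        for e in self.entries:
            if addr in e.peer_net and (best is None or e.peer_net.prefixlen > best.peer_net.prefixlen):
                best = e
        return best


def build_device1_table():
    """Entries for encryption/decryption device 1, which owns IP1 and IP2."""
    ip = {"IP1": "10.1.80.11", "IP2": "10.2.80.11", "IP3": "10.1.80.13",
          "IP4": "10.2.80.13", "IP5": "10.1.80.15", "IP6": "10.2.80.15"}
    key1 = bytes.fromhex("11" * 16)   # constructed stand-in for "algorithm and key (1)"
    key2 = bytes.fromhex("22" * 16)   # constructed stand-in for "algorithm and key (2)"
    t = EntryTable()
    # Domain 1 = {IP1, IP3, IP5}: device 1 talks to IP3 and IP5 from its own IP1.
    for peer in ("IP3", "IP5"):
        t.add(ip[peer], ip["IP1"], "AES-128-GCM", key1)
    # Domain 2 = {IP2, IP4, IP6}: device 1 talks to IP4 and IP6 from its own IP2.
    for peer in ("IP4", "IP6"):
        t.add(ip[peer], ip["IP2"], "AES-128-GCM", key2)
    # A condition-based domain (IP range 10.1.80.*) coexists with the host entries;
    # longest match makes the /32 host entries win over the /24 range entry.
    t.add("10.1.80.0/24", ip["IP1"], "AES-128-GCM", bytes.fromhex("33" * 16))
    return t


def resolve(table, peer_ip, allow_outside_domain):
    """What device 1 does with a packet for peer_ip: (own_ip, algorithm, key) for an
    in-domain peer; 'plaintext' if the data transmission permission (Table 2) allows
    talking outside the domain; 'drop' otherwise."""
    e = table.lookup(peer_ip)
    if e is not None:
        return (e.own_ip, e.algorithm, e.key)
    return "plaintext" if allow_outside_domain else "drop"
```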
  • each encryption and decryption device can be virtualized into one or more virtual encryption and decryption devices by the input/output virtualization technology of the encryption and decryption device, and one or more virtual encryption and decryption devices are allocated to each virtual machine (VM).
  • when a VM includes a plurality of virtual encryption and decryption devices, they may be virtualized from one encryption and decryption device or from multiple encryption and decryption devices.
  • when the encryption/decryption device is a network card, each network card may be virtualized into one or more virtual network cards using the input/output virtualization technology of the network card, and one or more virtual network cards are allocated to each VM. The virtual network card may also be referred to as a queue, and the ID of the virtual network card in the embodiment of the present invention may be referred to as a queue number.
  • the virtual switch can be offloaded to the network card, which ensures that virtual machine traffic passes through the network card.
  • when a virtual encryption/decryption device virtualized from an encryption and decryption device in the security domain is configured to perform data transmission with devices outside the security domain, the encryption and decryption information further includes a device identifier, used to determine the virtual encryption and decryption devices virtualized from the other encryption and decryption devices in the security domain to which the encryption and decryption algorithm and key apply. The device identifier includes at least one of: the IP address of the virtual encryption and decryption devices virtualized from the other encryption and decryption devices in the security domain, their MAC address, their ID, the ID of the VLAN of the virtual encryption/decryption devices virtualized from each encryption/decryption device in the security domain, and packet feature information. When the encryption and decryption information includes only the VLAN ID and not the addresses of the virtual encryption and decryption devices, the VLAN includes only the virtual encryption and decryption devices virtualized from the encryption and decryption devices in the security domain.
  • an encryption and decryption device may be virtualized into multiple virtual encryption and decryption devices, and those virtual devices may belong to the same security domain or to different security domains; each virtual encryption and decryption device may correspond to different IP addresses (or MAC addresses), and the multiple IP addresses of one virtual encryption and decryption device may belong to the same security domain or to different security domains.
  • if the security management device determines that a given encryption and decryption device is virtualized into only one virtual encryption and decryption device, and that virtual device corresponds to only one IP address (or MAC address), then the security management device only needs to send the encryption and decryption device the IP addresses (or MAC addresses) of the virtual encryption and decryption devices virtualized from the other encryption and decryption devices in the security domain that correspond to the encryption and decryption algorithm and key; if a given encryption and decryption device is virtualized into multiple virtual encryption and decryption devices, or one of its virtual encryption and decryption devices has multiple IP addresses (or MAC addresses), the security management device also needs to send that encryption and decryption device the IP addresses (or MAC addresses) of its own virtual encryption and decryption devices that correspond to the encryption and decryption algorithm and key.
  • the encryption and decryption device here is exemplified by a network card. Network card 1 is virtualized into virtual network interface cards (vNICs) vNIC1 and vNIC2, network card 2 into vNIC3 and vNIC4, and network card 3 into vNIC5 and vNIC6, where vNIC1 corresponds to IP1, vNIC2 to IP2, vNIC3 to IP3, vNIC4 to IP4, vNIC5 to IP5 and vNIC6 to IP6.
  • if the security management device determines that IP1, IP2, IP3, IP4, IP5 and IP6 all belong to the same security domain, it may determine algorithm and key (3) for the virtual network cards in the security domain and send that algorithm and key to each network card; if the virtual network cards also need to communicate outside the security domain, the IP addresses of the virtual network cards virtualized by the other network cards need to be sent to each network card together with the algorithm and key, and each network card can then establish the corresponding entry; for example, for network card 1 the entry created is:
  • IP6 -> algorithm and key (3)
  • for example, if IP1, IP3 and IP5 belong to the same security domain, the security management device may determine algorithm and key (4) for that security domain, and if IP2, IP4 and IP6 belong to another security domain, the security management device may determine algorithm and key (5) for that security domain. Although the two security domains do not communicate outside their respective domains, the same network card is virtualized into different virtual network cards, so when sending the encryption and decryption algorithm and key to a given network card, the IP addresses of the network card's own virtual network cards corresponding to each security domain need to be sent to the network card as well; after each network card receives the encryption and decryption algorithm and key sent by the security management device together with the IP addresses of its virtualized virtual network cards corresponding to that algorithm and key, it can establish the corresponding entry. For example, for network card 1, the entry established is:
  • the network card 1 is virtualized into the vNIC 1
  • the network card 2 is virtualized into the vNIC 2
  • the network card 3 is virtualized into the vNIC 3.
  • the IP address corresponding to the vNIC 1 is IP1 and IP2
  • the IP address corresponding to the vNIC 2 is IP3 and IP4,
  • the IP address corresponding to vNIC3 is IP5 and IP6;
  • the security management device can determine that IP1, IP3 and IP5 belong to the same security domain, for which the determined encryption and decryption algorithm and key are algorithm and key (6), and that IP2, IP4, and IP6 belong to another security domain, for which the determined encryption and decryption algorithm and key are algorithm and key (7). If the IP addresses in the two security domains need to communicate outside their respective security domains, the security management device sends each network card, together with the algorithm and key, the IP addresses of the virtualized virtual network cards corresponding to that algorithm and key; after each network card receives the encryption and decryption algorithm and key sent by the security management device and the IP addresses corresponding to that algorithm and key, it can establish the corresponding entries. For example, for network card 1, the established entries are:
  • each network card can obtain the corresponding encryption and decryption algorithm and key from the established entries, and use that encryption and decryption algorithm and key to encrypt or decrypt the data to be transmitted.
  • when encrypting and decrypting within a security domain, the security management device further sends, to each encryption and decryption device in the security domain, encryption and decryption information that includes the encryption and decryption algorithm and key of the security domain together with the device identifiers of the other encryption and decryption devices in the security domain.
  • including the device identifiers of the other encryption and decryption devices in the security domain ensures that each encryption and decryption device can determine the encryption and decryption algorithm and key to use when encrypting and decrypting data transmitted between itself and the other encryption and decryption devices in the security domain.
  • when the encryption and decryption algorithm supported by each encryption and decryption device is statically configured on the security management device, after one encryption and decryption device passes authentication, the security management device sends that device the encryption and decryption algorithm and key used for encrypting and decrypting data. At the same time it may send the IP addresses of all other encryption and decryption devices in the security domain, or it may send only the IP addresses of the encryption and decryption devices that have already passed authentication and send the IP addresses of the other encryption and decryption devices after they pass authentication.
  • the security domain corresponding to one encryption and decryption algorithm and key may be divided according to the specific situation. For example, all encryption and decryption devices or virtual encryption and decryption devices of an office or a company may be treated as one security domain, for which one encryption and decryption algorithm and key for encrypting and decrypting data is determined.
  • the security management device may configure all the encryption and decryption devices or virtual encryption and decryption devices in a VLAN to belong to the same security domain, according to the encryption and decryption devices included in the VLAN, and send the encryption and decryption algorithm and key to all the encryption and decryption devices or virtual encryption and decryption devices in the VLAN together with the ID of the VLAN.
  • the security domain for which an encryption and decryption algorithm and key for encrypting and decrypting data is determined may be divided not only according to encryption and decryption devices, virtual encryption and decryption devices virtualized by encryption and decryption devices, or VLANs, but also according to other situations.
  • the security management device can also be configured so that a security domain corresponds only to a specific data format sent by the encryption and decryption devices, which may be determined according to the specific situation (such as the feature information of the packet); this is not limited here.
  • the security domain setting on the security management device may also be configured to be divided according to the source IP address (or MAC address) and the destination IP address (or MAC address) of the data. For example, when the IP address of the data sender is IP1 and the IP address of the data receiver is IP2, that is determined to be one security domain; when the IP address of the data sender is IP2 and the IP address of the data receiver is IP1, that is determined to be another security domain.
  • that is, the algorithm and key used for encryption when sending data to another IP address may differ from the algorithm and key used for decryption when receiving data sent by that IP address.
  • IP1 and IP2 are just one embodiment; IP1 and IP2 may each correspond to one IP address or to multiple IP addresses, which is not limited by the embodiments of the present invention. That is, the security management device may configure a list of all encryption and decryption devices included in the security domain at the beginning; or it may configure only the conditions for belonging to the security domain, for example belonging to the same VLAN, sending packets of a specific format (such as the feature information of the packet), or an IP address (or MAC address) range, and then add each qualifying encryption and decryption device to the security domain's encryption and decryption device list, preferably when the encryption and decryption device is initially added to the network for authentication.
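The domain-division rules above (explicit device list, VLAN, address range, packet format, and the directional sender/receiver pair that gets a different key in each direction) as an added Python example; this is not the patent's own code, and the addresses, VLAN number and key labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary: only the fields the domain rules look at."""
    src_ip: str
    dst_ip: str
    vlan_id: Optional[int] = None
    fmt: Optional[str] = None  # the page's "feature information of the packet"


@dataclass
class SecurityDomain:
    """One security domain and the algorithm+key label the management device bound to it.
    Any combination of conditions may be set; every set condition must hold."""
    name: str
    key_label: str                              # e.g. "algorithm and key (4)"
    members: set = field(default_factory=set)   # explicit device list (IP addresses)
    vlan_id: Optional[int] = None
    cidr: Optional[str] = None                  # IP address range
    fmt: Optional[str] = None                   # specific data format
    pair: Optional[Tuple[str, str]] = None      # directional (sender, receiver)

    def enroll(self, ip: str) -> None:
        """Add a device to the list, e.g. when it joins the network and passes authentication."""
        self.members.add(ip)

    def contains(self, pkt: Packet) -> bool:
        if not (self.members or self.vlan_id is not None or self.cidr or self.fmt or self.pair):
            return False  # a domain with no conditions matches nothing
        if self.pair is not None and (pkt.src_ip, pkt.dst_ip) != self.pair:
            return False
        if self.vlan_id is not None and pkt.vlan_id != self.vlan_id:
            return False
        if self.fmt is not None and pkt.fmt != self.fmt:
            return False
        if self.cidr is not None:
            net = ipaddress.ip_network(self.cidr)
            if not all(ipaddress.ip_address(a) in net for a in (pkt.src_ip, pkt.dst_ip)):
                return False
        if self.members and not {pkt.src_ip, pkt.dst_ip} <= self.members:
            return False
        return True


def select_key_label(domains, pkt: Packet) -> Optional[str]:
    """Return the algorithm+key label of the first domain the packet falls in, or None
    when the packet belongs to no configured domain (so no domain key applies to it)."""
    for domain in domains:
        if domain.contains(pkt):
            return domain.key_label
    return None


def example_domains():
    """Constructed configuration mirroring the page: a directional pair with a different
    key per direction, an office device list, a VLAN, and an address range with a format."""
    return [
        SecurityDomain("IP1->IP2", "algorithm and key (A)", pair=("192.0.2.1", "192.0.2.2")),
        SecurityDomain("IP2->IP1", "algorithm and key (B)", pair=("192.0.2.2", "192.0.2.1")),
        SecurityDomain("office", "algorithm and key (4)", members={"10.0.0.1", "10.0.0.3"}),
        SecurityDomain("vlan100", "algorithm and key (5)", vlan_id=100),
        SecurityDomain("lab-range", "algorithm and key (6)", cidr="10.1.0.0/16", fmt="telemetry"),
    ]
```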
  • the security management device may continuously update the encryption and decryption algorithm and key used for encrypting and decrypting data; for example, the encryption and decryption algorithm and key may be replaced periodically, and the larger the number of encryption and decryption devices corresponding to an encryption and decryption algorithm and key, the shorter the replacement period. While replacing the encryption and decryption algorithm and key, the set of encryption and decryption devices or virtual encryption and decryption devices corresponding to the key may also be updated; this is not limited in this embodiment of the present invention.
  • the encryption and decryption algorithm and key determined in S110 may be an updated encryption and decryption algorithm and key, or may be the encryption and decryption algorithm and key determined for the first time after the encryption and decryption device passes authentication.
  • each encryption and decryption device may record the new encryption and decryption algorithm and key and enable them when it next needs to transmit data to other encryption and decryption devices, encrypting the data to be transmitted with the new encryption and decryption algorithm and key.
  • however, the encryption and decryption device may still receive data encrypted by other encryption and decryption devices with the old encryption and decryption algorithm and key; if the encryption and decryption device decrypts that data with the new encryption and decryption algorithm and key, decryption fails. To ensure that data can be decrypted correctly while the encryption and decryption algorithm and key are being switched, the encryption and decryption device needs to keep both the old and the new encryption and decryption algorithm and key.
  • before sending the encryption and decryption information to each of the encryption and decryption devices in the security domain in S120, the method 100 may further include: determining a version identifier corresponding to the encryption and decryption algorithm and key.
  • the encryption and decryption information sent to each of the encryption and decryption devices in the security domain may further include a version identifier of the encryption and decryption algorithm and key for communication within the security domain; each encryption and decryption device carries the version identifier when transmitting data to other encryption and decryption devices in the security domain, so that the other encryption and decryption devices in the security domain use the encryption and decryption algorithm and key for communication within the security domain corresponding to that version identifier to decrypt the data.
  • the security management device may determine the version identifier corresponding to the encryption and decryption algorithm and key, and include in the encryption and decryption information sent to each encryption and decryption device the encryption and decryption algorithm, the key, and the version identifier corresponding to the encryption and decryption algorithm and key.
  • Each encryption and decryption device when receiving the encryption and decryption information, saves the encryption and decryption algorithm and the key, and a version identifier corresponding to the encryption and decryption algorithm and the key.
  • when any encryption and decryption device in the security domain sends data to other encryption and decryption devices in the security domain, it encrypts the data according to the encryption and decryption algorithm and key, and carries the version identifier corresponding to the encryption and decryption algorithm and key in the packet carrying the encrypted data sent to the other encryption and decryption devices in the security domain; when it receives, from other encryption and decryption devices in the security domain, a packet carrying the version identifier corresponding to the encryption and decryption algorithm and key, it obtains the encryption and decryption algorithm and key according to that version identifier and uses them to decrypt the encrypted data carried in the packet sent by the other encryption and decryption devices in the security domain.
  • the following uses a network card as an encryption and decryption device for illustration.
  • the IP addresses of vNIC 1 virtualized by network card 1, vNIC 2 virtualized by network card 2, and vNIC 3 virtualized by network card 3 are IP1, IP2, and IP3 respectively, wherein the three virtual network cards belong to the same security domain and need to communicate within the security domain.
  • the security management device sends the encryption and decryption algorithm and key (the algorithm is 3DES, the key is Key) to network card 1, network card 2, and network card 3, together with the IP addresses IP1, IP2, and IP3 corresponding to the encryption and decryption algorithm and key.
  • each network card can then create its entries. If network card 1, network card 2, and network card 3 are each virtualized into one virtual network card, network card 1 can create the following entries:
  • IP2 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP3 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • NIC 2 can create the following entries:
  • IP1 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP3 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • NIC 3 can create the following entries:
  • IP1 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP2 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • the network card 1 can establish the following entries:
  • IP1 (local) + IP2 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP1 (local) + IP3 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • NIC 2 can create the following entries:
  • IP2 (local) + IP1 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP2 (local) + IP3 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • NIC 3 can create the following entries:
  • IP3 (local) + IP1 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • IP3 (local) + IP2 (opposite) -> new 3DES + new Key + new version identifier + old 3DES + old Key + old version identifier
  • vNIC 1 can obtain the encryption and decryption algorithm and key (3DES and Key) from the above entries, encrypt the data to be sent with that encryption and decryption algorithm and key, add the new version identifier to the packet carrying the encrypted data, and send the processed packet to vNIC2.
  • when network card 2 receives the packet from network card 1, network card 2 can obtain the IP address IP1 of vNIC1 (and the IP address IP2 of vNIC2).
  • the security management device carries the version identifier corresponding to the encryption and decryption algorithm and key in the encryption and decryption information sent to the encryption and decryption device, and the encryption and decryption device adds the version identifier corresponding to the encryption and decryption algorithm and key used to encrypt the data to the packet carrying the encrypted data. The other encryption and decryption device receiving the packet can then conveniently determine the correct encryption and decryption algorithm and key from the version identifier carried in the packet and decrypt the data, ensuring that the data is correctly decrypted.
  • the encryption and decryption algorithm and the key can be periodically refreshed, thereby further ensuring the security of data transmission in the security domain, and the security management device uniformly performs the negotiation and management of the encryption and decryption algorithm and the key.
  • before determining the encryption and decryption algorithm and key according to the encryption and decryption algorithms supported by each encryption and decryption device in the security domain in S120, the method further includes:
  • authenticating each of the encryption and decryption devices in the security domain through a security management protocol, and determining that authentication with each encryption and decryption device in the security domain passes.
  • each encryption and decryption device in the security domain is authenticated and is therefore secure and trustworthy.
  • the security management device only sends the encryption and decryption information including the encryption and decryption algorithm and the key to the encryption/decryption device that has passed the authentication authentication, thereby ensuring the security of communication in the security domain.
  • the security management protocol may be the Secure Sockets Layer (SSL) protocol, the Internet Protocol Security (IPSEC) protocol, or the Key Security (KeySec) protocol, and may also be another security management protocol.
  • the security management device performs authentication and authentication on each encryption and decryption device to ensure that the encryption and decryption devices in the security domain are secure and credible.
  • the encryption and decryption algorithm and key for encrypting and decrypting data in the security domain are determined by the security management device, so keys can be centrally negotiated and managed while data transmission security is ensured, reducing the pressure of key negotiation.
  • the method for securing data transmission security according to an embodiment of the present invention has been described above from the security management device side.
  • the secure data transmission according to an embodiment of the present invention will be described from the encryption/decryption device side (any encryption/decryption device in the above-mentioned security domain).
  • method 200 includes:
  • S210: receive encryption and decryption information sent by the security management device, where the encryption and decryption information includes an encryption and decryption algorithm and key for data transmission between the encryption and decryption devices in the security domain, and the encryption and decryption algorithm and key are determined by the security management device according to the encryption and decryption device list in the security domain and the encryption and decryption algorithms supported by each encryption and decryption device;
  • S220: according to the encryption and decryption information, encrypt or decrypt the data transmitted to and from other encryption and decryption devices in the security domain.
  • any encryption and decryption device in the security domain may use the encryption and decryption algorithm and key to encrypt or decrypt the transmitted data when transmitting data with other encryption and decryption devices in the security domain.
  • in the data transmission security method of the embodiment of the present invention, the encryption and decryption device receives the encryption and decryption algorithm and key for encrypting and decrypting data in the security domain determined by the security management device, where the encryption and decryption algorithm and key are determined by the security management device according to the encryption and decryption algorithms supported by each encryption and decryption device in the security domain; when data is transmitted between the encryption and decryption device and other encryption and decryption devices in the security domain, that encryption and decryption algorithm and key are used to encrypt or decrypt the data, which ensures the security of data transmission, and the centralized negotiation and management of the encryption and decryption algorithms and keys for communication within the security domain reduces the pressure of key negotiation.
  • each encryption and decryption device in the security domain may be assigned the same encryption and decryption algorithm and key by the security management device for encryption and decryption of data transmission between the encryption and decryption devices in the security domain, and the encryption and decryption algorithm is The encryption and decryption algorithm supported by all encryption and decryption devices in the security domain.
  • the encryption and decryption algorithm supported by each encryption and decryption device can be configured by the security management device.
  • when the security management device has not configured the encryption and decryption algorithms supported by the encryption and decryption device, before receiving in S210 the encryption and decryption information including the encryption and decryption algorithm and key sent by the security management device, the method 200 may also include: sending the supported encryption and decryption algorithms to the security management device.
  • the security management device is configured with a list of encryption and decryption devices included in the security domain and data transmission authority information of the encryption and decryption device in the security domain.
  • the encryption and decryption information received by the encryption and decryption device further includes a device identifier, which is used to determine the other encryption and decryption devices in the security domain corresponding to the encryption and decryption algorithm and key for communication within the security domain, where the device identifier includes at least one of: the IP addresses of the other encryption and decryption devices in the security domain, the MAC addresses of the other encryption and decryption devices in the security domain, the IDs of the other encryption and decryption devices in the security domain, the ID of the VLAN including the security domain, and the feature information of the packet.
  • when the encryption and decryption information includes the ID of the VLAN and does not include the IP addresses, the MAC addresses, and the IDs of the other encryption and decryption devices, it indicates that the VLAN includes only the encryption and decryption devices in the security domain.
  • the embodiment of the present invention may be applied to a physical machine application scenario, and may also be applied to a virtual machine application scenario.
  • in the VM application scenario, the input and output virtualization technology of the encryption and decryption device can be used to virtualize each encryption and decryption device into one or more virtual encryption and decryption devices, and to allocate one or more virtual encryption and decryption devices to each VM.
  • the plurality of virtual encryption and decryption devices may be virtualized by one encryption and decryption device, or may be virtualized by multiple encryption and decryption devices.
  • when the virtual encryption and decryption devices virtualized by the encryption and decryption devices in the security domain are configured to perform data transmission within the security domain, the encryption and decryption information further includes a device identifier, which is used to determine the virtual encryption and decryption devices virtualized by other encryption and decryption devices in the security domain corresponding to the encryption and decryption algorithm and key, where the device identifier includes at least one of: the IP addresses of the virtual encryption and decryption devices virtualized by other encryption and decryption devices in the security domain, the MAC addresses of the virtual encryption and decryption devices virtualized by other encryption and decryption devices in the security domain, the IDs of the virtual encryption and decryption devices virtualized by other encryption and decryption devices in the security domain, the ID of the VLAN including the virtual encryption and decryption devices virtualized by each encryption and decryption device in the security domain, and the feature information of the packet.
  • when the encryption and decryption information includes only the ID of the VLAN and does not include the IP addresses, the MAC addresses, and the IDs of the virtual encryption and decryption devices, the VLAN includes only the virtual encryption and decryption devices virtualized by the encryption and decryption devices in the security domain.
  • S210 receives the encryption and decryption information sent by the security management device, where the encryption and decryption information includes the encryption and decryption algorithm and key for data transmission with other encryption and decryption devices in the security domain, and the encryption and decryption algorithm and key are determined by the security management device according to the encryption and decryption device list in the security domain and the encryption and decryption algorithms supported by each of the encryption and decryption devices; the encryption and decryption information may further include a version identifier corresponding to the encryption and decryption algorithm and key.
  • the security management device can continuously update the encryption and decryption algorithm and key for encrypting and decrypting data in order to ensure the security of the data, and sends the version identifier corresponding to the encryption and decryption algorithm and key while transmitting the encryption and decryption algorithm and key.
  • the encryption and decryption device can save the encryption and decryption algorithm and the key, and the version identifier corresponding to the encryption and decryption algorithm and the key when receiving the encryption and decryption information.
  • when the encryption and decryption information includes a version identifier corresponding to the encryption and decryption algorithm and key, encrypting or decrypting in S220 the data transmitted between the encryption and decryption device and other encryption and decryption devices in the security domain according to the encryption and decryption algorithm and key may include:
  • when transmitting data to other encryption and decryption devices in the security domain, encrypting the data according to the encryption and decryption algorithm and key for communication within the security domain, and carrying, in the packet carrying the encrypted data transmitted to the other encryption and decryption devices in the security domain, the version identifier corresponding to the encryption and decryption algorithm and key for communication within the security domain.
  • because the encryption and decryption device carries, in the packet carrying the encrypted data, the version identifier corresponding to the encryption and decryption algorithm and key used to encrypt the data, the other encryption and decryption device receiving the packet can conveniently determine the correct encryption and decryption algorithm and key from the version identifier carried in the packet and decrypt the data, which ensures that the data is correctly decrypted; it also allows the encryption and decryption algorithm and key to be refreshed periodically, which further ensures the security of data transmission in the security domain.
  • the method 200 may further include:
  • the encryption and decryption device is authenticated by the security management device through the security management protocol, and the authentication passes.
  • the security management protocol may be the SSL protocol or the IPSEC protocol or the Key Security protocol, or may be other security management protocols.
  • the encryption and decryption device in the embodiment of the present invention may be a computer device or a network card.
  • when the encryption and decryption device is a network card, the data is encrypted and decrypted by the network card, which avoids the heavy pressure that encrypting and decrypting data on the computer device would place on the CPU.
  • the encryption and decryption algorithm and key for encrypting and decrypting data in the security domain are determined by the security management device according to the encryption and decryption algorithms supported by each encryption and decryption device in the security domain; when data is transmitted between the encryption and decryption device and other encryption and decryption devices in the security domain, the encryption and decryption device encrypts or decrypts the data using that encryption and decryption algorithm and key, so that keys are centrally negotiated and managed while the security of data transmission is ensured, reducing the pressure of key negotiation.
  • the following takes the case where the encryption and decryption device is a network card as an example to describe a method for securing data transmission according to an embodiment of the present invention.
  • FIG. 3 is a flow diagram of a method 300 of securing data transmissions in accordance with an embodiment of the present invention. It is assumed below that the network card 1 and the security management device, the network card 2 and the security management device, and the network card 3 and the security management device have passed the authentication authentication, wherein the authentication can be completed through the SSL protocol and the IPSEC protocol.
  • the network card 1 is virtualized into vNIC1 and vNIC2, the network card 2 is virtualized into vNIC3, the network card 3 is virtualized into vNIC4, and the IP addresses corresponding to vNIC1, vNIC2, vNIC3 and vNIC4 are IP1, IP2, IP3 and IP4; and vNIC1, vNIC2, vNIC3, and vNIC4 correspond to VM1, VM2, VM3, and VM4, respectively.
  • the network card 1 sends the encryption and decryption algorithms supported by network card 1 to the security management device.
  • the network card 2 sends the encryption and decryption algorithms supported by network card 2 to the security management device.
  • the network card 3 sends the encryption and decryption algorithms supported by network card 3 to the security management device.
  • the security management device determines, according to the encryption and decryption algorithms supported by network card 1, network card 2, and network card 3, the encryption and decryption algorithm and key used for encrypting and decrypting data transmitted between vNIC1, vNIC3, and vNIC4, wherein vNIC1, vNIC3, and vNIC4 belong to the same security domain and each virtual network card needs to communicate within the security domain.
  • the selected encryption and decryption algorithm is 3DES and the key is denoted Key; the security management device also determines the IP address of each virtual network card.
  • the security management device sends the encryption and decryption information to network card 1, where the encryption and decryption information includes the determined encryption and decryption algorithm and key and the IP addresses of vNIC3 and vNIC4; because network card 1 is virtualized into two virtual network cards, the encryption and decryption information also needs to include the IP address of vNIC1.
  • the encryption and decryption information may further include a version identifier corresponding to the encryption and decryption algorithm and the key, for example, the version identifier is 2.
  • after receiving the encryption and decryption information sent by the security management device, network card 1 can establish the following entries:
  • the security management device sends the encryption and decryption information to network card 2, where the encryption and decryption information includes the determined encryption and decryption algorithm and key, the IP addresses of vNIC1 and vNIC4, and the version identifier corresponding to the encryption and decryption algorithm and key.
  • the security management device sends the determined encryption and decryption algorithm and key to the network card 3, and an IP address of the vNIC 1 and the vNIC3, and a version identifier corresponding to the encryption and decryption algorithm and the key.
  • after receiving the encryption and decryption information sent by the security management device, network card 3 can establish the following entries, because network card 3 is virtualized into only one virtual network card:
  • the VM1 corresponding to the vNIC1 needs to send data to the VM3 corresponding to the vNIC4.
  • NIC 1 queries the entry IP1+IP4->3DES+Key+version identifier to obtain the encryption and decryption algorithm and key corresponding to version identifier 2, encrypts the data with that encryption and decryption algorithm and key, and adds the version identifier to the packet carrying the data, where the packet can be encapsulated by SSL or by IPSEC.
  • the encapsulated packet can be:
  • the network card 1 sends the encapsulated packet to the network card 3.
  • after receiving the packet sent by network card 1, network card 3 determines through the switching and forwarding process that the final egress is vNIC4; network card 3 finds the entry IP1->3DES + Key + version identifier according to the IP address of vNIC1 and, through the version identifier carried in the packet, obtains the corresponding encryption and decryption algorithm and key, so that the data can be decrypted and sent to VM3.
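The per-peer entry table with a version identifier in each packet, and the old-plus-new key retention the page requires during a key switch (both the 3DES entries earlier on the page and the NIC 1 to NIC 3 exchange just described), as an added Python example; it is not the patent's own code. The cipher is a constructed SHA-256 keystream stand-in for the page's 3DES, the packet layout (2-byte version, 8-byte nonce, ciphertext) and the algorithm name are assumptions, and IP1/IP2/IP4 are used as string labels.

```python
import hashlib
import os
import struct
from dataclasses import dataclass


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the page's 3DES: a SHA-256 keystream XORed with the data.
    It keeps the example dependency-free; it is a placeholder, not a recommended cipher."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + struct.pack(">I", block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Algorithm names the security management device may hand out (constructed; the page uses "3DES").
ALGORITHMS = {"TOY-STREAM": toy_stream_cipher}


@dataclass(frozen=True)
class KeyEntry:
    algorithm: str
    key: bytes
    version: int  # the page's "version identifier"


class NicKeyTable:
    """Entry table of one network card: (local vNIC IP, peer IP) -> {version: KeyEntry}."""
    MAX_VERSIONS = 2  # keep the new and the old algorithm/key during a key switch

    def __init__(self, local_ips):
        self.local_ips = set(local_ips)
        self.entries = {}

    def install(self, local_ip: str, peer_ip: str, entry: KeyEntry) -> None:
        """Store encryption/decryption information received from the management device."""
        if local_ip not in self.local_ips:
            raise ValueError(f"{local_ip} is not a local virtual NIC address")
        if entry.algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm {entry.algorithm}")
        versions = self.entries.setdefault((local_ip, peer_ip), {})
        versions[entry.version] = entry
        while len(versions) > self.MAX_VERSIONS:  # evict the oldest version identifier
            del versions[min(versions)]

    def current(self, local_ip: str, peer_ip: str) -> KeyEntry:
        """The newest version identifier is the one used when sending."""
        versions = self.entries.get((local_ip, peer_ip))
        if not versions:
            raise KeyError(f"no entry for {local_ip}->{peer_ip}")
        return versions[max(versions)]

    def encrypt(self, local_ip: str, peer_ip: str, plaintext: bytes) -> bytes:
        """Constructed packet layout: 2-byte version identifier | 8-byte nonce | ciphertext."""
        entry = self.current(local_ip, peer_ip)
        nonce = os.urandom(8)
        body = ALGORITHMS[entry.algorithm](entry.key, nonce, plaintext)
        return struct.pack(">H", entry.version) + nonce + body

    def decrypt(self, local_ip: str, peer_ip: str, packet: bytes) -> bytes:
        """Pick the key by the version identifier carried in the packet, old or new."""
        if len(packet) < 10:
            raise ValueError("packet too short")
        (version,) = struct.unpack(">H", packet[:2])
        nonce, body = packet[2:10], packet[10:]
        entry = self.entries.get((local_ip, peer_ip), {}).get(version)
        if entry is None:
            raise KeyError(f"no key with version identifier {version} for {peer_ip}->{local_ip}")
        return ALGORITHMS[entry.algorithm](entry.key, nonce, body)


def key_rotation_scenario() -> dict:
    """Walks through the key switch described on the page with constructed keys."""
    nic1 = NicKeyTable(["IP1", "IP2"])  # network card 1 hosts vNIC1 (IP1) and vNIC2 (IP2)
    nic3 = NicKeyTable(["IP4"])         # network card 3 hosts vNIC4 (IP4)
    v1 = KeyEntry("TOY-STREAM", b"k" * 16, 1)
    nic1.install("IP1", "IP4", v1)
    nic3.install("IP4", "IP1", v1)
    results = {}
    results["v1_roundtrip"] = nic3.decrypt("IP4", "IP1", nic1.encrypt("IP1", "IP4", b"hello"))
    # The management device refreshes the key; NIC 3 receives version 2 before NIC 1 does.
    v2 = KeyEntry("TOY-STREAM", b"j" * 16, 2)
    nic3.install("IP4", "IP1", v2)
    pkt_old = nic1.encrypt("IP1", "IP4", b"still v1")
    results["old_key_still_accepted"] = nic3.decrypt("IP4", "IP1", pkt_old)
    nic1.install("IP1", "IP4", v2)
    pkt_new = nic1.encrypt("IP1", "IP4", b"now v2")
    results["sent_version"] = struct.unpack(">H", pkt_new[:2])[0]
    results["v2_roundtrip"] = nic3.decrypt("IP4", "IP1", pkt_new)
    # A further refresh evicts version 1 on NIC 3, so a stale version-1 packet is rejected.
    nic3.install("IP4", "IP1", KeyEntry("TOY-STREAM", b"m" * 16, 3))
    try:
        nic3.decrypt("IP4", "IP1", pkt_old)
        results["stale_v1_rejected"] = False
    except KeyError:
        results["stale_v1_rejected"] = True
    return results
```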
  • the security management device may determine the ID of the VLAN including only vNIC1, vNIC 2, vNIC3, and vNIC4, and send the same to each network card. ID of the VLAN, each NIC can establish an entry with the ID of the VLAN, and when determining to transmit data to the virtual network card included in the VLAN, encrypt the data by using an encryption and decryption algorithm and a key corresponding to the ID of the VLAN or Decrypt.
  • the method for securing data transmission by receiving an encryption and decryption algorithm and a key for encrypting and decrypting data in a security domain determined by a security management device, is associated with the security domain.
  • the encryption/decryption algorithm and the key are used to encrypt or decrypt the data, thereby ensuring the security of data transmission, centrally negotiating and managing keys, and reducing the pressure of key negotiation.
  • The security management device 400 includes:
  • a determining unit 410, configured to determine, according to the list of encryption and decryption devices in the security domain and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for communication in the security domain, which are used for data transmission between the encryption and decryption devices in the security domain;
  • a sending unit 420, configured to send encryption and decryption information to each encryption and decryption device in the security domain, where the information includes the algorithm and key for communication in the security domain determined by the determining unit 410 and is used in the security domain as follows:
  • each encryption and decryption device encrypts or decrypts, according to the encryption and decryption information, the data transmitted between it and the other encryption and decryption devices in the security domain.
  • The security management device of the embodiment determines, by the determining unit, the encryption and decryption algorithm and key for encrypting and decrypting data in the security domain, and can centrally negotiate and manage keys and reduce the pressure of key negotiation while ensuring the security of data transmission.
  • The determining unit 410 is specifically configured to select, for each encryption and decryption device in the security domain, the same encryption and decryption algorithm and key for communication within the security domain, where the algorithm is one supported by all encryption and decryption devices in the security domain.
  • The security management device 400 further includes:
  • a first configuration unit 430, configured to configure the list of encryption and decryption devices included in the security domain.
  • The receiving unit 440 is configured to receive the supported encryption and decryption algorithms sent by each encryption and decryption device in the security domain and pass them to the determining unit 410.
  • In addition to the determining unit 410, the sending unit 420 and the first configuration unit 430, the security management device 400 further includes a second configuration unit 450, configured to configure the encryption and decryption algorithm supported by each encryption and decryption device in the security domain.
  • The determining unit 410 is further configured to acquire the encryption and decryption algorithms from the second configuration unit 450.
  • The security management device 400 further includes a third configuration unit 460, configured to configure the data transmission permission of the encryption and decryption devices in the security domain, where the data transmission permission is whether data can be transmitted with devices outside the security domain.
  • The sending unit 420 is further configured to acquire, from the third configuration unit 460, the data transmission permission of the encryption and decryption devices in the security domain, where the data transmission permission of the encryption and decryption devices in the security domain is
  • The encryption and decryption information sent by the sending unit 420 further includes a device identifier, and the encryption and decryption device determines, according to the device identifier, the encryption and decryption algorithm and key for communication in the security domain.
  • The device identifier includes at least one of:
  • the IP addresses of the other encryption and decryption devices in the security domain, their MAC addresses, their IDs, the ID of the VLAN including the security domain, and the feature information of packets.
  • When the encryption and decryption information includes the VLAN ID and does not include the IP addresses, MAC addresses or IDs of the other encryption and decryption devices, the VLAN includes only the encryption and decryption devices in the security domain.
  • The determining unit 410 of the security management device 400 is further configured to determine a version identifier corresponding to the encryption and decryption algorithm and key for communication in the security domain; the encryption and decryption information sent by the sending unit 420 further includes that version identifier, which each encryption and decryption device carries in the data when transmitting data to the other encryption and decryption devices in the security domain, so that those devices decrypt the data with the algorithm and key for communication within the security domain that correspond to the version identifier.
  • The encryption and decryption device is a computer device.
  • The encryption and decryption device is a network card.
  • When the encryption and decryption device is a network card, the data is encrypted and decrypted by the network card, which further avoids the enormous pressure that encrypting and decrypting the data on the computer device would place on the CPU.
  • When the security management device 400 includes the receiving unit 440, the first configuration unit 430 and the third configuration unit 460, all three are optional units: the security management device 400 may include only the receiving unit 440, only the first configuration unit 430 or only the third configuration unit 460, and of course it may include all three, or any two of them. Similarly, for FIG.
  • When the security management device 400 includes the first configuration unit 430, the second configuration unit 450 and the third configuration unit 460, all three are optional units: it may include only the first configuration unit 430, only the second configuration unit 450 or only the third configuration unit 460, and of course it may include all three at the same time, or any two of them. It should also be understood that although the receiving unit 440 and the second configuration unit 450 belong to different figures, the security management device may have both; when it has both the receiving unit 440 and the second configuration unit 450, a priority may be set between the two units, that is, in some circumstances the encryption and decryption algorithm received by the receiving unit 440 has the higher priority, and in others the algorithm configured by the second configuration unit 450 has the higher priority. This is decided according to the specific situation and is not limited by the embodiment of the present invention.
  • The security management device of the embodiment can centrally negotiate and manage keys and reduce the pressure of key negotiation while ensuring data transmission security, by determining an encryption and decryption algorithm and key for encrypting and decrypting data in the security domain.
  • The security management device 400 may correspond to the security management device in the methods 100 to 300 for securing data transmission, and the above and other operations and/or functions of the units in the security management device 400 respectively implement the methods of FIG. 1 to FIG. 3.
  • FIG. 7 is a structural block diagram of an encryption and decryption device according to an embodiment of the present invention. As shown in FIG. 7, the encryption and decryption device 500 includes:
  • a receiving unit 510, configured to receive the encryption and decryption information sent by the security management device, where the information includes an encryption and decryption algorithm and a key for data transmission with the other encryption and decryption devices in the security domain, the algorithm and key having been determined by the security management device according to the encryption and decryption algorithm supported by each encryption and decryption device in the security domain;
  • an encryption and decryption unit 520, configured to encrypt or decrypt, according to the encryption and decryption information received by the receiving unit 510, the data transmitted between this device and the other encryption and decryption devices in the security domain.
  • The encryption and decryption device of the embodiment encrypts and decrypts data with the encryption and decryption algorithm and key, determined by the security management device, for encrypting and decrypting the data of the encryption and decryption devices in the security domain, thereby ensuring the security of data transmission; keys are centrally negotiated and managed through the security management device, which avoids the pressure of key negotiation on the nodes.
  • The encryption and decryption device further includes:
  • a sending unit 530, configured to send the supported encryption and decryption algorithms to the security management device.
  • The encryption and decryption information received by the receiving unit 510 further includes a device identifier.
  • The device identifier includes at least one of:
  • the IP addresses of the other encryption and decryption devices in the security domain, their MAC addresses, their IDs, the ID of the VLAN including the security domain, and the feature information of packets;
  • the encryption and decryption unit 520 is configured to determine, according to the device identifier included in the encryption and decryption information received by the receiving unit 510, the other encryption and decryption devices in the security domain to which the algorithm and key in the encryption and decryption information apply.
  • The encryption and decryption information received by the receiving unit 510 further includes a version identifier corresponding to the encryption and decryption algorithm and key for communication in the security domain.
  • The encryption and decryption unit 520 is specifically configured so that:
  • the packet carrying the data carries the version identifier corresponding to the encryption and decryption algorithm and key for communication in the security domain.
  • The encryption and decryption device 500 is a computer device.
  • The encryption and decryption device 500 is a network card.
  • When the encryption and decryption device is a network card, the data is encrypted and decrypted by the network card, which further avoids the enormous pressure that encrypting and decrypting the data on the computer device would place on the CPU.
  • The encryption and decryption device 500 may correspond to the encryption and decryption device in the methods 100 to 300 for securing data transmission in the embodiment of the present invention, and the above and other operations and/or functions of the units in the encryption and decryption device 500 respectively implement the methods 100 to 300 of FIG. 1 to FIG. 3; for brevity, they are not described again here.
  • The encryption and decryption device of the embodiment acquires the encryption and decryption algorithm and key, determined by the security management device, for encrypting and decrypting data in the security domain, and encrypts and decrypts the data with them, which ensures data transmission security; at the same time, the security management device centrally negotiates and manages the key, avoiding the pressure of key negotiation between the nodes.
  • FIG. 9 is a structural block diagram of a system for data transmission according to an embodiment of the present invention.
  • The system 600 includes a security management device 610 and at least two encryption and decryption devices 620, where the security management device 610 is configured to determine, according to the list of encryption and decryption devices in the security domain including the encryption and decryption devices 620 and the encryption and decryption algorithm supported by each encryption and decryption device 620, an encryption and decryption algorithm and a key for communication within the security domain, which are used for data transmission between the encryption and decryption devices 620, and to send encryption and decryption information, including the algorithm and key, to each encryption and decryption device 620 in the security domain;
  • the encryption and decryption device 620 is configured to receive the encryption and decryption information sent by the security management device 610, where the information includes an encryption and decryption algorithm and a key for data transmission with the other encryption and decryption devices 620 in the security domain, and to encrypt or decrypt, according to the information, the data transmitted between it and the other encryption and decryption devices 620 in the security domain.
  • That the security management device 610 determines an encryption and decryption algorithm and a key for communication in the security domain includes:
  • the security management device 610 is configured to select, for each encryption and decryption device 620 in the security domain, the same encryption and decryption algorithm and key for communication within the security domain, where the algorithm is one supported by all encryption and decryption devices 620 in the security domain.
  • The security management device 610 is further configured to configure the list of encryption and decryption devices of the security domain.
  • The encryption and decryption device 620 is further configured to send its supported encryption and decryption algorithms to the security management device 610, or the security management device 610 is further configured to configure the encryption and decryption algorithm supported by each encryption and decryption device 620 in the security domain.
  • The security management device 610 is further configured to configure the data transmission permission of the encryption and decryption devices in the security domain, where the data transmission permission is whether data can be transmitted with devices outside the security domain.
  • The encryption and decryption information sent by the security management device 610 to the encryption and decryption device further includes a device identifier, which identifies the other encryption and decryption devices in the security domain so that the encryption and decryption device 620 can determine the encryption and decryption algorithm and key; the device identifier includes at least one of: the IP addresses of the other encryption and decryption devices 620 in the security domain, their MAC addresses, their IDs, the ID of the VLAN including the security domain, and the feature information of packets.
  • Before the security management device 610 sends the encryption and decryption information to each encryption and decryption device, it is further configured to determine a version identifier corresponding to the encryption and decryption algorithm and key for communication in the security domain, and the encryption and decryption information sent to the encryption and decryption device 620 further includes that version identifier;
  • the encryption and decryption device 620 is further configured to carry the version identifier when transmitting data to the other encryption and decryption devices 620 in the security domain, and the other encryption and decryption devices 620 in the security domain decrypt the data with the encryption and decryption algorithm and key corresponding to the version identifier.
  • The encryption and decryption device 620 is a computer device or a network card.
  • The security management device 610 may correspond to the security management device 400, and the encryption and decryption device 620 to the encryption and decryption device 500, in the devices of the embodiment of the present invention; the above and other operations and/or functions of the units in the security management device 610 and the encryption and decryption device 620 respectively implement the methods of FIG. 1 to FIG. 3. For brevity, details are not described here again. It should also be understood that, for the sake of brevity, FIG. 9 shows three encryption and decryption devices, which is merely an example of a specific embodiment; the number of encryption and decryption devices in the system for data transmission according to the embodiment may be decided according to the specific situation and is not limited by the example of FIG. 9.
  • The system of the embodiment has the security management device determine the encryption and decryption algorithm and key for encrypting and decrypting data in the security domain, and encrypts and decrypts the data with them, thereby ensuring data transmission security while reducing the pressure of key negotiation.
  • The disclosed systems, devices and methods may be implemented in other ways.
  • The device embodiments described above are merely illustrative.
  • The division into units is only a division by logical function.
  • There may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or of another form.
  • The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of the embodiment.
  • Each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • The functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium.
  • The technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention.
  • The foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or any other medium that can store program code.


Description

Method, Device and System for Data Transmission
Technical Field
The present invention relates to the field of communications and, more particularly, to a method, device and system for data transmission.
Background Art
With the rapid development of computer technology, networks have become an important guarantee of social development. Keeping data from being leaked is an important factor in the development of networks, and end-to-end data encryption helps prevent information from being leaked. For example, when two networks are connected through an untrusted network, link encryption can be enabled on the ingress network devices of the two networks to ensure that data is encrypted while it traverses the untrusted network; similarly, when a client accesses a server, data encryption can be performed on the client and the server to ensure that the data is not eavesdropped on when the client communicates with the server.
However, when data is transmitted between two hosts, or between a client and a server, and is encrypted and decrypted, keys must be negotiated between the hosts or between the client and the server; key negotiation and management put enormous pressure on the devices' central processing units (CPUs).
Therefore, a suitable solution is needed that reduces the pressure of key negotiation and management while ensuring the security of data transmission.
Summary of the Invention
Embodiments of the present invention provide a method, device and system for data transmission, which can ensure the security of data transmission and reduce the pressure of key negotiation.
In one aspect, a method for data transmission is provided, including: determining, according to the list of encryption and decryption devices in a security domain and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for communication within the security domain, the algorithm and key being used for data transmission between the encryption and decryption devices in the security domain; and sending encryption and decryption information to each encryption and decryption device in the security domain, the information including the algorithm and key for communication within the security domain, so that each encryption and decryption device encrypts or decrypts, according to the information, the data transmitted between it and the other encryption and decryption devices in the security domain.
In another aspect, a method for data transmission is provided, including: receiving encryption and decryption information sent by a security management device, the information including an encryption and decryption algorithm and a key for data transmission between the encryption and decryption devices in a security domain, the algorithm and key having been determined by the security management device according to the list of encryption and decryption devices in the security domain and the algorithm supported by each of them; and encrypting or decrypting, according to the information, the data transmitted between this device and the other encryption and decryption devices in the security domain.
In another aspect, a security management device is provided, including: a determining unit, configured to determine, according to the list of encryption and decryption devices in a security domain and the encryption and decryption algorithm supported by each of them, an encryption and decryption algorithm and a key for communication within the security domain, which are used for data transmission between the encryption and decryption devices in the security domain; and a sending unit, configured to send encryption and decryption information to each encryption and decryption device in the security domain, the information including the algorithm and key determined by the determining unit, so that each encryption and decryption device in the security domain encrypts or decrypts, according to the information, the data transmitted between it and the other encryption and decryption devices in the security domain.
In another aspect, an encryption and decryption device is provided, including: a receiving unit, configured to receive encryption and decryption information sent by a security management device, the information including an encryption and decryption algorithm and a key for data transmission with the other encryption and decryption devices in the security domain that contains this device, the algorithm and key having been determined by the security management device according to the list of encryption and decryption devices in the security domain and the algorithm supported by each of them; and an encryption and decryption unit, configured to encrypt or decrypt, according to the information received by the receiving unit, the data transmitted between this device and the other encryption and decryption devices in the security domain.
In another aspect, a system for data transmission is provided, including a security management device and at least two encryption and decryption devices, where the security management device is configured to determine, according to the list of encryption and decryption devices in the security domain containing the encryption and decryption devices and the algorithm supported by each of them, an encryption and decryption algorithm and a key for communication within the security domain, which are used for data transmission between the encryption and decryption devices in the security domain, and to send encryption and decryption information including the algorithm and key to each encryption and decryption device in the security domain; and the encryption and decryption device is configured to receive the encryption and decryption information sent by the security management device, the information including an algorithm and key for data transmission with the other encryption and decryption devices in the security domain, and to encrypt or decrypt, according to the information, the data transmitted between it and the other encryption and decryption devices in the security domain.
Based on the above technical solutions, the method, device and system for data transmission of the embodiments of the present invention have the security management device determine the encryption and decryption algorithm and key used for data transmission within the security domain, so that the algorithm and key are centrally negotiated and managed and the pressure of key negotiation and management is reduced.
Brief Description of the Drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for data transmission according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for data transmission according to another embodiment of the present invention.
FIG. 3 is a flowchart of a method for data transmission according to another embodiment of the present invention.
FIG. 4 is a structural block diagram of a security management device according to an embodiment of the present invention.
FIG. 5 is a structural block diagram of a security management device according to another embodiment of the present invention.
FIG. 6 is a structural block diagram of a security management device according to another embodiment of the present invention.
FIG. 7 is a structural block diagram of an encryption and decryption device according to an embodiment of the present invention.
FIG. 8 is a structural block diagram of an encryption and decryption device according to another embodiment of the present invention.
FIG. 9 is a structural block diagram of a system for data transmission according to an embodiment of the present invention.
Detailed Description of the Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that the technical solutions of the embodiments of the present invention may be applied to various communication systems, for example: the Global System of Mobile communication (GSM), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), General Packet Radio Service (GPRS), Long Term Evolution (LTE), LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), the Universal Mobile Telecommunication System (UMTS), the Internet and the data communication field.
FIG. 1 is a flowchart of a method 100 for data transmission according to an embodiment of the present invention. As shown in FIG. 1, the method 100 includes:
S110: determining, according to the list of encryption and decryption devices in a security domain and the encryption and decryption algorithm supported by each encryption and decryption device, an encryption and decryption algorithm and a key for communication within the security domain, which are used for data transmission between the encryption and decryption devices in the security domain;
S120: sending encryption and decryption information to each encryption and decryption device in the security domain, the information including the algorithm and key for communication within the security domain, so that each encryption and decryption device encrypts or decrypts, according to the information, the data transmitted between it and the other encryption and decryption devices in the security domain.
In the embodiments of the present invention, a security domain is a network, system or set of devices in which the devices trust one another, communication between the devices is secure and trusted, and security is usually managed by the same security management device, for example a virtual private network (VPN), an internal corporate communication network, or some of the devices in a VPN. The encryption and decryption devices of a security domain are the devices that perform encryption and decryption on the devices in the domain, for example several computers in the same VPN (where the computer itself performs the encryption and decryption), or the network cards configured in the computers of a company that need to communicate data (where the network card performs the encryption and decryption).
Usually the security management device holds a list of the encryption and decryption devices included in a security domain, indicating which encryption and decryption devices belong to that security domain. According to this list and the encryption and decryption algorithm supported by each device, the security management device can determine the algorithm and key used to encrypt and decrypt the data transmitted between the encryption and decryption devices in the security domain, and send encryption and decryption information including that algorithm and key to each encryption and decryption device in the domain, so that each device encrypts or decrypts the transmitted data with that algorithm and key when it exchanges data with the other encryption and decryption devices in the security domain.
Therefore, in the method for securing data transmission of the embodiment, the security management device determines the encryption and decryption algorithm and key used to encrypt and decrypt data for communication within the security domain, so that the algorithm and key for data transmission within the security domain are centrally negotiated and managed, reducing the pressure of key negotiation while ensuring the security of data transmission.
The encryption and decryption device in the embodiments may be a computer device or a network card, where a network card is a communication interface device that connects a computer, workstation, server or similar device to a network, and may also be a network adapter or another device with a similar function. When the encryption and decryption device is a network card, having the network card encrypt and decrypt the data further avoids the enormous pressure that encrypting and decrypting data on the computer device would place on the CPU.
Preferably, before determining the algorithm and key, the security management device can obtain the algorithm supported by each encryption and decryption device in the security domain by receiving the supported algorithms sent by each device; specifically, each encryption and decryption device holds a list of the algorithms it supports and sends the relevant information to the security management device. Alternatively, the security management device can obtain the algorithm supported by each encryption and decryption device by directly configuring the algorithms each device in the security domain supports.
In the embodiments, the security management device can configure the list of encryption and decryption devices in the security domain. Specifically, the list of encryption and decryption devices in the security domain may be configured directly, stating which encryption and decryption devices a given security domain contains; the encryption and decryption devices may be identified by their Internet Protocol (IP) address, Media Access Control (MAC) address, device identifier and so on, as shown in Table 1.
Table 1
Figure imgf000007_0001
Alternatively, the conditions for an encryption and decryption device to belong to a security domain may be set in advance, such as an IP address range or the virtual local area network (VLAN) it belongs to, and the security domain's device list is then configured according to those conditions; for example, the condition for security domain group 1 is set to the IP address range 10.1.80.*, and the encryption and decryption devices in the network whose IP addresses match that range are configured into the device list. Configuring the list of encryption and decryption devices in the security domain makes it possible to specify more flexibly which devices can have the algorithm and key for data transmission within the security domain centrally negotiated and managed by the security management device, which effectively reduces the pressure of key negotiation.
Specifically, in the embodiments, according to the list of encryption and decryption devices in the security domain and the algorithm supported by each of them, the security management device can select the same encryption and decryption algorithm and key for communication within the security domain for every encryption and decryption device in the domain, the algorithm being one supported by all encryption and decryption devices in the security domain.
More specifically, after obtaining the algorithms supported by each encryption and decryption device in the security domain, when several common algorithms satisfy the selection requirements, the security management device can choose which algorithm to use for encryption at random or according to a specified priority, for example as decided by a policy configured on the security management device. For the key, a random number is generally chosen as the key, or a key is generated from a random number.
Therefore, in the method for securing data transmission of the embodiment, the security management device determines the encryption and decryption algorithm and key used to encrypt and decrypt data for communication within the security domain and uniformly selects the same algorithm and key for all encryption and decryption devices in the domain; while ensuring the security of data transmission between the encryption and decryption devices in the security domain, the algorithm and key are centrally negotiated and managed, reducing the pressure of key negotiation.
Further, the encryption and decryption devices in the security domain may also be configured with a data transmission permission, that is, whether they may communicate with other devices outside the security domain. Preferably, this is configured on the security management device: the data transmission permission of the encryption and decryption devices in the security domain is configured there, and may be set to whether data can be transmitted with devices outside the security domain, as shown in Table 2.
Table 2
Figure imgf000008_0001
Preferably, when each encryption and decryption device in the security domain can transmit data only with the other encryption and decryption devices in that domain, then after the security management device assigns the same algorithm and key to every device in the domain, it may send each device only the algorithm and key used to encrypt and decrypt data; when a device receives data or needs to send data, it can encrypt or decrypt the transmitted data with that algorithm and key. If, however, the encryption and decryption devices in the security domain can also transmit data with devices outside the domain in addition to the other devices in the domain, the security management device must also send each encryption and decryption device in the domain the device identifier information of the other encryption and decryption devices in the domain, so that when each device encrypts or decrypts data transmitted with the other devices in the domain, it can use the received device identifiers to determine the corresponding algorithm and key and encrypt or decrypt correctly.
In the embodiments, when the data transmission permission of the encryption and decryption devices in the security domain allows data transmission with devices outside the domain, the encryption and decryption information sent by the security management device to each device in the domain further includes a device identifier, used by the encryption and decryption device to determine the other devices in the security domain to which the algorithm and key for communication within the domain apply, where the device identifier includes at least one of: the Internet Protocol (IP) addresses of the other encryption and decryption devices in the security domain, their Media Access Control (MAC) addresses, their identifiers (IDs), the ID of the virtual local area network (VLAN) that includes the security domain, and the feature information of packets. When the encryption and decryption information includes the VLAN ID but not the IP addresses, MAC addresses or IDs of the other encryption and decryption devices, the VLAN includes only the encryption and decryption devices in the security domain.
That is, in the embodiments of the present invention, the other encryption and decryption devices in the security domain can be identified by the IP address, MAC address, ID, VLAN ID or packet feature information of the encryption and decryption devices; in other words, the algorithm and key are determined according to the IP address, MAC address, ID, VLAN ID, packet feature information and so on of the encryption and decryption devices.
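The security-management-device side of the procedure described above (domain membership from a condition, common-algorithm selection, random key, and encryption information that carries peer identifiers only when the domain's data transmission permission allows traffic outside the domain) as an added example; this is constructed illustration code, not the patent's own implementation. Device names, addresses, algorithm lists, the priority policy and the key lengths are assumptions, and the page's range 10.1.80.* is written as the CIDR prefix 10.1.80.0/24.

```python
"""Added example, not the patent's own code: the security-management-device
side of the scheme. It configures a security domain from an IP-range
condition, collects the algorithms each member reports, selects the common
algorithm by a configured priority, derives a random key and a version
identifier, and builds the per-device encryption information, including
peer identifiers only when the domain may also talk to outside devices.
Device names, addresses and algorithm lists are constructed sample data."""
import ipaddress
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed inventory: device name -> (IP address, algorithms it supports).
# On the page this list is either reported by each device or configured
# statically on the security management device.
DEVICES: Dict[str, Tuple[str, List[str]]] = {
    "nic1": ("10.1.80.11", ["AES-256-GCM", "AES-128-CBC", "3DES"]),
    "nic2": ("10.1.80.12", ["AES-128-CBC", "3DES"]),
    "nic3": ("10.1.80.13", ["3DES", "AES-128-CBC"]),
    "nic9": ("10.1.90.5", ["AES-256-GCM"]),  # outside the range: not a member
}
# Constructed selection policy: most preferred algorithm first.
ALGORITHM_PRIORITY = ["AES-256-GCM", "AES-128-CBC", "3DES"]
KEY_BYTES = {"AES-256-GCM": 32, "AES-128-CBC": 16, "3DES": 24}


def build_device_list(devices: Dict[str, Tuple[str, List[str]]],
                      condition: str) -> List[str]:
    """Configure the domain's device list from a membership condition; the
    page's '10.1.80.*' is written as the CIDR prefix 10.1.80.0/24."""
    net = ipaddress.ip_network(condition, strict=False)
    return sorted(name for name, (ip, _) in devices.items()
                  if ipaddress.ip_address(ip) in net)


def choose_algorithm(devices: Dict[str, Tuple[str, List[str]]],
                     members: List[str],
                     priority: List[str]) -> Optional[str]:
    """Highest-priority algorithm supported by every member, or None when
    the members share no algorithm (the domain cannot be keyed)."""
    common: Optional[set] = None
    for name in members:
        supported = set(devices[name][1])
        common = supported if common is None else common & supported
    if not common:
        return None
    return next((algo for algo in priority if algo in common), None)


def determine_domain_suite(devices, condition: str, priority: List[str],
                           version: int) -> Tuple[List[str], dict]:
    """Return (members, suite). The key is fresh randomness of the length
    the chosen algorithm needs; the version identifier distinguishes this
    algorithm/key generation from earlier ones pushed to the same domain."""
    members = build_device_list(devices, condition)
    algo = choose_algorithm(devices, members, priority)
    if algo is None:
        raise ValueError("no encryption algorithm is supported by every member")
    suite = {"algorithm": algo, "key": secrets.token_bytes(KEY_BYTES[algo]),
             "version": version}
    return members, suite


def build_encryption_info(devices, members: List[str], suite: dict,
                          may_talk_outside: bool) -> Dict[str, dict]:
    """Encryption information to push to each member. The peer device
    identifiers (here IP addresses) are included only when the domain's
    data transmission permission allows traffic to outside devices; a
    domain that only talks to itself applies the one suite to everything."""
    per_device = {}
    for name in members:
        info = dict(suite)
        if may_talk_outside:
            info["peer_ips"] = sorted(devices[n][0] for n in members if n != name)
        per_device[name] = info
    return per_device


if __name__ == "__main__":
    members, suite = determine_domain_suite(DEVICES, "10.1.80.0/24",
                                            ALGORITHM_PRIORITY, version=1)
    for dev, info in build_encryption_info(DEVICES, members, suite, True).items():
        print(dev, info["algorithm"], info["version"], info["peer_ips"])
```

With the sample inventory the only algorithm common to nic1, nic2 and nic3 that ranks highest in the policy is AES-128-CBC (nic2 does not support AES-256-GCM), so that is what every member receives, together with one shared 16-byte key and version identifier 1; nic9 is excluded by the IP-range condition. If the members share no algorithm the function refuses to key the domain rather than silently falling back to a weaker choice.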
In the embodiments of the present invention, for example, the other encryption and decryption devices in the security domain may be determined according to a flow classification policy. The flow classification policy here is preferably implemented by configuring access control list (ACL) rules, that is, different flows are distinguished according to the feature information of packets. Various packet features can usually be configured for flow identification, such as IP, MAC, VLAN, layer-4 protocol, layer-4 port, or other content by which packets can be classified, and encryption and decryption are then performed per flow. In that case the encryption and decryption information sent to each encryption and decryption device in the security domain includes the packet feature information. Correspondingly, when each encryption and decryption device in the security domain receives from the security management device the algorithm and key for communication within the domain and the packet feature information corresponding to them, it can also set up corresponding entries; when the devices need to transmit data between one another, each device can obtain the corresponding algorithm and key from the entries it has set up and use them to encrypt and decrypt the data to be transmitted.
It should be understood that in the embodiments one encryption and decryption device may correspond to one IP address (or MAC address) or to several. When it corresponds to several IP addresses (or MAC addresses), those addresses may belong to the same security domain or to different ones; that is, the same algorithm and key may be determined for the several IP addresses, or different algorithms and keys may be determined for them. In that case the security domain configuration on the security device is also refined down to the specific IP address (or MAC address) of each encryption and decryption device in the security domain.
In the embodiments, when an encryption and decryption device corresponds to one IP address (or MAC address) and that address communicates not only with devices in the security domain but also with devices outside it, the IP addresses (or MAC addresses) of the other encryption and decryption devices in the security domain need to be sent to that device; when an encryption and decryption device corresponds to several IP addresses (or MAC addresses) belonging to different security domains, the security management device needs to send that device not only the IP addresses (or MAC addresses) of the other devices in the security domain but also the IP address (or MAC address) that the device itself uses for communication in that domain, so that the device can determine, from its own received IP address, which security domain (that is, which IP address) the received algorithm and key are used for.
For example, encryption and decryption device 1 corresponds to IP1 and IP2, device 2 to IP3 and IP4, and device 3 to IP5 and IP6. The security management device determines that IP1, IP3 and IP5 belong to one security domain and determines algorithm and key (1) for it; it determines that IP2, IP4 and IP6 belong to another security domain and determines algorithm and key (2) for it; and it determines that both security domains need to communicate outside their respective domains. Because each encryption and decryption device has two IP addresses, the encryption and decryption information the security management device sends to each device needs to include IP1, IP3 and IP5 together with algorithm and key (1), and IP2, IP4 and IP6 together with algorithm and key (2). When each device receives the algorithm and key and the corresponding IP addresses from the security management device, it can set up corresponding entries; for example, device 1 can set up the following entries:
IP1+IP3 -> algorithm and key (1)
IP1+IP5 -> algorithm and key (1)
IP2+IP4 -> algorithm and key (2)
IP2+IP6 -> algorithm and key (2)
Thus, when the encryption and decryption devices need to transmit data between one another, they can obtain the corresponding algorithm and key from the entries they have set up and use them to encrypt and decrypt the data to be transmitted.
In the embodiments, when the encryption and decryption information includes at least one of the IP address, MAC address and ID of each encryption and decryption device in the security domain, the ID of the VLAN including the security domain, and packet feature information, the following entries can be set up:
[IP address/MAC address/ID (local) + IP address/MAC address/ID (peer)] / VLAN / packet feature information -> algorithm and key
Each encryption and decryption device in the security domain can then look up the table by longest match when sending and receiving data, to obtain the corresponding algorithm and key.
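The encryption/decryption-device side, as an added example that is not the patent's own code: an entry table keyed at the levels listed just above, a most-specific-match lookup standing in for the longest-match lookup, and the version identifier carried in each packet so that the receiver picks the right algorithm/key generation (the flow the Definitions entries describe for network card 1 and network card 3 at the top of this section). The order of specificity (local+peer pair, then peer, then VLAN ID, then flow class), the wire format, the addresses and the keys are all assumptions, and the HMAC-SHA256 keystream is only a stand-in for the negotiated 3DES/AES cipher so the block runs with the standard library alone.

```python
"""Added example, not the patent's own code: NIC-side entry table,
most-specific-match lookup and per-packet version identifier.
The cipher is a stand-in (HMAC-SHA256 counter keystream, confidentiality
only, no integrity) for the negotiated algorithm; all data is constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Suite:
    algorithm: str   # name only; the cipher below is a stand-in keystream
    key: bytes
    version: int     # version identifier pushed by the security management device


class EntryTable:
    """Entries at decreasing specificity (assumed order):
    (local IP, peer IP) > peer IP > VLAN ID > packet feature (flow class)."""

    def __init__(self) -> None:
        self.by_pair: Dict[Tuple[str, str], Suite] = {}
        self.by_peer: Dict[str, Suite] = {}
        self.by_vlan: Dict[int, Suite] = {}
        self.by_flow: Dict[str, Suite] = {}
        self.by_version: Dict[int, Suite] = {}  # receive side: version -> suite

    def add(self, suite: Suite, pair=None, peer=None, vlan=None, flow=None) -> None:
        if pair is not None:
            self.by_pair[pair] = suite
        if peer is not None:
            self.by_peer[peer] = suite
        if vlan is not None:
            self.by_vlan[vlan] = suite
        if flow is not None:
            self.by_flow[flow] = suite
        self.by_version[suite.version] = suite  # old versions stay decryptable

    def lookup(self, local: str, peer: str, vlan: Optional[int] = None,
               flow: Optional[str] = None) -> Optional[Suite]:
        """Most-specific match wins; None means the peer is outside every
        security domain this NIC knows, so nothing may be encrypted for it."""
        for hit in (self.by_pair.get((local, peer)), self.by_peer.get(peer),
                    self.by_vlan.get(vlan), self.by_flow.get(flow)):
            if hit is not None:
                return hit
        return None


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for 3DES/AES: HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_packet(table: EntryTable, local: str, peer: str, plaintext: bytes,
                   vlan=None, flow=None, nonce: Optional[bytes] = None) -> bytes:
    """Sender: look up the suite for this peer, encrypt, prepend the version id."""
    suite = table.lookup(local, peer, vlan, flow)
    if suite is None:
        raise LookupError("no entry: peer is not in a security domain")
    nonce = nonce if nonce is not None else secrets.token_bytes(8)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(suite.key, nonce, len(plaintext))))
    # Assumed wire format: 4-byte version identifier, 8-byte nonce, body.
    return struct.pack(">I", suite.version) + nonce + body


def decrypt_packet(table: EntryTable, packet: bytes) -> bytes:
    """Receiver: the version identifier in the packet selects the suite."""
    version = struct.unpack(">I", packet[:4])[0]
    suite = table.by_version.get(version)
    if suite is None:
        raise LookupError(f"unknown version identifier {version}")
    nonce, body = packet[4:12], packet[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(suite.key, nonce, len(body))))


def build_sample_table() -> EntryTable:
    """Network card 1 as in the text: vNIC1 holds IP1 and IP2; IP1/IP3/IP5 form
    one domain (suite 6) and IP2/IP4/IP6 another (suite 7); a whole-VLAN domain
    and an ACL-style flow class use suite 3. Addresses are constructed."""
    ip = {n: f"10.1.80.{n}" for n in range(1, 7)}  # IP1..IP6
    s6 = Suite("3DES", secrets.token_bytes(24), 6)
    s7 = Suite("3DES", secrets.token_bytes(24), 7)
    s3 = Suite("3DES", secrets.token_bytes(24), 3)
    t = EntryTable()
    t.add(s6, pair=(ip[1], ip[3]))
    t.add(s6, pair=(ip[1], ip[5]))
    t.add(s7, pair=(ip[2], ip[4]))
    t.add(s7, pair=(ip[2], ip[6]))
    t.add(s3, vlan=100)
    t.add(s3, flow="tcp/443")
    return t
```

Because the receive side indexes suites by version identifier rather than by peer, a key rotation pushed by the security management device (a new suite with a higher version for the same pair) replaces the entry used for sending while packets still in flight under the previous version remain decryptable, which is the point of carrying the identifier in every packet. Keying the pair on the ordered (local, peer) tuple also covers the direction-specific domains described later in the text, where the suite used to send to a peer may differ from the one used to receive from it.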
It should be understood that the embodiments of the present invention can be applied in physical-machine scenarios and in virtual machine (VM) scenarios. In a VM scenario, the I/O virtualization of the encryption and decryption device can turn each encryption and decryption device into one or more virtual encryption and decryption devices, and each VM is assigned one or more of them. When a VM includes several virtual encryption and decryption devices, they may be virtualized from one encryption and decryption device or from several. For example, when the encryption and decryption device is a network card, each network card can be virtualized into one or more virtual network cards through the network card's I/O virtualization, and each VM is assigned one or more virtual network cards. A virtual network card may also be called a queue, so the ID of a virtual network card in the embodiments may be called a queue number. When the encryption and decryption device is a network card, in the VM scenario the virtual switching can be offloaded to the network card, which ensures that VM traffic passes through the network card.
In the embodiments, when the virtual encryption and decryption devices virtualized from the encryption and decryption devices in the security domain are configured so that they can transmit data with devices outside the domain, the encryption and decryption information further includes a device identifier, used to determine the virtual encryption and decryption devices of the other devices in the domain to which the algorithm and key correspond; the device identifier includes:
at least one of the IP addresses of the virtual encryption and decryption devices virtualized from the other encryption and decryption devices in the security domain, their MAC addresses, their IDs, the ID of the VLAN that includes the virtual encryption and decryption devices of every encryption and decryption device in the domain, and packet feature information. When the encryption and decryption information includes only the VLAN ID and not the IP address, MAC address or ID of the virtual devices, the VLAN includes only the virtual encryption and decryption devices virtualized from the encryption and decryption devices in the security domain.
In the embodiments, one encryption and decryption device can be virtualized into several virtual encryption and decryption devices, which may belong to the same security domain or to different ones; each virtual device may correspond to a different IP address (or MAC address), and the several IP addresses of one virtual device may belong to the same security domain or to different ones.
In the embodiments, when the security management device determines that an encryption and decryption device is virtualized into only one virtual device and that virtual device corresponds to only one IP address (or MAC address), the security management device needs to send that device only the IP addresses (or MAC addresses) of the virtual devices of the other encryption and decryption devices in the security domain that correspond to the algorithm and key; if an encryption and decryption device is virtualized into several virtual devices, or one of its virtual devices has several IP addresses (or MAC addresses), the security management device must also send it the IP address (or MAC address) of its own virtual device that corresponds to the algorithm and key.
Here the encryption and decryption device is illustrated with a network card. For example, network card 1 is virtualized into virtual network interface cards (vNICs) vNIC1 and vNIC2, network card 2 into vNIC3 and vNIC4, and network card 3 into vNIC5 and vNIC6, with vNIC1 corresponding to IP1, vNIC2 to IP2, vNIC3 to IP3, vNIC4 to IP4, vNIC5 to IP5 and vNIC6 to IP6. Suppose the security management device determines that IP1, IP2, IP3, IP4, IP5 and IP6 belong to one security domain; it can then determine algorithm and key (3) for the virtual network cards in that domain. If the virtual network cards do not communicate outside the domain, it is enough to send only the algorithm and key to each network card; if they need to communicate outside the domain, then in addition to the algorithm and key, the IP addresses of the virtual network cards of the other network cards also need to be sent to each network card, and when each network card receives the algorithm and key and the corresponding IP addresses from the security management device it can set up corresponding entries; for example, network card 1 sets up the entries:
IP3 -> algorithm and key (3)
IP4 -> algorithm and key (3)
IP5 -> algorithm and key (3)
IP6 -> algorithm and key (3)
As another example, suppose IP1, IP3 and IP5 belong to one security domain and the security management device determines algorithm and key (4) for it, and IP2, IP4 and IP6 belong to another security domain for which it determines algorithm and key (5). Although neither security domain communicates outside the domain, because the same network card is virtualized into different virtual network cards, when sending the algorithm and key to a network card the security management device must also send the IP address of that network card's own virtual network card corresponding to the security domain; after each network card receives the algorithm and key and the IP address of its own virtual network card corresponding to them, it can set up corresponding entries; for example, network card 1 sets up the entries:
IP1>算法和密钥 (4 )
IP2>算法和密钥 (5 )
再例如, 网卡 1被虚拟化成为 vNIC 1 , 网卡 2被虚拟化成为 vNIC 2, 网卡 3被虚拟化成为 vNIC 3 , 其中, vNIC 1对应的 IP地址为 IP1和 IP2, vNIC 2对应的 IP地址为 IP3和 IP4, vNIC3对应的 IP地址为 IP5和 IP6; 安 全管理设备可以确定 IP1、 P3和 IP5属于同一安全域, 并且为该安全域确定 的加解密算法和密钥为算法和密钥 (6 ), IP2、 P4和 IP6属于同一安全域, 且为该安全域确定的加解密算法和密钥为算法和密钥(7 ), 如果该两个安全 域中的 IP地址都需要与各自安全域外进行通信, 所以需要向各个网卡发送 加解密算法和密钥的同时,还需要发送算法和密钥对应的其他虚拟网卡的 IP 地址, 并且由于一个虚拟网卡对应于不同的 IP地址, 所以还需向各个网卡 发送该算法和密钥对应的本身虚拟化的虚拟网卡的 IP地址; 各个网卡接收 到安全管理设备发送的加解密算法和密钥以及加解密算法和密钥对应的 IP 地址之后, 可以建立相应的表项, 例如, 对于网卡 1而言, 建立的表项为:
ΙΡ1+ ΙΡ3->算法和密钥 (6 )
ΙΡ1+ ΙΡ5->算法和密钥 (6 )
IP2+ IP4->算法和密钥 (7 )
IP2+ IP6->算法和密钥 (7 )
从而, 各个网卡之间的虚拟网卡需要传输数据时, 各个网卡可以通过已 建立的表项获取相应的加解密算法和密钥, 并利用该加解密算法和密钥对该 需要传输的数据进行加解密。
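As an added illustration of the three tables above (not code from the patent), the following Python derives the entries a NIC builds from what the security management device sends it, and resolves the key for a flow from those entries. The selection rules are my reading of the page's examples, and the `Domain` class, `nic_entries`, `render` and `lookup` names are assumptions of this example.

```python
"""Per-NIC key-table construction for the three worked examples above.

Added illustration, not code from the patent. The two selection rules are
my reading of the page's three tables:
  * a peer-address selector is needed only when the security domain also
    exchanges data with devices outside the domain; otherwise every packet
    the NIC handles is in-domain and the key alone suffices;
  * a local-address selector is needed only when the NIC's own virtual NIC
    addresses fall into more than one security domain, i.e. the NIC holds
    more than one key and must tell them apart by its own address.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Entry = Tuple[Optional[str], Optional[str], str]   # (local, peer, key label)


@dataclass(frozen=True)
class Domain:
    key_label: str            # e.g. "algorithm and key (3)"
    members: FrozenSet[str]   # IP addresses of the virtual NICs in the domain
    talks_outside: bool       # members also send/receive outside the domain


def _ip_order(ip: str) -> Tuple[int, str]:
    """Sort 'IP10' after 'IP9'; falls back to plain string order."""
    digits = "".join(ch for ch in ip if ch.isdigit())
    return (int(digits) if digits else -1, ip)


def nic_entries(nic_ips: List[str], domains: List[Domain]) -> List[Entry]:
    """Entries a NIC whose virtual NICs own `nic_ips` builds from what the
    security management device sends it (see the three examples above)."""
    local_domains = [d for d in domains if any(ip in d.members for ip in nic_ips)]
    need_local = len(local_domains) > 1
    entries: List[Entry] = []
    for dom in local_domains:
        locals_ = sorted((ip for ip in nic_ips if ip in dom.members), key=_ip_order)
        peers = sorted((ip for ip in dom.members if ip not in nic_ips), key=_ip_order)
        local_sel = locals_ if need_local else [None]
        peer_sel = peers if dom.talks_outside else [None]
        for loc in local_sel:
            for peer in peer_sel:
                entries.append((loc, peer, dom.key_label))
    return entries


def render(entry: Entry) -> str:
    """Render an entry in the page's notation, e.g. 'IP1 + IP3 -> algorithm and key (6)'."""
    loc, peer, key = entry
    selector = " + ".join(x for x in (loc, peer) if x is not None) or "*"
    return f"{selector} -> {key}"


def lookup(entries: List[Entry], local_ip: str, peer_ip: str) -> Optional[str]:
    """Resolve the key a NIC uses for the flow local_ip -> peer_ip.

    Returns None when no entry matches: the peer is outside the domain, so
    the domain key must not be used for it (a defender would expect the NIC
    to log such a miss rather than fall back to some other key)."""
    for loc, peer, key in entries:
        if loc in (None, local_ip) and peer in (None, peer_ip):
            return key
    return None


# Constructed sample: the first worked example on the page, NIC 1 = {IP1, IP2}.
EXAMPLE_ONE = nic_entries(
    ["IP1", "IP2"],
    [Domain("algorithm and key (3)",
            frozenset({"IP1", "IP2", "IP3", "IP4", "IP5", "IP6"}), True)],
)

if __name__ == "__main__":
    for e in EXAMPLE_ONE:
        print(render(e))
```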
Therefore, in the method for securing data transmission of this embodiment, when the encryption/decryption devices in the security domain are configured to be able to transmit data with devices outside the security domain, the security management device, when sending each encryption/decryption device in the security domain the encryption/decryption information containing the intra-domain algorithm and key, further includes in that information the device identifiers of the other encryption/decryption devices in the security domain. This ensures that each encryption/decryption device can determine the algorithm and key to use when encrypting or decrypting data exchanged with the other encryption/decryption devices in the security domain.
In an embodiment of the present invention, when the encryption/decryption algorithms supported by each encryption/decryption device are statically configured on the security management device, then after one encryption/decryption device has passed authentication the security management device, when sending it the algorithm and key for encrypting and decrypting data, may send it the IP addresses of all other encryption/decryption devices in the security domain, or may send it only the IP addresses of the encryption/decryption devices that have already passed authentication and send the IP addresses of the remaining encryption/decryption devices after they pass authentication.
In an embodiment of the present invention, the security domain corresponding to one encryption/decryption algorithm and key may be delimited according to the circumstances. For example, one encryption/decryption algorithm and key may be determined for all encryption/decryption devices or virtual encryption/decryption devices of a given office or company. As another example, the security management device may, according to the encryption/decryption devices included in a VLAN, configure all encryption/decryption devices or virtual encryption/decryption devices in that VLAN as belonging to the same security domain, and send the VLAN ID together with the algorithm and key to all encryption/decryption devices in the VLAN or to the encryption/decryption devices corresponding to all virtual encryption/decryption devices in it.
It should be understood that the security domain for which an encryption/decryption algorithm and key are determined may be delimited not only by encryption/decryption device, by the virtual encryption/decryption devices virtualized from encryption/decryption devices, or by VLAN, but also on other grounds. For example, the security management device may be configured so that a security domain corresponds only to specific data formats sent by certain encryption/decryption devices, as determined by the particular circumstances (such as packet feature information). The embodiments of the present invention are not limited in this respect.
In an embodiment of the present invention, the security-domain settings on the security management device may also be configured to delimit domains by the source IP address (or MAC address) and the destination IP address (or MAC address) of the data. For example, when the sender's IP address is IP1 and the receiver's is IP2, one security domain is determined, and when the sender's IP address is IP2 and the receiver's is IP1, another security domain is determined. In other words, when two IP addresses exchange information with each other, the algorithm and key that one of them uses to encrypt data sent to the other may differ from the algorithm and key it uses to decrypt data received from the other. It should be understood that IP1 and IP2 are only one example; each of IP1 and IP2 may correspond to a single IP address or to multiple IP addresses, and the embodiments of the present invention are not limited in this respect. That is, the security management device may be configured from the start with a list of all encryption/decryption devices the security domain contains; or it may be configured only with the conditions for belonging to the security domain, such as membership of the same VLAN, sending a specific packet format (such as packet feature information), or an IP-address (or MAC-address) range, after which the encryption/decryption devices satisfying those conditions are added to the security domain's list of encryption/decryption devices, preferably when an encryption/decryption device first joins the network and undergoes authentication.
Further, in an embodiment of the present invention, to ensure data security the security management device may continually update the encryption/decryption algorithm and key. For example, it may replace the algorithm and key periodically, with a shorter replacement period the more encryption/decryption devices correspond to a given algorithm and key; it may also, when replacing the algorithm and key, update the encryption/decryption devices or virtual encryption/decryption devices corresponding to them. The embodiments of the present invention are not limited in this respect. It should be understood that the encryption/decryption algorithm and key determined in S110 may be an updated algorithm and key, or the algorithm and key first determined after the encryption/decryption devices are determined to have passed authentication.
In an embodiment of the present invention, after obtaining the updated algorithm and key from the security management device, each encryption/decryption device may record the new algorithm and key and, when it needs to transmit data to other encryption/decryption devices, start using the new algorithm and key to encrypt the data to be transmitted.
Because an encryption/decryption device, after receiving a new algorithm and key, may still receive data that other encryption/decryption devices encrypted with the old algorithm and key, decrypting that data with the new algorithm and key would fail. To ensure that data can be decrypted correctly while the algorithm and key are being switched, the encryption/decryption device must retain both the old and the new algorithm and key.
In an embodiment of the present invention, before the encryption/decryption information is sent to each encryption/decryption device in the security domain in S120, method 100 may further include:
determining a version identifier (ID) corresponding to the intra-domain encryption/decryption algorithm and key;
the encryption/decryption information sent to each encryption/decryption device in the security domain in S120 may then further include the version identifier corresponding to the intra-domain algorithm and key; each encryption/decryption device carries this version identifier when transmitting data to the other encryption/decryption devices in the security domain, so that those devices can decrypt the data with the intra-domain algorithm and key corresponding to the version identifier. That is, when determining the algorithm and key, the security management device may determine a version identifier corresponding to them and include, in the encryption/decryption information sent to each encryption/decryption device, both the algorithm and key and their version identifier. On receiving this information, each encryption/decryption device stores the algorithm and key together with the corresponding version identifier.
Furthermore, when any encryption/decryption device in the security domain sends data to the other encryption/decryption devices in the domain, it encrypts the data with the algorithm and key and carries, in the packet that conveys the encrypted data, the version identifier corresponding to that algorithm and key; on receiving from another encryption/decryption device in the domain a packet carrying the version identifier corresponding to the algorithm and key, it obtains the algorithm and key from that version identifier and uses them to decrypt the encrypted data carried in the packet.
The following example again takes a NIC as the encryption/decryption device. Suppose vNIC1 virtualized from NIC 1, vNIC2 virtualized from NIC 2 and vNIC3 virtualized from NIC 3 have IP addresses IP1, IP2 and IP3 respectively, that the three virtual NICs belong to the same security domain, and that they need to communicate outside the security domain. The security management device sends NIC 1, NIC 2 and NIC 3 encryption/decryption information including the algorithm and key (suppose the algorithm is 3DES and the key is key), the new version identifier corresponding to them, and the IP addresses corresponding to them (IP1, IP2 and IP3). After receiving this information, NIC 1, NIC 2 and NIC 3 can each build table entries. If each of NIC 1, NIC 2 and NIC 3 is virtualized into only one virtual NIC, NIC 1 can build the following entries:
IP2 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP3 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
NIC 2 can build the following entries:
IP1 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP3 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
NIC 3 can build the following entries:
IP1 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP2 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
If NIC 1, NIC 2 and NIC 3 are each virtualized into more than one virtual NIC, NIC 1 can build the following entries:
IP1 (local) + IP2 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP1 (local) + IP3 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
and NIC 2 can build the following entries:
IP2 (local) + IP1 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP2 (local) + IP3 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
and NIC 3 can build the following entries:
IP3 (local) + IP1 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
IP3 (local) + IP2 (peer) -> new 3DES + new Key + new version ID + old 3DES + old Key + old version ID
Suppose vNIC1 needs to send data to vNIC2. It can obtain the algorithm and key (3DES and Key) from the entries above, encrypt the data to be sent with them, and add the new version identifier to the packet carrying the encrypted data; vNIC1 then sends the processed packet to vNIC2. When NIC 2 receives the packet from NIC 1, it can obtain from the packet the IP address IP1 of vNIC1 (and the IP address IP2 of vNIC2), determine the table entry from IP1 (and IP2), obtain from that entry the algorithm and key selected by the new version identifier, and thus decrypt the data with that algorithm and key.
Therefore, in this embodiment of the present invention, the security management device carries, in the encryption/decryption information sent to the encryption/decryption devices, the version identifier corresponding to the algorithm and key, and each encryption/decryption device adds to the packet carrying encrypted data the version identifier of the algorithm and key used to encrypt it. The other encryption/decryption devices receiving the packet can thereby use the version identifier carried in it to determine the correct algorithm and key and decrypt the data. This ensures that the data is decrypted correctly, makes it possible to refresh the algorithm and key periodically, and so further secures data transmission within the security domain, with the negotiation and management of algorithms and keys performed centrally by the security management device.
In an embodiment of the present invention, before the encryption/decryption algorithm and key are determined in S120 from the algorithms supported by each encryption/decryption device in the security domain, the method further includes:
performing authentication with each encryption/decryption device in the security domain separately via a security management protocol, and determining that the authentication with each encryption/decryption device in the security domain has passed.
That is, it is ensured that every encryption/decryption device in the security domain has passed authentication and is secure and trusted. The security management device then sends the encryption/decryption information containing the algorithm and key only to encryption/decryption devices that have already passed authentication, securing communication within the security domain.
The security management protocol may be the Secure Sockets Layer (SSL) protocol, the Internet Protocol Security (IPSEC) protocol or the Key Security (Key Sec) protocol, or another security management protocol.
In an embodiment of the present invention, the security management device authenticates every encryption/decryption device, ensuring that all encryption/decryption devices in the security domain are secure and trusted.
Therefore, in the method for securing data transmission of this embodiment, the security management device determines the algorithm and key used to encrypt and decrypt data within the security domain, which secures data transmission while centralizing key negotiation and management and reducing the burden of key negotiation.
The method for securing data transmission according to the embodiments of the present invention has been described above from the side of the security management device; it is described below from the side of the encryption/decryption device (any encryption/decryption device in the security domain described above).
Figure 2 is a flowchart of a data transmission security method 200 according to an embodiment of the present invention. As shown in Figure 2, method 200 includes:
S210: receiving encryption/decryption information sent by the security management device, the information including an encryption/decryption algorithm and key for data transmission between the encryption/decryption devices in the security domain, where the algorithm and key are determined by the security management device from the list of encryption/decryption devices in the security domain and the algorithms supported by each encryption/decryption device;
S220: encrypting or decrypting, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain.
After receiving from the security management device the encryption/decryption information including the algorithm and key, any encryption/decryption device in the security domain can use that algorithm and key to encrypt or decrypt data when transmitting data with the other encryption/decryption devices in the security domain.
Therefore, in the data transmission security method of this embodiment, the encryption/decryption device receives the algorithm and key that the security management device has determined for encrypting and decrypting data within the security domain, determined from the algorithms supported by each encryption/decryption device in the domain, and uses them to encrypt or decrypt data transmitted with the other encryption/decryption devices in the domain. This secures data transmission while centralizing the negotiation and management of the intra-domain algorithm and key and reducing the burden of key negotiation.
In an embodiment of the present invention, the security management device may allocate the same encryption/decryption algorithm and key to every encryption/decryption device in the security domain for encrypting and decrypting data transmitted between them, the algorithm being one supported by all encryption/decryption devices in the security domain.
The algorithms supported by each encryption/decryption device may be configured by the security management device. When the security management device has not been configured with the algorithms supported by each encryption/decryption device, then in this embodiment, before the encryption/decryption information including the algorithm and key is received from the security management device in S210, method 200 may further include:
sending the supported encryption/decryption algorithms to the security management device.
In an embodiment of the present invention, preferably, the security management device is configured with the list of encryption/decryption devices the security domain contains and with the data transmission permission information of the encryption/decryption devices in the security domain. When the data transmission permission of the encryption/decryption devices in the security domain is configured to allow data transmission with devices outside the security domain, the encryption/decryption information received by the encryption/decryption device further includes a device identifier, used to determine the other encryption/decryption devices in the security domain to which the intra-domain algorithm and key correspond; the device identifier includes:
at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information. When the encryption/decryption information includes the VLAN ID but not the IP addresses, MAC addresses or IDs of the other encryption/decryption devices, this indicates that the VLAN includes only the encryption/decryption devices in the security domain.
It should be understood that the embodiments of the present invention may be applied in a physical-machine scenario or in a virtual machine scenario. In the VM scenario, the input/output virtualization technology of the encryption/decryption device may be used to virtualize each encryption/decryption device into one or more virtual encryption/decryption devices, and one or more virtual encryption/decryption devices are allocated to each VM. When one VM corresponds to multiple virtual encryption/decryption devices, those devices may be virtualized from a single encryption/decryption device or from several encryption/decryption devices.
In an embodiment of the present invention, when the virtual encryption/decryption devices virtualized from the encryption/decryption devices in the security domain are configured to be able to transmit data outside the security domain, the encryption/decryption information further includes a device identifier, used to determine the virtual encryption/decryption devices, virtualized from the other encryption/decryption devices in the security domain, to which the encryption/decryption algorithm and key correspond; the device identifier includes:
at least one of: the IP address of a virtual encryption/decryption device virtualized from another encryption/decryption device in the security domain, the MAC address of such a virtual encryption/decryption device, the ID of such a virtual encryption/decryption device, the ID of the VLAN that includes the virtual encryption/decryption devices virtualized from every encryption/decryption device in the security domain, and packet feature information. When the encryption/decryption information includes only the VLAN ID and not the IP address, MAC address or ID of the virtual encryption/decryption devices, the VLAN includes only the virtual encryption/decryption devices virtualized from the encryption/decryption devices in the security domain.
In an embodiment of the present invention, the encryption/decryption information received from the security management device in S210 includes the encryption/decryption algorithm and key for data transmission with the other encryption/decryption devices in the security domain, determined by the security management device from the list of encryption/decryption devices in the security domain and the algorithms supported by each encryption/decryption device, and may further include:
a version identifier corresponding to the intra-domain encryption/decryption algorithm and key.
That is, to ensure data security the security management device may continually update the algorithm and key used to encrypt and decrypt data and, when sending the algorithm and key, also send the version identifier corresponding to them.
Thus, on receiving the encryption/decryption information, the encryption/decryption device can store the algorithm and key together with the version identifier corresponding to them.
In an embodiment of the present invention, when the encryption/decryption information includes the version identifier corresponding to the algorithm and key, encrypting or decrypting in S220, according to the algorithm and key, the data transmitted with the other encryption/decryption devices in the security domain may include:
on receiving from another encryption/decryption device in the security domain a packet carrying the version identifier corresponding to the intra-domain algorithm and key, obtaining the intra-domain algorithm and key from the version identifier and decrypting with them the encrypted data carried in the packet sent by that encryption/decryption device;
when sending data to another encryption/decryption device in the security domain, encrypting the data with the intra-domain algorithm and key and carrying, in the packet conveying the encrypted data, the version identifier corresponding to the intra-domain algorithm and key.
Therefore, in this embodiment of the present invention, by adding to the packet carrying the data the version identifier of the algorithm and key used to encrypt it, the encryption/decryption device enables the other encryption/decryption devices receiving the packet to determine the correct algorithm and key from the version identifier carried in the packet and decrypt the data. This ensures that the data is decrypted correctly, makes periodic refreshing of the algorithm and key possible, and thus further secures data transmission within the security domain.
In an embodiment of the present invention, before the encryption/decryption information including the algorithm and key is received from the security management device in S210, method 200 may further include:
performing authentication with the security management device via a security management protocol and passing that authentication.
The security management protocol may be the SSL protocol, the IPSEC protocol or the Key Security protocol, or another security management protocol.
This ensures that all encryption/decryption devices in the security domain are secure and trusted, increasing the security of communication within the security domain.
Likewise, the encryption/decryption device in the embodiments of the present invention may be a computer device or a NIC; when it is a NIC, encrypting and decrypting data on the NIC further avoids the heavy load that encrypting and decrypting data on the computer device would place on the CPU.
Therefore, in the method for securing data transmission of this embodiment, the security management device determines the algorithm and key used to encrypt and decrypt data within the security domain, determined from the algorithms supported by each encryption/decryption device in the domain, and the encryption/decryption device uses that algorithm and key to encrypt or decrypt data transmitted with the other encryption/decryption devices in the domain. This secures data transmission while centralizing key negotiation and management and reducing the burden of key negotiation.
To make the present invention easier to understand, a method 300 for securing data transmission according to an embodiment of the present invention is described below with reference to Figure 3, taking as an example the virtual machine scenario with a NIC as the encryption/decryption device.
Figure 3 is a flowchart of a method 300 for securing data transmission according to an embodiment of the present invention. It is assumed below that NIC 1, NIC 2 and NIC 3 have each completed mutual authentication with the security management device, which may be done via the SSL protocol and the IPSEC protocol. It is further assumed that NIC 1 is virtualized into vNIC1 and vNIC2, NIC 2 into vNIC3, and NIC 3 into vNIC4; that vNIC1, vNIC2, vNIC3 and vNIC4 have IP addresses IP1, IP2, IP3 and IP4 respectively; and that vNIC1, vNIC2, vNIC3 and vNIC4 correspond to VM1, VM2, VM3 and VM4 respectively.
S301: NIC 1 sends the security management device the encryption/decryption algorithms supported by NIC 1.
S302: NIC 2 sends the security management device the encryption/decryption algorithms supported by NIC 2.
S303: NIC 3 sends the security management device the encryption/decryption algorithms supported by NIC 3.
S304: From the algorithms supported by NIC 1, NIC 2 and NIC 3, the security management device determines the encryption/decryption algorithm and key for the data transmitted among vNIC1, vNIC3 and vNIC4, where vNIC1, vNIC3 and vNIC4 belong to the same security domain and each virtual NIC needs to communicate outside the security domain; for example, the selected algorithm is 3DES and the key is denoted key. The security management device also determines the IP address of each virtual NIC.
S305: The security management device sends NIC 1 encryption/decryption information including the determined algorithm and key and the IP addresses of vNIC3 and vNIC4; because NIC 1 is virtualized into two virtual NICs, the information must also include the IP address of vNIC1. The information may also include a version identifier corresponding to the algorithm and key, for example version identifier 2.
S306: After receiving the encryption/decryption information from the security management device, NIC 1 can build the following entries:
IP1 + IP3 -> 3DES + Key + version ID
IP1 + IP4 -> 3DES + Key + version ID
S307: The security management device sends NIC 2 encryption/decryption information including the determined algorithm and key, the IP addresses of vNIC1 and vNIC4, and the version identifier corresponding to the algorithm and key.
S308: After receiving the encryption/decryption information from the security management device, NIC 2, being virtualized into only one virtual NIC, can build the following entries:
IP1 -> 3DES + Key + version ID
IP4 -> 3DES + Key + version ID
S309: The security management device sends NIC 3 the determined algorithm and key, the IP addresses of vNIC1 and vNIC3, and the version identifier corresponding to the algorithm and key.
S310: After receiving the encryption/decryption information from the security management device, NIC 3, being virtualized into only one virtual NIC, can build the following entries:
IP1 -> 3DES + Key + version ID
IP3 -> 3DES + Key + version ID
S311: VM1, corresponding to vNIC1, needs to send data to VM3, corresponding to vNIC4. NIC 1 looks up the entry IP1 + IP4 -> 3DES + Key + version ID, obtains the algorithm and key corresponding to version identifier 2, encrypts the data with that algorithm and key, and adds the version identifier to the packet carrying the data; the packet may be encapsulated with SSL or with IPSEC. The encapsulated packet may be:
[Figure: format of the encapsulated packet (image not reproduced)]
S312: NIC 1 sends the encapsulated packet to NIC 3.
S313: After receiving the packet from NIC 1 and performing switching and forwarding, NIC 3 learns that the final egress is vNIC4; from the IP address of vNIC1 it obtains the entry IP1 -> 3DES + Key + version ID, obtains the algorithm and key by the version identifier carried in the packet, and can thus decrypt the data with that algorithm and key and deliver it to VM3.
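As an added illustration of the version-identifier handling in S305 to S313 above and of the old/new key tables shown earlier for the three-NIC example (this is not the patent's code), the following Python keeps the newest and the previous key per (local, peer) pair, stamps the version ID in the packet header on send, and selects the key by that ID on receipt, dropping packets whose version is unknown or whose integrity check fails. The `Nic` class, `rotation_demo` and the packet header layout are assumptions of this example, and the cipher is a standard-library stand-in for the 3DES named on the page.

```python
"""Versioned key table and key rotation for the exchange in method 300.

Added illustration, not the patent's code. The cipher is a stand-in built
from the standard library (HMAC-SHA256 keystream plus an HMAC tag) so that
the packets are real bytes; the page's example names 3DES. What the example
shows is the table logic: newest and previous key per (local, peer) pair,
the version ID in the header, and key selection by that ID on receipt.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

HEADER = struct.Struct(">8s8sI12s")   # src IP label, dst IP label, version ID, nonce


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def _encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    return hmac.new(key, header + body, hashlib.sha256).digest()[:16]


class Nic:
    """An encryption NIC: key table keyed by (local IP, peer IP), then version ID."""

    def __init__(self) -> None:
        self.keys: Dict[Tuple[str, str], Dict[int, bytes]] = {}
        self.current: Dict[Tuple[str, str], int] = {}

    def receive_key_info(self, local_ip: str, peer_ips, version: int, key: bytes) -> None:
        """S305/S307/S309: store (key, version) for each peer and keep the
        previous version too, so packets still in flight under it decrypt."""
        for peer in peer_ips:
            slot = self.keys.setdefault((local_ip, peer), {})
            slot[version] = key
            self.current[(local_ip, peer)] = version
            for stale in sorted(slot)[:-2]:       # new + old only, as on the page
                del slot[stale]

    def send(self, local_ip: str, peer_ip: str, data: bytes) -> bytes:
        """S311: encrypt with the current key and carry its version ID in the header."""
        version = self.current[(local_ip, peer_ip)]
        key = self.keys[(local_ip, peer_ip)][version]
        nonce = os.urandom(12)
        header = HEADER.pack(local_ip.encode(), peer_ip.encode(), version, nonce)
        body = _encrypt(key, nonce, data)
        return header + body + _tag(key, header, body)

    def receive(self, packet: bytes) -> Optional[bytes]:
        """S313: pick the key by (dst, src) and the version ID in the packet.
        Returns None (drop) for an unknown flow, a version no longer held,
        or a failed integrity check."""
        if len(packet) < HEADER.size + 16:
            return None
        header, body, tag = packet[:HEADER.size], packet[HEADER.size:-16], packet[-16:]
        src, dst, version, nonce = HEADER.unpack(header)
        local_ip, peer_ip = dst.rstrip(b"\0").decode(), src.rstrip(b"\0").decode()
        key = self.keys.get((local_ip, peer_ip), {}).get(version)
        if key is None:
            return None
        if not hmac.compare_digest(tag, _tag(key, header, body)):
            return None
        return _encrypt(key, nonce, body)


def rotation_demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Constructed run of the page's scenario: vNIC1 (IP1, on NIC 1) talks to
    vNIC4 (IP4, on NIC 3) across a key change from version 2 to version 3."""
    nic1, nic3 = Nic(), Nic()
    key_v2, key_v3 = os.urandom(32), os.urandom(32)
    nic1.receive_key_info("IP1", ["IP3", "IP4"], 2, key_v2)   # S305
    nic3.receive_key_info("IP4", ["IP1", "IP3"], 2, key_v2)   # S309
    old_packet = nic1.send("IP1", "IP4", b"hello under version 2")
    nic1.receive_key_info("IP1", ["IP3", "IP4"], 3, key_v3)   # periodic refresh
    nic3.receive_key_info("IP4", ["IP1", "IP3"], 3, key_v3)
    new_packet = nic1.send("IP1", "IP4", b"hello under version 3")
    got_old = nic3.receive(old_packet)          # still decrypts: old key retained
    got_new = nic3.receive(new_packet)
    corrupt = bytearray(new_packet)
    corrupt[-1] ^= 0x01
    got_bad = nic3.receive(bytes(corrupt))      # integrity failure -> None
    return got_old, got_new, got_bad


if __name__ == "__main__":
    print(rotation_demo())
```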
It should be understood that the method shown in Figure 3 is only one embodiment of the present invention. For example, the security management device may determine the ID of a VLAN that includes only vNIC1, vNIC2, vNIC3 and vNIC4 and send that VLAN ID to each NIC along with the algorithm and key; each NIC can then build an entry keyed by the VLAN ID and, when it determines that data is to be transmitted to a virtual NIC included in that VLAN, encrypt or decrypt the data with the algorithm and key corresponding to the VLAN ID.
It should also be understood that in the various embodiments of the present invention the numbering of the processes above does not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic and does not limit the implementation of the embodiments of the present invention.
Therefore, in the method for securing data transmission of this embodiment, the encryption/decryption device receives the algorithm and key that the security management device has determined for encrypting and decrypting data within the security domain and uses them to encrypt or decrypt data transmitted with the other encryption/decryption devices in the domain, which secures data transmission while centralizing key negotiation and management and reducing the burden of key negotiation.
The method for securing data transmission according to the embodiments of the present invention has been described above with reference to Figures 1 to 3; the security management device and the encryption/decryption device according to the embodiments of the present invention are described below with reference to Figures 4 to 8.
Figure 4 is a block diagram of a security management device according to an embodiment of the present invention. As shown in Figure 4, security management device 400 includes:
a determining unit 410, configured to determine, from the list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each encryption/decryption device, the intra-domain encryption/decryption algorithm and key, which are used for data transmission between the encryption/decryption devices in the security domain;
a sending unit 420, configured to send each encryption/decryption device in the security domain encryption/decryption information including the intra-domain algorithm and key determined by the determining unit 410, for each encryption/decryption device in the security domain to encrypt or decrypt, according to that information, the data transmitted with the other encryption/decryption devices in the security domain.
Therefore, the security management device of this embodiment determines, through the determining unit, the algorithm and key used to encrypt and decrypt data within the security domain, which secures data transmission while centralizing key negotiation and management and reducing the burden of key negotiation.
Optionally, the determining unit 410 is specifically configured to select, for every encryption/decryption device in the security domain, the same intra-domain algorithm and key, the algorithm being one supported by all encryption/decryption devices in the security domain.
Optionally, as shown in Figures 5 and 6, in addition to the determining unit 410 and the sending unit 420, security management device 400 further includes:
a first configuration unit 430, configured to configure the list of encryption/decryption devices the security domain contains.
Optionally, as shown in Figure 5, security management device 400 further includes a receiving unit 440, configured to receive from each encryption/decryption device in the security domain the algorithms it supports and pass them to the determining unit 410;
or, as shown in Figure 6, in addition to the determining unit 410, the sending unit 420 and the first configuration unit 430, security management device 400 further includes a second configuration unit 450, configured to configure the algorithms supported by each encryption/decryption device in the security domain, in which case the determining unit 410 is further configured to obtain the algorithms from the second configuration unit 450. Optionally, as shown in Figures 5 and 6, security management device 400 further includes: a third configuration unit 460, configured to configure the data transmission permission of the encryption/decryption devices in the security domain, the permission being whether data may be transmitted with devices outside the security domain.
Optionally, the sending unit 420 is further configured to obtain from the third configuration unit 460 the data transmission permission of the encryption/decryption devices in the security domain; when that permission allows data transmission with devices outside the security domain, the encryption/decryption information sent by the sending unit 420 further includes a device identifier, from which the encryption/decryption device determines the other encryption/decryption devices in the security domain to which the intra-domain algorithm and key apply; the device identifier includes:
at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information. When the encryption/decryption information includes the VLAN ID but not the IP addresses, MAC addresses or IDs of the other encryption/decryption devices, the VLAN includes only the encryption/decryption devices in the security domain.
Optionally, the determining unit 410 of security management device 400 is further configured to determine a version identifier corresponding to the intra-domain algorithm and key; the encryption/decryption information sent by the sending unit 420 then further includes the version identifier determined by the determining unit 410, which each encryption/decryption device carries when transmitting data to the other encryption/decryption devices in the security domain so that those devices can decrypt the data with the intra-domain algorithm and key corresponding to the version identifier.
Optionally, the encryption/decryption device is a computer device.
Optionally, the encryption/decryption device is a NIC.
In an embodiment of the present invention, when the encryption/decryption device is a NIC, encrypting and decrypting data on the NIC further avoids the heavy load that encrypting and decrypting data on the computer device would place on the CPU.
It should be understood that although security management device 400 in Figure 5 contains the receiving unit 440, the first configuration unit 430 and the third configuration unit 460, all three are optional units: security management device 400 may include only the receiving unit 440, only the first configuration unit 430 or only the third configuration unit 460; it may also include all of the receiving unit 440, the first configuration unit 430 and the third configuration unit 460, or any two of them. Likewise, although security management device 400 in Figure 6 contains the first configuration unit 430, the second configuration unit 450 and the third configuration unit 460, all three are optional units: it may include only the first configuration unit 430, only the second configuration unit 450 or only the third configuration unit 460; it may also include all of the first configuration unit 430, the second configuration unit 450 and the third configuration unit 460, or any two of them. It should also be understood that although the receiving unit 440 and the second configuration unit 450 appear in different figures, the security management device may have both; in that case a priority may be set between the two units, so that in some circumstances the algorithms received by the receiving unit 440 take priority and in others the algorithms configured by the second configuration unit 450 take priority, as the particular circumstances require. The embodiments of the present invention are not limited in this respect.
Therefore, the security management device of this embodiment determines the algorithm and key used to encrypt and decrypt data within the security domain, which secures data transmission while centralizing key negotiation and management and reducing the burden of key negotiation. Security management device 400 according to this embodiment may correspond to the security management device in methods 100 to 300 for securing data transmission, and the above and other operations and/or functions of the units in security management device 400 implement the corresponding flows of methods 100 to 300 in Figures 1 to 3; for brevity they are not repeated here.
The security management device according to the embodiments of the present invention has been described above with reference to Figures 4 to 6; the encryption/decryption device according to the embodiments of the present invention is described below with reference to Figures 7 and 8.
Figure 7 is a block diagram of an encryption/decryption device according to an embodiment of the present invention. As shown in Figure 7, encryption/decryption device 500 includes:
a receiving unit 510, configured to receive encryption/decryption information sent by the security management device, the information including an encryption/decryption algorithm and key for data transmission with the other encryption/decryption devices in the security domain, determined by the security management device from the algorithms supported by each encryption/decryption device in the security domain;
an encryption/decryption unit 520, configured to encrypt or decrypt, according to the encryption/decryption information received by the receiving unit 510, the data transmitted with the other encryption/decryption devices in the security domain.
Therefore, the encryption/decryption device of this embodiment encrypts and decrypts data with the algorithm and key that the security management device has determined for the encryption/decryption devices in the security domain, which secures data transmission while the security management device centrally negotiates and manages keys, avoiding the burden of key negotiation between nodes. Optionally, as shown in Figure 8, the encryption/decryption device further includes:
a sending unit 530, configured to send the supported encryption/decryption algorithms to the security management device.
Optionally, when the data transmission permission of the encryption/decryption devices in the security domain containing this encryption/decryption device allows data transmission with devices outside the security domain, the encryption/decryption information received by the receiving unit 510 further includes a device identifier, which includes:
at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information;
in which case the encryption/decryption unit 520 is configured to determine, from the device identifier included in the encryption/decryption information received by the receiving unit 510, the other encryption/decryption devices in the security domain to which the intra-domain algorithm and key included in that information apply, and to encrypt or decrypt with that algorithm and key the data transmitted with those other encryption/decryption devices.
Optionally, the encryption/decryption information received by the receiving unit 510 further includes:
a version identifier corresponding to the intra-domain encryption/decryption algorithm and key;
in which case the encryption/decryption unit 520 is specifically configured to:
obtain the intra-domain algorithm and key from the version identifier included in the encryption/decryption information received by the receiving unit 510, and decrypt the encrypted data in the packet with that algorithm and key;
or encrypt the data with the intra-domain algorithm and key included in the encryption/decryption information received by the receiving unit 510, and carry, in the packet conveying the encrypted data sent to the other encryption/decryption devices in the security domain, the version identifier corresponding to the intra-domain algorithm and key.
Optionally, encryption/decryption device 500 is a computer device.
Optionally, encryption/decryption device 500 is a NIC.
In an embodiment of the present invention, when the encryption/decryption device is a NIC, encrypting and decrypting data on the NIC further avoids the heavy load that encrypting and decrypting data on the computer device would place on the CPU.
Encryption/decryption device 500 according to this embodiment may correspond to the encryption/decryption device in methods 100 to 300 for securing data transmission, and the above and other operations and/or functions of the units in encryption/decryption device 500 implement the corresponding flows of methods 100 to 300 in Figures 1 to 3; for brevity they are not repeated here.
Therefore, the encryption/decryption device of this embodiment encrypts and decrypts data with the algorithm and key that the security management device has determined for encrypting and decrypting data within the security domain, which secures data transmission while the security management device centrally negotiates and manages keys, avoiding the burden of key negotiation between nodes.
Figure 9 is a block diagram of a data transmission system according to an embodiment of the present invention. As shown in Figure 9, system 600 includes a security management device 610 and at least two encryption/decryption devices 620. The security management device 610 is configured to determine, from the list of encryption/decryption devices in the security domain containing the encryption/decryption devices 620 and the algorithms supported by each encryption/decryption device 620, the intra-domain encryption/decryption algorithm and key, which are used for data transmission between the encryption/decryption devices 620, and to send each encryption/decryption device 620 in the security domain encryption/decryption information including that algorithm and key;
the encryption/decryption device 620 is configured to receive the encryption/decryption information sent by the security management device 610, the information including the algorithm and key for data transmission with the other encryption/decryption devices 620 in the security domain, and to encrypt or decrypt, according to that information, the data transmitted with the other encryption/decryption devices 620 in the security domain.
Optionally, the security management device 610 determining the intra-domain algorithm and key includes:
the security management device 610 being configured to select, for every encryption/decryption device 620 in the security domain, the same intra-domain algorithm and key, the algorithm being one supported by all encryption/decryption devices 620 in the security domain.
Optionally, the security management device 610 is further configured to configure the list of encryption/decryption devices of the security domain. Optionally, before the security management device 610 determines the intra-domain algorithm and key, the encryption/decryption device 620 is further configured to send the security management device 610 the algorithms it supports, or the security management device 610 is further configured to configure the algorithms supported by each encryption/decryption device 620 in the security domain.
Optionally, the security management device 610 is further configured to configure the data transmission permission of the encryption/decryption devices in the security domain, the permission being whether data may be transmitted with devices outside the security domain.
When the data transmission permission of the encryption/decryption devices 620 in the security domain allows data transmission with devices outside the security domain, the encryption/decryption information that the security management device 610 sends to the encryption/decryption device further includes a device identifier, used by the encryption/decryption device 620 to determine the other encryption/decryption devices in the security domain to which the algorithm and key apply, and including at least one of: the IP addresses of the other encryption/decryption devices 620 in the security domain, the MAC addresses of the other encryption/decryption devices 620 in the security domain, the IDs of the other encryption/decryption devices 620 in the security domain, the ID of the VLAN that includes the security domain, and packet feature information.
Optionally, before sending the encryption/decryption information to each encryption/decryption device, the security management device 610 is further configured to determine a version identifier corresponding to the intra-domain algorithm and key, in which case the encryption/decryption information sent to the encryption/decryption device 620 further includes that version identifier;
the encryption/decryption device 620 is further configured to carry the version identifier when transmitting data to the other encryption/decryption devices 620 in the security domain, so that those devices can decrypt the data with the algorithm and key corresponding to the version identifier.
Optionally, the encryption/decryption device 620 is a computer device or a NIC. It should be understood that the security management device 610 may correspond to the security management device 400 of the apparatus embodiments of the present invention and the encryption/decryption device 620 to the encryption/decryption device 500 of those embodiments, and that the above and other operations and/or functions of the units in the security management device 610 and the encryption/decryption devices 620 implement the corresponding flows of methods 100 to 300 in Figures 1 to 3; for brevity they are not repeated here. It should also be understood that, for brevity, Figure 9 shows three encryption/decryption devices only as one specific example; the number of encryption/decryption devices in the data transmission system of the embodiments of the present invention depends on the particular circumstances and is not limited by the example in Figure 9.
Therefore, the system for securing data transmission of this embodiment encrypts and decrypts data with the algorithm and key that the security management device has determined for encrypting and decrypting data within the security domain, which secures data transmission while the security management device centrally negotiates and manages keys, avoiding the burden of key negotiation between nodes.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
When the functions are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or part of that technical solution, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is only a specific implementation of the present invention, but the scope of protection of the present invention is not limited to it; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be governed by the scope of protection of the claims.

Claims

1. A method for data transmission, characterized by comprising:
determining, from a list of encryption/decryption devices in a security domain and the encryption/decryption algorithms supported by each of the encryption/decryption devices, an intra-domain encryption/decryption algorithm and key, the intra-domain encryption/decryption algorithm and key being used for data transmission between the encryption/decryption devices in the security domain;
sending each encryption/decryption device in the security domain encryption/decryption information, the encryption/decryption information including the intra-domain encryption/decryption algorithm and key, for each encryption/decryption device to encrypt or decrypt, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain.
2. The method according to claim 1, characterized in that determining the intra-domain encryption/decryption algorithm and key comprises:
selecting, for every encryption/decryption device in the security domain, the same intra-domain encryption/decryption algorithm and key, the encryption/decryption algorithm being one supported by all encryption/decryption devices in the security domain.
3. The method according to claim 1 or 2, characterized in that, before determining the intra-domain encryption/decryption algorithm and key from the list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each of the encryption/decryption devices, the method further comprises:
configuring the list of encryption/decryption devices of the security domain.
4. The method according to any one of claims 1 to 3, characterized in that, before determining the intra-domain encryption/decryption algorithm and key from the list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each of the encryption/decryption devices, the method further comprises:
receiving from each encryption/decryption device in the security domain the encryption/decryption algorithms it supports; or
configuring the encryption/decryption algorithms supported by each encryption/decryption device in the security domain.
5. The method according to any one of claims 1 to 4, characterized in that, before determining the intra-domain encryption/decryption algorithm and key from the list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each of the encryption/decryption devices, the method further comprises:
configuring the data transmission permission of the encryption/decryption devices in the security domain, the data transmission permission being whether data may be transmitted with devices outside the security domain;
then, when the data transmission permission of the encryption/decryption devices in the security domain allows data transmission with devices outside the security domain, the encryption/decryption information further includes a device identifier, from which the encryption/decryption device determines the other encryption/decryption devices in the security domain to which the intra-domain encryption/decryption algorithm and key apply, the device identifier including at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information.
6. The method according to any one of claims 1 to 5, characterized in that, before sending the encryption/decryption information to each encryption/decryption device, the method further comprises:
determining a version identifier corresponding to the intra-domain encryption/decryption algorithm and key; the encryption/decryption information then further includes the version identifier corresponding to the intra-domain encryption/decryption algorithm and key, the version identifier being carried by each encryption/decryption device when transmitting data to the other encryption/decryption devices in the security domain, so that the other encryption/decryption devices in the security domain decrypt the data with the intra-domain encryption/decryption algorithm and key corresponding to the version identifier.
7. The method according to any one of claims 1 to 6, characterized in that the encryption/decryption device is a computer device or a network interface card.
8. A method for data transmission, characterized by comprising:
receiving encryption/decryption information sent by a security management device, the encryption/decryption information including an encryption/decryption algorithm and key for data transmission between the encryption/decryption devices in a security domain, the encryption/decryption algorithm and key being determined by the security management device from a list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each encryption/decryption device;
encrypting or decrypting, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain.
9. The method according to claim 8, characterized in that the security management device selects the same encryption/decryption algorithm and key for every encryption/decryption device in the security domain, the encryption/decryption algorithm being one supported by all encryption/decryption devices in the security domain.
10. The method according to claim 8 or 9, characterized in that, before receiving the encryption/decryption information sent by the security management device, the method further comprises:
sending the supported encryption/decryption algorithms to the security management device.
11. The method according to any one of claims 8 to 10, characterized in that the data transmission permission of the encryption/decryption devices in the security domain is configured on the security management device, the data transmission permission being whether data may be transmitted with devices outside the security domain; then, when the data transmission permission of the encryption/decryption devices in the security domain allows data transmission with devices outside the security domain, the encryption/decryption information further includes a device identifier, used to determine the other encryption/decryption devices in the security domain to which the intra-domain encryption/decryption algorithm and key apply, the device identifier including at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information.
12. The method according to any one of claims 8 to 11, characterized in that the encryption/decryption information further includes:
a version identifier corresponding to the intra-domain encryption/decryption algorithm and key;
then, encrypting or decrypting, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain comprises:
on receiving from another encryption/decryption device in the security domain a packet carrying the version identifier corresponding to the intra-domain encryption/decryption algorithm and key, obtaining the intra-domain encryption/decryption algorithm and key from the version identifier, and decrypting the encrypted data in the packet with the intra-domain encryption/decryption algorithm and key;
when sending the data to another encryption/decryption device in the security domain, encrypting the data with the intra-domain encryption/decryption algorithm and key, and carrying, in the packet conveying the encrypted data sent to the other encryption/decryption device in the security domain, the version identifier corresponding to the intra-domain encryption/decryption algorithm and key.
13. The method according to any one of claims 8 to 12, characterized in that the encryption/decryption device is a computer device or a network interface card.
14. A security management device, characterized by comprising:
a determining unit, configured to determine, from a list of encryption/decryption devices in a security domain and the encryption/decryption algorithms supported by each encryption/decryption device, an intra-domain encryption/decryption algorithm and key, the intra-domain encryption/decryption algorithm and key being used for data transmission between the encryption/decryption devices in the security domain;
a sending unit, configured to send each encryption/decryption device in the security domain encryption/decryption information, the encryption/decryption information including the intra-domain encryption/decryption algorithm and key determined by the determining unit, for each encryption/decryption device in the security domain to encrypt or decrypt, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain.
15. The security management device according to claim 14, characterized in that the determining unit is specifically configured to:
select, for every encryption/decryption device in the security domain, the same intra-domain encryption/decryption algorithm and key, the encryption/decryption algorithm being one supported by all encryption/decryption devices in the security domain.
16. The security management device according to claim 14 or 15, characterized in that the security management device further comprises:
a first configuration unit, configured to configure the list of encryption/decryption devices.
17. The security management device according to any one of claims 14 to 16, characterized in that the security management device further comprises:
a receiving unit, configured to receive from each encryption/decryption device in the security domain the encryption/decryption algorithms it supports and pass them to the determining unit;
or,
a second configuration unit, configured to configure the encryption/decryption algorithms supported by each encryption/decryption device in the security domain, in which case the determining unit is further configured to obtain the encryption/decryption algorithms from the second configuration unit.
18. The security management device according to any one of claims 14 to 17, characterized in that the security management device further comprises:
a third configuration unit, configured to configure the data transmission permission of the encryption/decryption devices in the security domain, the data transmission permission being whether data may be transmitted with devices outside the security domain; then, the sending unit is further configured to obtain from the third configuration unit the data transmission permission of the encryption/decryption devices in the security domain, and when the data transmission permission of the encryption/decryption devices in the security domain allows data transmission with devices outside the security domain, the encryption/decryption information sent by the sending unit further includes a device identifier, from which the encryption/decryption device determines the other encryption/decryption devices in the security domain to which the intra-domain encryption/decryption algorithm and key apply, the device identifier including at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the virtual local area network that includes the security domain, and packet feature information.
19. The security management device according to any one of claims 14 to 18, characterized in that the determining unit is further configured to determine a version identifier corresponding to the intra-domain encryption/decryption algorithm and key;
the encryption/decryption information sent by the sending unit then further includes the version identifier corresponding to the intra-domain encryption/decryption algorithm and key determined by the determining unit, the version identifier being carried by each encryption/decryption device when transmitting data to the other encryption/decryption devices in the security domain, so that the other encryption/decryption devices in the security domain decrypt the data with the intra-domain encryption/decryption algorithm and key corresponding to the version identifier.
20. The security management device according to any one of claims 14 to 19, characterized in that the encryption/decryption device is a computer device or a network interface card.
21. An encryption/decryption device, characterized by comprising:
a receiving unit, configured to receive encryption/decryption information sent by a security management device, the encryption/decryption information including an encryption/decryption algorithm and key for data transmission with the other encryption/decryption devices in the security domain containing this encryption/decryption device, the encryption/decryption algorithm and key being determined by the security management device from a list of encryption/decryption devices in the security domain and the encryption/decryption algorithms supported by each encryption/decryption device;
an encryption/decryption unit, configured to encrypt or decrypt, according to the encryption/decryption information received by the receiving unit, the data transmitted with the other encryption/decryption devices in the security domain.
22. The encryption/decryption device according to claim 21, characterized in that the encryption/decryption device further comprises:
a sending unit, configured to send the supported encryption/decryption algorithms to the security management device.
23. The encryption/decryption device according to claim 21 or 22, characterized in that, when the data transmission permission of the encryption/decryption devices in the security domain containing this encryption/decryption device allows data transmission with devices outside the security domain, the encryption/decryption information received by the receiving unit further includes a device identifier, the device identifier including:
at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information;
then, the encryption/decryption unit is configured to determine, from the device identifier included in the encryption/decryption information received by the receiving unit, the other encryption/decryption devices in the security domain to which the intra-domain encryption/decryption algorithm and key included in the encryption/decryption information apply, and to encrypt or decrypt, with the encryption/decryption algorithm and key, the data transmitted with the other encryption/decryption devices in the security domain.
24. The encryption/decryption device according to any one of claims 21 to 23, characterized in that the encryption/decryption information received by the receiving unit further includes:
a version identifier corresponding to the intra-domain encryption/decryption algorithm and key;
then, the encryption/decryption unit is specifically configured to: obtain the intra-domain encryption/decryption algorithm and key from the version identifier included in the encryption/decryption information received by the receiving unit, and decrypt the encrypted data in the packet with the intra-domain encryption/decryption algorithm and key; or
encrypt the data with the intra-domain encryption/decryption algorithm and key included in the encryption/decryption information received by the receiving unit, and carry, in the packet conveying the encrypted data sent to the other encryption/decryption devices in the security domain, the version identifier corresponding to the intra-domain encryption/decryption algorithm and key.
25. The encryption/decryption device according to any one of claims 21 to 24, characterized in that the encryption/decryption device is a computer device or a network interface card.
26. A system for data transmission, characterized by comprising a security management device and at least two encryption/decryption devices, wherein:
the security management device is configured to determine, from a list of encryption/decryption devices in the security domain containing the encryption/decryption devices and the encryption/decryption algorithms supported by each encryption/decryption device, an intra-domain encryption/decryption algorithm and key, the intra-domain encryption/decryption algorithm and key being used for data transmission between the encryption/decryption devices, and to send each encryption/decryption device in the security domain encryption/decryption information, the encryption/decryption information including the encryption/decryption algorithm and key;
the encryption/decryption device is configured to receive the encryption/decryption information sent by the security management device, the encryption/decryption information including the encryption/decryption algorithm and key for data transmission with the other encryption/decryption devices in the security domain, and to encrypt or decrypt, according to the encryption/decryption information, the data transmitted with the other encryption/decryption devices in the security domain.
27. The system for data transmission according to claim 26, characterized in that the security management device determining the intra-domain encryption/decryption algorithm and key comprises:
the security management device being configured to select, for every encryption/decryption device in the security domain, the same intra-domain encryption/decryption algorithm and key, the encryption/decryption algorithm being one supported by all encryption/decryption devices in the security domain.
28. The system for data transmission according to claim 26 or 27, characterized in that the security management device is further configured to configure the list of encryption/decryption devices of the security domain.
29. The system for data transmission according to any one of claims 26 to 28, characterized in that, before the security management device determines the intra-domain encryption/decryption algorithm and key, the encryption/decryption device is further configured to send the security management device the encryption/decryption algorithms it supports, or the security management device is further configured to configure the encryption/decryption algorithms supported by each encryption/decryption device in the security domain.
30. The system for data transmission according to any one of claims 26 to 29, characterized in that the security management device is further configured to configure the data transmission permission of the encryption/decryption devices in the security domain, the data transmission permission being whether data may be transmitted with devices outside the security domain;
then, when the data transmission permission of the encryption/decryption devices in the security domain allows data transmission with devices outside the security domain, the encryption/decryption information that the security management device sends to the encryption/decryption device further includes a device identifier, used by the encryption/decryption device to determine the other encryption/decryption devices in the security domain to which the encryption/decryption algorithm and key apply, the device identifier including at least one of: the IP addresses of the other encryption/decryption devices in the security domain, the MAC addresses of the other encryption/decryption devices in the security domain, the IDs of the other encryption/decryption devices in the security domain, the ID of the VLAN that includes the security domain, and packet feature information.
31. The system for data transmission according to any one of claims 26 to 30, characterized in that:
before sending the encryption/decryption information to each encryption/decryption device, the security management device is further configured to determine a version identifier corresponding to the intra-domain encryption/decryption algorithm and key, in which case the encryption/decryption information sent to the encryption/decryption device further includes the version identifier corresponding to the intra-domain encryption/decryption algorithm and key;
the encryption/decryption device is further configured to carry the version identifier when transmitting data to the other encryption/decryption devices in the security domain, so that the other encryption/decryption devices in the security domain decrypt the data with the encryption/decryption algorithm and key corresponding to the version identifier.
32. The system for data transmission according to any one of claims 26 to 31, characterized in that the encryption/decryption device is a computer device or a network interface card.
PCT/CN2012/076069, priority date 2012-05-29, filing date 2012-05-29: Method, device and system for data transmission, WO2012126432A2 (zh)

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
CN2012800004853A CN102907040A (zh) | 2012-05-29 | 2012-05-29 | Method, device and system for data transmission
PCT/CN2012/076069 WO2012126432A2 (zh) | 2012-05-29 | 2012-05-29 | Method, device and system for data transmission

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
PCT/CN2012/076069 WO2012126432A2 (zh) | 2012-05-29 | 2012-05-29 | Method, device and system for data transmission

Publications (2)

Publication Number | Publication Date
WO2012126432A2 (zh) | 2012-09-27
WO2012126432A3 (zh) | 2013-05-02
