WO2019137268A1 - Data transmission method and device, network apparatus, and storage medium - Google Patents


Info

Publication number
WO2019137268A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
data packet
sent
received data
received
Prior art date
Application number
PCT/CN2018/125840
Other languages
French (fr)
Chinese (zh)
Inventor
齐旻鹏
刘福文
杨波
Original Assignee
中国移动通信有限公司研究院 (China Mobile Communication Co., Ltd. Research Institute)
中国移动通信集团有限公司 (China Mobile Communications Group Co., Ltd.)
Application filed by 中国移动通信有限公司研究院 and 中国移动通信集团有限公司; published as WO2019137268A1.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms for message authentication (H04L 9/32) involving digital signatures
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information: the source of the received data

Definitions

  • the present disclosure relates to the field of network security technologies, and in particular, to a data transmission method, apparatus, network device, and storage medium.
  • IPsec (Internet Protocol Security) connections between network elements (NEs) inside a network domain may be applied optionally, according to the actual deployment.
  • Where two carrier networks are not directly connected there is a security risk: when a non-adjacent carrier network attempts to transmit data, the intermediate networks through which the data passes are not protected, and the information may be tampered with.
  • embodiments of the present disclosure provide a data transmission method, apparatus, network device, and storage medium.
  • An embodiment of the present disclosure provides a data transmission method applied to a network device of an intermediate network, including: receiving a data packet sent by a first network, where the received data packet is a packet sent by the source network that can reach the target network through at least one intermediate network, the first network is the source network of the received packet or one of the intermediate networks, and the received packet has been signed by a border device of the first network; performing transmission-related processing on the content of the received packet based on information of the target network; generating a packet to be sent based on the received packet and the processed packet; signing the packet to be sent; and sending the signed packet to the next-hop network.
  • Generating the packet to be sent takes one of two forms: packaging the received packet, its signature and the processed packet together; or comparing the received packet with the processed packet to obtain comparison information and packaging the processed packet, the comparison information and the signature of the received packet.
  • Before the transmission-related processing, the signature of the received packet is verified; the packet is processed according to the target network information only if the signature verifies.
  • An embodiment further provides a data transmission method applied to a network device of the target network, including: receiving a data packet sent by a second network, where the received packet was sent by the source network and reached the target network through at least one intermediate network, the second network is the last-hop network before the target network, and the received packet has been signed by at least one border device in each network it traversed; and, starting from the second network, verifying the signatures in the received packet in sequence until the source network is verified.
  • Where the transmission path passes through N networks (N an integer greater than or equal to 2) and the second network is the Nth network of the path, the sequential verification takes one of two forms. In the first, the packet sent by the (N-1)th network and its signature are obtained from the received packet and the correspondence between them is verified, and so on until the correspondence between the packet sent by the source network and its signature is verified. In the second, comparison information and the signature corresponding to the (N-1)th network are obtained from the received packet, the comparison information characterising the difference between the packet sent by the (N-1)th network and the packet obtained after the Nth network processed it based on the target network information; the packet sent by the (N-1)th network is reconstructed from the comparison information and its correspondence with the signature is verified, and so on until the source network is verified.
  • An embodiment further provides a data transmission apparatus, including: a first receiving unit configured to receive a data packet sent by the first network, where the received packet is a packet sent by the source network that can reach the target network through at least one intermediate network, the first network is the source network of the received packet or one of the intermediate networks, and the received packet has been signed by a border device of the first network; a first processing unit configured to perform transmission-related processing on the content of the received packet based on information of the target network, generate a packet to be sent based on the received packet and the processed packet, and sign the packet to be sent; and a sending unit configured to send the signed packet to the next-hop network.
  • An embodiment further provides a data transmission apparatus, including: a second receiving unit configured to receive a data packet sent by the second network, where the received packet was sent by the source network and reached the target network through at least one intermediate network, the second network is the last-hop network before the target network, and the received packet has been signed by at least one border device in each network it traversed; and a second processing unit configured to verify, starting from the second network, the signatures in the received packet in sequence until the source network is verified.
  • An embodiment further provides a network device, including: a first communication interface configured to receive a data packet sent by the first network, where the received packet is a packet sent by the source network that can reach the target network through at least one intermediate network, the first network is the source network of the received packet or one of the intermediate networks, and the received packet has been signed by a border device of the first network; and a first processor configured to perform transmission-related processing on the content of the received packet based on information of the target network, generate a packet to be sent based on the received packet and the processed packet, and sign the packet to be sent. The first communication interface is further configured to send the signed packet to the next-hop network.
  • The first processor is further configured to verify the signature of the received packet and to process the received packet according to the target network information only if the signature verifies.
  • An embodiment further provides a network device, including: a second communication interface configured to receive a data packet sent by the second network, where the received packet was sent by the source network and reached the target network through at least one intermediate network, the second network is the last-hop network before the target network, and the received packet has been signed by at least one border device in each network it traversed; and a second processor configured to verify, starting from the second network, the signatures in the received packet in sequence until the source network is verified.
  • Where the transmission path passes through N networks (N an integer greater than or equal to 2) and the second network is the Nth network of the path, the second processor is configured either to obtain from the received packet the packet sent by the (N-1)th network and the corresponding signature, verify the correspondence between them, and so on until the correspondence between the packet sent by the source network and its signature is verified; or to obtain from the received packet the comparison information and the signature corresponding to the (N-1)th network, where the comparison information characterises the difference between the packet sent by the (N-1)th network and the packet obtained after the Nth network processed its content based on the target network information, reconstruct the packet sent by the (N-1)th network using the comparison information, verify the correspondence between that packet and its signature, and so on until the correspondence between the packet sent by the source network and its signature is verified.
  • An embodiment of the present disclosure also provides a network device, including: a first processor and a first memory configured to store a computer program executable on the processor,
  • the first processor is configured to perform the steps of any method on the network device side of the intermediate network when the computer program is run.
  • Embodiments of the present disclosure also provide a network device, including: a second processor and a second memory configured to store a computer program executable on the processor,
  • the second processor is configured to perform the step of any method on the network device side of the target network when the computer program is run.
  • An embodiment further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of any of the methods on the intermediate-network device side or any of the methods on the target-network device side.
  • In the solution provided by the embodiments, the source network signs the packet to be sent and sends it to the intermediate network; the intermediate network performs transmission-related processing on the content of the received packet based on the target network information, generates a packet to be sent based on the received packet and the processed packet, signs it, and sends the signed packet to the next-hop network; the target network receives the packet and verifies the signatures in it in sequence, starting from the previous network, until the source network is verified. Because the packet carries a signature corresponding to each network it traversed, each of those networks can be verified from its signature, so the packet is protected hop by hop across the whole path.
  • FIG. 1 is a schematic diagram of a connection relationship between two networks in the related art
  • FIG. 2 is a schematic diagram of a connection relationship between multiple networks in an embodiment of the present disclosure
  • FIG. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flow chart of another data transmission method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic flowchart of a third data transmission method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic flowchart of a data transmission process according to an application embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another data transmission apparatus according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of a network device according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another network device according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a data transmission system according to an embodiment of the present disclosure.
  • In the related art, network security between operators adopts IP network domain security (NDS/IP, the network domain security mechanism for IP-based control planes specified in 3GPP TS 33.210). The method divides the communication network into security domains and places a security gateway (SEG) at the border of each domain.
  • As shown in FIG. 1, IPsec is applied between the border gateways of two domains: a security gateway is placed at each border (SEG A and SEG B) and an IPsec connection is established between them. Inside a domain, IPsec between network elements can optionally be applied according to the actual deployment.
  • On the one hand this protection method is well adapted to the realistic scenario of centralised deployment by communication network operators, and on the other hand it can flexibly provide protection between network domains, thereby securing two adjacent domains.
  • End-to-end security, however, cannot meet the requirements of the communication network, because when a data packet passes through an intermediate network that network needs to modify part of the packet, such as the source and destination addresses, in order to route it. Under end-to-end protection the intermediate network cannot modify the packet, the packet is not forwarded normally, and communication is interrupted.
  • In the scenario of FIG. 2, multiple networks are interconnected: communication between any two networks is either direct or transits other networks, and some pairs of networks have no direct connection. The border devices in each network are able to sign data packets, that is, to apply integrity protection to a packet and provide a signature on behalf of their network; interconnected networks whose border devices sign packets in this way trust one another's signatures.
  • the embodiment of the present disclosure provides a data transmission method, which is applied to a network device of an intermediate network. As shown in FIG. 3, the method includes:
  • Step 301 Receive a data packet sent by the first network.
  • the received data packet is a data packet transmitted by the source network and capable of reaching the target network through at least one intermediate network.
  • the received data packet is a data packet signed by a border device in the first network.
  • the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network.
  • Step 302 Perform a transmission related process on the content of the received data packet based on the information of the target network.
  • the transmission related processing may include modifying a source address, a target address, and the like in the data packet to perform routing.
  • Before step 302 the intermediate network verifies (checks) the signature of the received data packet. If the signature verifies, the received packet is processed according to the information of the target network; if it does not, an error message is returned to the first network and the received packet is neither processed nor forwarded based on the target network information.
  • Step 303 Generate a to-be-sent data packet based on the received data packet and the processed data packet.
  • This can be done in one of two ways, selected according to need. In the first, the received data packet, its signature and the processed data packet are packaged directly to obtain the packet to be sent. In the second, the network device first compares the received packet with the processed packet to obtain the difference between them (for example the changed source and destination addresses), which is the comparison information, and then packages the processed packet, the comparison information and the signature of the received packet to obtain the packet to be sent.
  • Step 304 Sign the data packet to be sent
  • The signature algorithm may be RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, Ong-Schnorr-Shamir, DSS/DSA, the elliptic curve digital signature algorithm (ECDSA) or a finite automaton digital signature algorithm; the embodiment does not limit this. In practice the choice matters: the Ong-Schnorr-Shamir scheme was broken shortly after it was proposed, and whichever scheme is used the signature must be computed over a collision-resistant hash of exactly the bytes the next hop will verify, so every hop must canonicalise the packet identically before signing or verifying.
  • Step 305 Send the signed data packet to the next hop network.
  • the next hop network may be determined according to information of the target network, which is an intermediate network or the target network.
  • Each signature allows the network that produced it to be verified downstream.
  • the embodiment of the present disclosure further provides a data transmission method, which is applied to a network device of a target network, as shown in FIG. 4, the method includes:
  • Step 401 Receive a data packet sent by the second network.
  • The received data packet is a packet sent by the source network that reached the target network through at least one intermediate network; it has been signed by at least one border device in each network it traversed.
  • The transmission path of the received packet passes through N networks, N being an integer greater than or equal to 2: counting the source network as the first network, the packet reaches the target network after traversing the N networks, so the N networks comprise the source network and the at least one intermediate network.
  • The second network is the last-hop network before the target network.
  • Step 402 Starting from the second network, verify the signatures in the received data packet in sequence until the source network is verified.
  • With the second network as the Nth network of the path, the verification process depends on how the packets to be sent were generated. When the received packet, its signature and the processed packet were packaged together at each hop, the target obtains from the received packet the packet sent by the (N-1)th network and its signature, verifies the correspondence between them, and so on until the correspondence between the packet sent by the source network and its signature is verified. When comparison information was used, the target obtains from the received packet the comparison information and the signature corresponding to the (N-1)th network, where the comparison information characterises the difference between the packet sent by the (N-1)th network and the packet obtained after the Nth network processed its content based on the target network information; it reconstructs the packet sent by the (N-1)th network using the comparison information, verifies the correspondence between that packet and its signature, and so on until the source network is verified.
  • a process in which a data packet is transmitted from a source network to a target network includes:
  • Step 501 The network device in the source network signs the to-be-sent data packet and sends the data packet to the intermediate network.
  • Step 502 The network device of the intermediate network performs transmission-related processing on the content of the received data packet based on the information of the target network.
  • Step 503 The network device of the intermediate network generates a to-be-sent data packet based on the received data packet and the processed data packet, signs the data packet to be sent, and sends the signed data packet to the next hop network.
  • When the path crosses multiple intermediate networks, the network device of each intermediate network performs steps 502-503 in turn after receiving the packet, until the packet reaches the target network.
  • Step 504 The target network receives the data packet, starts with the previous network of itself, and sequentially verifies the signature in the received data packet until the source network is verified.
  • The source network is the initial network of a data packet, that is, the network that first sends it; correspondingly, the target network is the final network of the packet, that is, the network at which it finally arrives.
  • In summary, the source network signs the data packet to be sent and sends it to the intermediate network; the intermediate network performs transmission-related processing on the content of the received packet based on the information of the target network, generates a new packet to be sent, signs it and forwards it; and the target network verifies the chain of signatures back to the source.
  • the process of data transmission in this application embodiment, as shown in FIG. 6, includes the following steps:
  • Step 601 Any network element in the source network sends a data packet m, and the data packet m is not protected.
  • Step 602 When the data packet reaches the boundary of the source network, the data packet is signed sig(m) by the boundary network element, and sent to the intermediate network.
  • the packet is a signed packet [m, sig(m)].
  • Step 603 After the signed data packet [m, sig(m)] reaches the directly connected intermediate network, the intermediate network verifies the signature of the data packet; if the signature verifies, step 604 is continued, otherwise the packet is rejected and not forwarded.
  • Step 604 After receiving the data packet, the intermediate network may modify its content (the modified packet is denoted m') and forwards it based on the information of the target network to the next network, which may be another intermediate network or the target network.
  • Step 605 When the packet reaches the border of the intermediate network, the border network element generates the packet M to be sent, signs it to obtain sig(M), and sends [M, sig(M)].
  • If the receiving network is again an intermediate network, it treats the signed data [M, sig(M)] as its incoming [m, sig(m)] and performs steps 603 to 605 in turn.
  • the border network element (such as a border gateway, etc.) needs to generate a data packet to be sent and perform signature.
  • Step 606 After receiving the data packet, the target network verifies the correctness of the signatures in turn, starting from the previous network, until the source network is verified.
  • The target network first verifies that sig(M) corresponds to M, the packet sent by the previous network. Denoting the previous network as the nth network, the packet it received as M_{n-1} and the packet as modified by it as m_n (in the first packaging variant M therefore carries M_{n-1}, sig(M_{n-1}) and m_n), the target then verifies the correspondence between M_{n-1} and sig(M_{n-1}), then between M_{n-2} and sig(M_{n-2}), and so on back along the path until the source network is verified, that is, until m is verified against sig(m).
  • The solution provided by the embodiments is a new method of protecting data transfer across untrusted domains, in which the data packet is protected hop by hop between network domains. As a result, the target network can verify the original information of the data packet, and the target network can determine on which network a change to the packet occurred.
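The following Python model is added here as an illustration and is not code from the patent or its applicant. It walks a packet through steps 601-606 with both packaging variants of step 303 (nest=True carries the received packet itself, the default carries only the comparison information) and shows what the target learns in each case. Everything in it is assumed for the example: the network names S, A, B and T, the header fields src, dst, ttl and payload that a hop rewrites, the JSON canonical encoding, and the use of HMAC-SHA256 with a per-network key as a stand-in for the public-key signature (RSA, ECDSA, ...) a border device would actually use.

```python
"""Hop-by-hop signed forwarding across untrusted intermediate networks.

Added illustration of steps 601-606 above; not the applicant's code.
Signatures are an HMAC-SHA256 stand-in with one key per network (registry
below) so the example runs on the standard library alone; a deployment uses
a public-key signature such as RSA or ECDSA so any border device can verify
without holding the signer's private key.
"""
import hashlib
import hmac
import json

# Constructed key registry for the border devices of source S and hops A, B.
KEYS = {"S": b"border-key-S", "A": b"border-key-A", "B": b"border-key-B"}

def canon(body: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(net: str, body: dict) -> str:
    return hmac.new(KEYS[net], canon(body), hashlib.sha256).hexdigest()

def verify(net: str, body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(net, body), sig)

def rewrite(m: dict, target: str) -> dict:
    """Step 302/604: transmission-related processing.  Only routing fields
    change (hypothetical header names); the payload is untouched."""
    return {**m, "src": f"gw.{target}", "ttl": m["ttl"] - 1}

def comparison_info(received: dict, processed: dict) -> dict:
    """Step 303, second variant: what is needed to rebuild `received` from
    `processed` (old values of changed or removed fields, added fields)."""
    return {"restore": {k: v for k, v in received.items()
                        if k not in processed or processed[k] != v},
            "drop": [k for k in processed if k not in received]}

def undo(processed: dict, cmp: dict) -> dict:
    m = {k: v for k, v in processed.items() if k not in cmp["drop"]}
    m.update(cmp["restore"])
    return m

def source_send(net: str, m: dict) -> dict:
    """Steps 601-602: the source border device signs the unprotected packet."""
    body = {"m": m, "hops": []}
    return {"net": net, "body": body, "sig": sign(net, body)}

def intermediate_forward(net, pkt, target, nest=False) -> dict:
    """Steps 603-605.  The previous hop's signature is checked first; a packet
    that fails is refused instead of being processed and forwarded."""
    if not verify(pkt["net"], pkt["body"], pkt["sig"]):
        raise ValueError(f"signature of {pkt['net']} failed; not forwarding")
    received, processed = pkt["body"]["m"], rewrite(pkt["body"]["m"], target)
    hop = {"net": pkt["net"], "sig": pkt["sig"]}
    if nest:  # first variant: carry the received packet itself
        hop["m"] = received
    else:     # second variant: carry only the comparison information
        hop["cmp"] = comparison_info(received, processed)
    body = {"m": processed, "hops": pkt["body"]["hops"] + [hop]}
    return {"net": net, "body": body, "sig": sign(net, body)}

def target_verify(pkt: dict) -> dict:
    """Step 606: verify the last hop, then walk back one hop at a time until the
    source's signature is checked, recording what each hop changed.  When a
    signature fails, the hop that presented the mismatching data is the suspect."""
    net, body, sig, path, changes = pkt["net"], pkt["body"], pkt["sig"], [], []
    while True:
        if not verify(net, body, sig):
            return {"ok": False, "failed_sig": net, "verified": path,
                    "suspect": path[-1] if path else None}
        path.append(net)
        if not body["hops"]:  # nothing earlier: this was the source
            return {"ok": True, "verified": path, "original": body["m"], "changes": changes}
        hop = body["hops"][-1]
        prev_m = hop["m"] if "m" in hop else undo(body["m"], hop["cmp"])
        changes.append((net, sorted(k for k in prev_m.keys() | body["m"].keys()
                                    if prev_m.get(k) != body["m"].get(k))))
        net, sig, body = hop["net"], hop["sig"], {"m": prev_m, "hops": body["hops"][:-1]}

def run(scenario="honest", nest=False) -> dict:
    """Path S -> A -> B -> target T.  'link': altered in transit between A and
    B; 'hop': B alters the payload and signs it as if A had sent it that way."""
    m = {"src": "ue.S", "dst": "ue.T", "ttl": 64, "payload": "hello"}
    p = intermediate_forward("A", source_send("S", m), "T", nest)
    if scenario == "link":
        p["body"]["m"]["payload"] = "hell0"
    try:
        p = intermediate_forward("B", p, "T", nest)
    except ValueError:
        return {"ok": False, "dropped_by": "B"}
    if scenario == "hop":
        p["body"]["m"]["payload"] = "hell0"  # undeclared change made by B
        p["sig"] = sign("B", p["body"])
    return target_verify(p)
```

run("honest") returns the verified path ["B", "A", "S"], the original packet and the fields each hop changed; run("link") shows B refusing a packet altered between A and B (step 603); run("hop") shows a hop that alters the payload without declaring it. With comparison information the chain breaks at A's signature and B, the last hop that verified, is the suspect; with nesting the chain verifies all the way back, and the undeclared change shows up instead when the target compares B's nested copy of what it received with what B forwarded. Either way the target must walk every hop: stopping at the first valid signature would accept whatever the last hop chose to forward. Two practical points follow from the code: the nested variant grows the packet by one full copy per hop, which is what the comparison information avoids; and signer and verifier must hash byte-identical serialisations, so the canonical encoding is part of the protocol, not an implementation detail.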
  • the embodiment of the present disclosure further provides a data transmission device, which is disposed in the network device of the intermediate network. As shown in FIG. 7, the device includes:
  • the first receiving unit 71 is configured to receive a data packet sent by the first network; the received data packet is a data packet that is sent by the source network and can reach the target network through the at least one intermediate network; the first network is the receiving a source network corresponding to the data packet or an intermediate network of the at least one intermediate network; the received data packet is a data packet signed by a border device in the first network;
  • the first processing unit 72 is configured to: perform transmission related processing on the content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; Send a packet for signature;
  • the sending unit 73 is configured to send the signed data packet to the next hop network.
  • The first processing unit 72 is further configured to verify (check) the signature of the received data packet. If the signature verifies, the received data packet is processed according to the information of the target network; if it does not, the first processing unit 72 returns an error message to the first network and does not perform transmission-related processing on the received data packet based on the information of the target network.
  • the first receiving unit 71 and the transmitting unit 73 may be implemented by a communication interface in a data transmission device; the first processing unit 72 may be implemented by a processor in the data transmission device.
  • the embodiment of the present disclosure further provides a data transmission device, which is disposed in a network device of the target network, as shown in FIG.
  • the second receiving unit 81 is configured to receive a data packet sent by the second network; the received data packet is a data packet sent by the source network and reaches the target network through the at least one intermediate network; the second network is the target network a last hop network; the received data packet is a data packet signed by at least a border device in each network;
  • the second processing unit 82 is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • The transmission path of the received packet passes through N networks, N being an integer greater than or equal to 2, the N networks comprising the source network and the at least one intermediate network, and the second network being the Nth network of the path. Depending on how the packets to be sent were generated, the second processing unit 82 is specifically configured either to obtain from the received packet the packet sent by the (N-1)th network and its signature, verify the correspondence between them, and so on until the correspondence between the packet sent by the source network and its signature is verified; or to obtain from the received packet the comparison information and the signature corresponding to the (N-1)th network, where the comparison information characterises the difference between the packet sent by the (N-1)th network and the packet obtained after the Nth network processed its content based on the target network information, reconstruct the packet sent by the (N-1)th network using the comparison information, verify it against its signature, and so on until the source network is verified.
  • the second receiving unit 81 can be implemented by a communication interface in the data transmission device; the second processing unit 82 can be implemented by a processor in the data transmission device.
  • the embodiment of the present disclosure further provides a network device.
  • the network device 90 includes:
  • the first communication interface 91 is capable of performing information interaction with other network devices
  • the first processor 92 is connected to the first communication interface 91 to exchange information with other network devices, and is configured to perform, when the computer program is run, the method provided by one or more of the technical solutions on the network device side of the intermediate network.
  • the first communication interface 91 is configured to receive a data packet sent by the first network; the received data packet is a data packet that is sent by the source network and can reach the target network through the at least one intermediate network; the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network; the received data packet is a data packet signed by a border device in the first network;
  • the first processor 92 is configured to: perform transmission related processing on the content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; Send a packet for signature;
  • the first communication interface 91 is further configured to send the signed data packet to the next hop network.
  • the first processor 92 is specifically configured to: verify the signature of the received data packet, and, after the verification succeeds, perform transmission-related processing on the received data packet based on the information of the target network.
  • the network device 90 may further include: a first memory 93.
  • the various components in the network device 90 are coupled together by a bus system 94.
  • bus system 94 is configured to enable connection communication between these components.
  • the bus system 94 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus.
  • for clarity, the various buses are labeled as bus system 94 in FIG. 9.
  • the number of the first processors 92 is at least one.
  • the first memory 93 in an embodiment of the present disclosure is configured to store various types of data to support operation of the network device 90. Examples of such data include any computer program configured to operate on network device 90.
  • the method disclosed in the above embodiments of the present disclosure may be applied to the first processor 92 or implemented by the first processor 92.
  • the first processor 92 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the first processor 92 or an instruction in a form of software.
  • the first processor 92 described above may be a general purpose processor, a digital signal processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • the first processor 92 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present disclosure.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present disclosure may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium located in the first memory 93, the first processor 92 reading the information in the first memory 93, in conjunction with its hardware, to perform the steps of the foregoing method.
  • the network device 90 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components configured to perform the aforementioned method.
  • the embodiment of the present disclosure further provides a network device.
  • the network device 100 includes:
  • the second communication interface 101 is capable of performing information interaction with other network devices
  • the second processor 102 is connected to the second communication interface 101 to implement information interaction with other network devices, and is configured to perform, when running the computer program, the method provided by one or more of the technical solutions on the network device side of the target network.
  • the second communication interface 101 is configured to receive a data packet sent by the second network; the received data packet is a data packet that is sent by the source network and reaches the target network through the at least one intermediate network; the second network a previous hop network of the target network; the received data packet is a data packet signed by at least a border device in each network;
  • the second processor 102 is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • the path over which the received data packet is transmitted passes through N networks, N being an integer greater than or equal to 2, and the second processor 102 is specifically configured to:
  • verify the correspondence between the received data packet and its signature, the second network being the Nth network of the path; obtain from the received data packet the data packet sent by the (N-1)th network and its signature; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified;
  • or: verify the correspondence between the received data packet and its signature, the second network being the Nth network of the path; obtain from the received data packet the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission-related processing on the content of that packet based on the target network; obtain the data packet sent by the (N-1)th network using the comparison information; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
  • the network device 100 may further include: a second memory 103.
  • the various components in network device 100 are coupled together by bus system 104.
  • the bus system 104 is configured to enable connection communication between these components.
  • the bus system 104 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus.
  • for clarity, the various buses are labeled as bus system 104 in FIG. 10.
  • the number of the second processors 102 is at least one.
  • the second memory 103 in an embodiment of the present disclosure is configured to store various types of data to support operation of the network device 100. Examples of such data include any computer program configured to operate on network device 100.
  • the method disclosed in the above embodiments of the present disclosure may be configured in the second processor 102 or implemented by the second processor 102.
  • the second processor 102 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the second processor 102 or an instruction in a form of software.
  • the second processor 102 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • the second processor 102 can implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present disclosure.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present disclosure may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium located in the second memory 103, the second processor 102 reading the information in the second memory 103, and completing the steps of the foregoing method in combination with its hardware.
  • network device 100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general purpose processors, controllers, MCUs, Microprocessors, or other electronic components configured to perform the aforementioned methods.
  • the memories (first memory 93 and second memory 103) of embodiments of the present disclosure may be either volatile memory or non-volatile memory, and may include both volatile and non-volatile memory.
  • the non-volatile memory may be a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk storage or a tape storage.
  • the volatile memory can be a Random Access Memory (RAM) that acts as an external cache. Many forms of RAM can be used, for example Static RAM (SRAM), Synchronous Static RAM (SSRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
  • the embodiment of the present disclosure further provides a data transmission system. As shown in FIG. 11, the system includes:
  • the network device 111 is located in the source network and configured to sign the to-be-sent data packet and send it to the intermediate network.
  • the network device 112, located in the intermediate network, is configured to receive the data packet; perform transmission-related processing on the content of the received data packet based on the information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; sign the to-be-sent data packet; and send the signed data packet to the next hop network;
  • the network device 113, located in the target network, is configured to receive the data packet and, starting from its own previous-hop network, verify the signatures in the received data packet in sequence until the source network is verified.
  • an embodiment of the present disclosure further provides a storage medium, that is, a computer storage medium, in particular a computer readable storage medium, for example including a first memory 93 storing a computer program which can be executed by the first processor 92 of the network device 90 to perform the steps described in the foregoing methods.
  • a second memory 103 storing a computer program can be included, which can be executed by the second processor 102 of the network device 100 to perform the steps described in the foregoing methods.
  • the computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM.

Abstract

Disclosed are a data transmission method and device, a network apparatus, and a storage medium. The method comprises: receiving a data packet sent by a first network, wherein the received data packet is a data packet sent by a source network and capable of arriving at a target network by passing through at least one intermediate network, the first network is the source network corresponding to the received data packet or to an intermediate network of the at least one intermediate network, and the received data packet is a data packet signed by a border apparatus of the first network; performing, on the basis of information of the target network, transmission related processing on the content of the received data packet; generating a data packet to be transmitted on the basis of the received data packet and the processed data packet; performing signing on the data packet to be transmitted; and transmitting the signed data packet to a next hop network.

Description

Data transmission method, device, network device and storage medium
Cross-reference to related applications
This application is based on, and claims priority from, Chinese patent application No. 201810029643.7 filed on 12 January 2018, the entire contents of which are incorporated herein by reference.
Technical field
The present disclosure relates to the field of network security, and in particular to a data transmission method and device, a network device and a storage medium.
Background
In traditional communication networks, the services provided by each operator are regional to some degree. To meet users' demand for global mobile communication, different operator networks have gradually been interconnected by a variety of methods, so that the signalling data and user data serving a user can be transmitted and processed across operators, which provides the basis for global use.
In early network interconnection, communication networks were fully closed, so the connections between operator networks were also relatively closed and little security protection was considered. With the introduction of technologies such as IP, a network deployed independently by an operator still has a degree of closure, which effectively guarantees security among its centrally deployed network elements; but the network interfaces through which operator networks connect to each other are no longer a closed environment, so the information transmitted between these centrally deployed sets of network elements needs security protection.
In the related art, for security protection between different network domains, Internet Protocol Security (IPsec) is deployed on the border gateways of the two domains, while the connection between two network elements inside a domain may optionally be protected with IPsec according to the actual deployment. With this deployment a security risk exists whenever operator networks cannot be connected directly: when non-adjacent operator networks attempt to transmit data, the data is unprotected inside the networks it passes through in between, and the information may be tampered with.
Summary
To solve the existing technical problems, embodiments of the present disclosure provide a data transmission method and device, a network device and a storage medium.
The technical solution of the embodiments of the present disclosure is implemented as follows.
An embodiment of the present disclosure provides a data transmission method, applied to a network device of an intermediate network, comprising:
receiving a data packet sent by a first network, the received data packet being a data packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received data packet or one of the at least one intermediate network, and the received data packet being a data packet signed by a border device in the first network;
performing transmission-related processing on the content of the received data packet based on information of the target network;
generating a data packet to be sent based on the received data packet and the processed data packet;
signing the data packet to be sent; and
sending the signed data packet to the next-hop network.
In the above solution, generating the data packet to be sent based on the received data packet and the processed data packet comprises:
packaging the received data packet together with its corresponding signature and the processed data packet to obtain the data packet to be sent.
In the above solution, generating the data packet to be sent based on the received data packet and the processed data packet may alternatively comprise:
comparing the received data packet with the processed data packet for deviations to obtain comparison information; and
packaging the processed data packet, the comparison information and the signature corresponding to the received data packet to obtain the data packet to be sent.
In the above solution, performing transmission-related processing on the received data packet based on the information of the target network comprises:
verifying the signature of the received data packet; and
after the verification succeeds, performing transmission-related processing on the received data packet based on the information of the target network.
An embodiment of the present disclosure further provides a data transmission method, applied to a network device of a target network, comprising:
receiving a data packet sent by a second network, the received data packet being a data packet sent by a source network that reaches the target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received data packet being a data packet signed at least by a border device in each network; and
starting from the second network, verifying the signatures in the received data packet in sequence until the source network is verified.
In the above solution, the path over which the received data packet is transmitted passes through N networks, N being an integer greater than or equal to 2, and verifying the signatures in the received data packet in sequence starting from the second network until the source network is verified comprises:
verifying the correspondence between the received data packet and its signature, the second network being the Nth network of the path;
obtaining from the received data packet the data packet sent by the (N-1)th network and its corresponding signature; and
verifying the correspondence between the data packet sent by the (N-1)th network and its signature, and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
In the above solution, where the path over which the received data packet is transmitted passes through N networks, N being an integer greater than or equal to 2, verifying the signatures in the received data packet in sequence starting from the second network until the source network is verified may alternatively comprise:
verifying the correspondence between the received data packet and its signature, the second network being the Nth network of the path;
obtaining from the received data packet the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission-related processing on the content of that packet based on the target network; and
obtaining the data packet sent by the (N-1)th network using the comparison information, verifying the correspondence between the data packet sent by the (N-1)th network and its signature, and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
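As an added illustration of the scheme set out above (the source, intermediate and target network devices of the data transmission system, and the two ways an intermediate may build the packet it sends on: nesting the received packet with its signature, or carrying only comparison information), the following Python example is not code from the patent. It constructs a path A -> B -> C -> target and uses HMAC-SHA256 with per-network keys as a stand-in for the border device's signature, since the patent fixes no signature algorithm; a real deployment would use asymmetric signatures so that the target holds no other network's secret. The packet layout, the field names (`dst`, `payload`, `link`), the address map standing in for the target-network information, and the rule that an intermediate may rewrite only `dst` (which lets the target name the hop that altered a protected field) are assumptions of this example, not statements of the patent.

```python
"""Chained border signatures across source, intermediate and target networks (added example)."""
import hashlib
import hmac
import json

# Constructed per-network keys. HMAC-SHA256 stands in for the border device's
# signature (the patent fixes no algorithm); a real deployment would use an
# asymmetric signature so the target holds no secret of any other network.
KEYS = {"A": b"border-key-A", "B": b"border-key-B", "C": b"border-key-C"}
# Fields an intermediate's transmission-related processing may rewrite (assumption).
MUTABLE = {"dst"}


def canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def unsigned(packet: dict) -> dict:
    return {k: v for k, v in packet.items() if k != "sig"}


def sign(net: str, packet: dict) -> dict:
    packet["sig"] = hmac.new(KEYS[net], canon(unsigned(packet)), hashlib.sha256).hexdigest()
    return packet


def verify(packet: dict) -> bool:
    expected = hmac.new(KEYS[packet["net"]], canon(unsigned(packet)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["sig"])


def process_for_target(content: dict, target: dict) -> dict:
    """Transmission-related processing based on target-network information:
    here only the destination is rewritten to the target's address."""
    out = dict(content)
    out["dst"] = target["addr_map"].get(content["dst"], content["dst"])
    return out


def source_send(net: str, content: dict) -> dict:
    return sign(net, {"net": net, "content": content, "link": None})


def intermediate_forward(net: str, received: dict, target: dict, mode: str) -> dict:
    if not verify(received):                       # check the previous hop before any processing
        raise ValueError(f"signature from {received['net']} invalid")
    processed = process_for_target(received["content"], target)
    old = received["content"]
    if mode == "nest":                             # variant 1: carry the whole received packet
        link = {"kind": "nest", "packet": received}
    else:                                          # variant 2: carry only the deviation
        link = {"kind": "diff", "prev_net": received["net"], "prev_sig": received["sig"],
                "prev_link": received["link"],
                "changed": {k: v for k, v in old.items() if k in processed and processed[k] != v},
                "removed": {k: v for k, v in old.items() if k not in processed},
                "added": [k for k in processed if k not in old]}
    return sign(net, {"net": net, "content": processed, "link": link})


def previous_hop(packet: dict) -> dict:
    """Rebuild what the previous hop sent, from the nested packet or from the diff."""
    link = packet["link"]
    if link["kind"] == "nest":
        return link["packet"]
    content = {k: v for k, v in packet["content"].items() if k not in link["added"]}
    content.update(link["changed"])
    content.update(link["removed"])
    return {"net": link["prev_net"], "content": content,
            "link": link["prev_link"], "sig": link["prev_sig"]}


def target_verify(packet: dict, source: str) -> list:
    """Verify hop by hop from the previous hop back to the source and return the
    hop order; raise naming the hop to blame when a signature or diff fails."""
    hops, via = [], None
    while True:
        if not verify(packet):
            raise ValueError(f"signature of {packet['net']} does not verify; "
                             f"suspect {via or packet['net']}")
        hops.append(packet["net"])
        if packet["net"] == source:
            return hops
        prev = previous_hop(packet)
        touched = {k for k in set(packet["content"]) | set(prev["content"])
                   if packet["content"].get(k) != prev["content"].get(k)}
        if not touched <= MUTABLE:
            raise ValueError(f"{packet['net']} altered protected fields {sorted(touched - MUTABLE)}")
        packet, via = prev, packet["net"]


def run(mode: str, tamper: bool = False) -> list:
    """Path A -> B -> C -> target T. With tamper=True, B rewrites the payload and re-signs."""
    target = {"name": "T", "addr_map": {"T": "10.0.0.1"}}
    pkt = source_send("A", {"dst": "T", "payload": "attach-request"})   # constructed input
    pkt = intermediate_forward("B", pkt, target, mode)
    if tamper:
        pkt["content"]["payload"] = "detach-request"
        sign("B", pkt)
    pkt = intermediate_forward("C", pkt, target, mode)
    return target_verify(pkt, "A")


def verdict(mode: str) -> str:
    """The target's verdict on a run in which B tampers with the payload."""
    try:
        run(mode, tamper=True)
        return "accepted"
    except ValueError as err:
        return str(err)
```

Both variants verify the same chain, but the comparison-information variant carries only the per-hop deviation plus the previous hop's signature (and what that hop signed over), so the packet grows with the number of hops rather than with hops times payload size. The difference shows in how a fault is attributed: with nesting the target holds the original content and can name B directly; with comparison information the fault surfaces as the reconstructed source packet failing A's signature, and the target attributes it to the hop that supplied the comparison information.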
An embodiment of the present disclosure further provides a data transmission device, comprising:
a first receiving unit configured to receive a data packet sent by a first network, the received data packet being a data packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received data packet or one of the at least one intermediate network, and the received data packet being a data packet signed by a border device in the first network;
a first processing unit configured to perform transmission-related processing on the content of the received data packet based on information of the target network, generate a data packet to be sent based on the received data packet and the processed data packet, and sign the data packet to be sent; and
a sending unit configured to send the signed data packet to the next-hop network.
An embodiment of the present disclosure further provides a data transmission device, comprising:
a second receiving unit configured to receive a data packet sent by a second network, the received data packet being a data packet sent by a source network that reaches the target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received data packet being a data packet signed at least by a border device in each network; and
a second processing unit configured to verify, starting from the second network, the signatures in the received data packet in sequence until the source network is verified.
An embodiment of the present disclosure further provides a network device, comprising:
a first communication interface configured to receive a data packet sent by a first network, the received data packet being a data packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received data packet or one of the at least one intermediate network, and the received data packet being a data packet signed by a border device in the first network; and
a first processor configured to perform transmission-related processing on the content of the received data packet based on information of the target network, generate a data packet to be sent based on the received data packet and the processed data packet, and sign the data packet to be sent;
the first communication interface being further configured to send the signed data packet to the next-hop network.
In the above solution, the first processor is configured to:
package the received data packet together with its corresponding signature and the processed data packet to obtain the data packet to be sent;
or
compare the received data packet with the processed data packet for deviations to obtain comparison information, and package the processed data packet, the comparison information and the signature corresponding to the received data packet to obtain the data packet to be sent.
In the above solution, the first processor is configured to:
verify the signature of the received data packet; and
after the verification succeeds, perform transmission-related processing on the received data packet based on the information of the target network.
An embodiment of the present disclosure further provides a network device, comprising:
a second communication interface configured to receive a data packet sent by a second network, the received data packet being a data packet sent by a source network that reaches the target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received data packet being a data packet signed at least by a border device in each network; and
a second processor configured to verify, starting from the second network, the signatures in the received data packet in sequence until the source network is verified.
In the above solution, the path over which the received data packet is transmitted passes through N networks, N being an integer greater than or equal to 2, and the second processor is configured to:
verify the correspondence between the received data packet and its signature, the second network being the Nth network of the path; obtain from the received data packet the data packet sent by the (N-1)th network and its corresponding signature; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified;
or
verify the correspondence between the received data packet and its signature, the second network being the Nth network of the path; obtain from the received data packet the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission-related processing on the content of that packet based on the target network; obtain the data packet sent by the (N-1)th network using the comparison information; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
An embodiment of the present disclosure further provides a network device, comprising a first processor and a first memory configured to store a computer program that can run on the processor,
wherein the first processor is configured to perform, when running the computer program, the steps of any of the above methods on the network device side of the intermediate network.
An embodiment of the present disclosure further provides a network device, comprising a second processor and a second memory configured to store a computer program that can run on the processor,
wherein the second processor is configured to perform, when running the computer program, the steps of any of the above methods on the network device side of the target network.
An embodiment of the present disclosure further provides a storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above methods on the network device side of the intermediate network, or the steps of any of the above methods on the network device side of the target network.
With the data transmission method and device, network device and storage medium provided by the embodiments of the present disclosure, the source network signs the data packet to be sent and sends it to an intermediate network; the intermediate network performs transmission-related processing on the content of the received data packet based on the information of the target network, generates a data packet to be sent based on the received data packet and the processed data packet, signs it, and sends the signed data packet to the next-hop network; and the target network receives the data packet and, starting from its own previous-hop network, verifies the signatures in the received data packet in sequence until the source network is verified. Because the data packet carries a signature corresponding to each network, each network on the path can be checked against its signature, and so security protection of the data packet is achieved.
Brief description of the drawings
FIG. 1 is a schematic diagram of the connection between two networks in the related art;
FIG. 2 is a schematic diagram of the connections among multiple networks in an embodiment of the present disclosure;
FIG. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart of another data transmission method according to an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of a third data transmission method according to an embodiment of the present disclosure;
FIG. 6 is a schematic flowchart of the data transmission process in an application embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of another data transmission device according to an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of a network device according to an embodiment of the present disclosure;
FIG. 10 is a schematic structural diagram of another network device according to an embodiment of the present disclosure;
FIG. 11 is a schematic structural diagram of a data transmission system according to an embodiment of the present disclosure.
DETAILED DESCRIPTION
The present disclosure is described in further detail below with reference to the accompanying drawings and embodiments.
In the related art, network security between operators uses the IP-based Network Domain Security method (NDS/IP, Network Domain Security for IP network layer security). This method divides the communication network into different network security domains and places a security network element at the boundary of each security domain. When two network security domains are connected, IPsec must be applied on the border gateways of the two domains. For example, as shown in FIG. 1, to secure the network, a security network element is placed on each of the border gateways SEG A and SEG B. For a connection between two network elements inside one network domain, an IPsec connection may optionally be applied depending on the actual deployment.
This protection approach is, on the one hand, well suited to the real-world scenario of centralized deployment by communication network operators and, on the other hand, able to provide security protection between network domains flexibly, thereby guaranteeing security between two adjacent network domains.
However, the related art only considers security protection between two different network domains and assumes that information inside a network domain is trusted and cannot be altered. This assumption holds when two different operators are directly connected, but once operator interconnection becomes complex and two operators cannot connect directly, the mechanism has serious problems. When multiple networks are connected one after another, a security mechanism based on the related art can only establish secure connections between pairs of adjacent network domains. If two non-adjacent operator networks then try to exchange data, the data is unprotected inside the networks it transits and may be tampered with. For example, as shown in FIG. 2, when three network domains are connected in a chain, that is, the first network domain is connected to the second and the second to the third, and the first network domain attempts to transmit data to the third, the data is unprotected inside the transit network (the second network domain) and may be tampered with. In addition, once a tampered data packet reaches the target network, the target network cannot determine where the packet was modified and cannot trace the change. The reason is that the intermediate network is an untrusted network domain and there is no direct trust relationship between the source network and the target network. The related art's assumption that all network domains are trusted network domains is therefore unreasonable.
End-to-end security protection might be considered here. However, end-to-end security cannot meet the security requirements of a communication network, because when a data packet passes through an intermediate network, that network must modify part of the packet's content, such as the source address and destination address, in order to route it. With end-to-end protection the intermediate network cannot modify the packet content, cannot forward the packets, and communication is interrupted.
On this basis, in the various embodiments of the present disclosure, multiple networks are connected together; communication between any two networks can be established directly or indirectly by relaying through other networks, and some networks have no direct connection to each other. The border devices of a network are able to sign data packets, applying integrity protection to each packet and providing the network's signature; for interconnected networks, the signatures their border devices apply to data packets are mutually trusted.
An embodiment of the present disclosure provides a data transmission method applied to a network device of an intermediate network. As shown in FIG. 3, the method includes:
Step 301: receive a data packet sent by a first network;
Here, the received data packet is a packet sent by a source network that can reach a target network through at least one intermediate network. The received data packet has been signed by a border device in the first network.
The first network is either the source network of the received data packet or one of the at least one intermediate networks.
Step 302: perform transmission-related processing on the content of the received data packet based on information about the target network;
In practice, the transmission-related processing may include modifying the source address, destination address and similar fields of the packet so that it can be routed.
After the packet arrives at the intermediate network, the intermediate network may check (that is, verify) the signature of the received packet to further secure the transmission.
Accordingly, in an embodiment, step 302 verifies the signature of the received data packet;
if verification succeeds, the received packet undergoes transmission-related processing based on the target network's information.
If verification fails, an error message is returned to the first network and the received packet is not processed for transmission based on the target network's information.
Step 303: generate a data packet to be sent from the received data packet and the processed data packet;
Here, the data packet to be sent can be generated in either of two ways:
First way: package the received data packet, its signature and the processed data packet together to obtain the data packet to be sent;
Second way: compare the received data packet with the processed data packet to obtain deviation (comparison) information;
then package the processed data packet, the comparison information and the signature of the received data packet together to obtain the data packet to be sent.
In practice, either of the two ways may be chosen as required.
In the first way, the received data packet, its signature and the processed data packet are packaged directly, yielding the data packet to be sent.
In the second way, the network device first compares the received packet with the processed packet to find the differences between them, for example in the source and destination addresses, which yields the comparison information; it then packages the processed packet, the comparison information and the signature of the received packet together to obtain the data packet to be sent.
Step 304: sign the data packet to be sent;
Here, the signature algorithm may be RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, the Ong-Schnorr-Shamir digital signature algorithm, Des/DSA, an elliptic curve digital signature algorithm, a finite automaton digital signature algorithm, and so on. As technology develops it may also be a new digital signature algorithm; the embodiments of the present disclosure do not limit this.
Step 305: send the signed data packet to the next-hop network.
In practice, the next-hop network, which is either an intermediate network or the target network, may be determined from the target network's information. As the description above shows, a signature is used to verify the corresponding network.
Correspondingly, an embodiment of the present disclosure also provides a data transmission method applied to a network device of the target network. As shown in FIG. 4, the method includes:
Step 401: receive a data packet sent by a second network;
Here, the received data packet is a packet sent by the source network that has reached the target network through at least one intermediate network, and it has been signed at least by the border device of each network on the way.
In other words, the path of the received packet passes through N networks, N being an integer greater than or equal to 2. More specifically, counting the source network as the first network, the packet traverses N networks before reaching the target network; the N networks comprise the source network and at least one intermediate network.
The second network is the previous-hop network of the target network.
Step 402: starting from the second network, verify the signatures in the received data packet in sequence until the source network has been verified.
As noted above, there are two ways of generating the data packet to be sent. When the first way is used, the verification process includes:
verifying that the received data packet matches its signature, the second network being the N-th network on the path;
obtaining from the received data packet the packet sent by the (N-1)-th network and its signature;
verifying that the packet sent by the (N-1)-th network matches its signature; and so on, until the packet sent by the source network has been verified against its signature.
When the second way is used, the verification process includes:
verifying that the received data packet matches its signature, the second network being the N-th network on the path;
obtaining from the received data packet the comparison information and the signature of the (N-1)-th network, where the comparison information describes the deviation between the packet sent by the (N-1)-th network and the packet obtained after the N-th network performed transmission-related processing on its content based on the target network;
using the comparison information to recover the packet sent by the (N-1)-th network and verifying it against its signature; and so on, until the packet sent by the source network has been verified against its signature.
From the above it can be seen that, as shown in FIG. 5, the process by which a data packet travels from the source network to the target network (the data transmission method) includes:
Step 501: a network device in the source network signs the data packet to be sent and sends it to an intermediate network;
Step 502: a network device of the intermediate network performs transmission-related processing on the content of the received packet based on the target network's information;
Step 503: the network device of the intermediate network generates a data packet to be sent from the received packet and the processed packet, signs it, and sends the signed packet to the next-hop network;
When the packet must traverse several intermediate networks to reach the target network, the network device of every intermediate network performs steps 502 to 503 on receiving the packet, so that the packet is relayed to the target network.
Step 504: the target network receives the packet and, starting from its own previous-hop network, verifies the signatures in the received packet in sequence until the source network has been verified.
The detailed processing of the intermediate-network device and of the target-network device has been described above and is not repeated here.
The source network is the network in which a packet originates, that is, the network that first sends the packet; correspondingly, the target network is the final network of the packet, that is, the network at which the packet ultimately arrives.
In the data transmission method provided by the embodiments of the present disclosure, the data packet to be sent is signed in the source network and sent to an intermediate network; in the intermediate network, the content of the received packet undergoes transmission-related processing based on the target network's information, a data packet to be sent is generated from the received packet and the processed packet, the data packet to be sent is signed, and the signed packet is sent to the next-hop network; in the target network, the packet is received and the signatures it carries are verified in sequence, starting from the target network's own previous-hop network, until the source network has been verified. Because the data packet carries a signature corresponding to each network, and each signature can be used to check the corresponding network, security protection of the data packet is achieved.
The present disclosure is described in further detail below with reference to an application embodiment.
As shown in FIG. 6, the data transmission process of this application embodiment includes the following steps:
Step 601: a network element in the source network sends a data packet m; the packet m is unprotected;
Step 602: when the packet reaches the boundary of the source network, the border network element signs it, producing sig(m), and sends it to the intermediate network;
The packet is now a signed packet [m, sig(m)].
Step 603: when the signed packet [m, sig(m)] reaches the directly connected intermediate network, that network verifies the packet's signature;
If verification fails, an error message is returned to the previous-hop network; if it succeeds, step 604 follows.
Writing the packet as M and its signature as sig(M), the correspondence between sig(M) and M is verified directly.
Step 604: after receiving the packet, the intermediate network may modify its content (the modified packet is denoted m') and forwards it towards the next network based on the target network's information (the next network may be another intermediate network or the target network);
Step 605: when the packet reaches the boundary of the intermediate network, the border network element signs the information M to be sent, producing sig(M), and sends it;
If the receiving network is again an intermediate network, it treats the received signed data [M, sig(M)] as [m, sig(m)] and performs steps 603 to 605.
In step 605, the border network element (for example a border gateway) has to generate the packet to be sent and sign it.
The packet to be sent can be generated in either of two ways:
First way: the border network element packages the received original packet m, its signature sig(m) and the modified packet m' together, so that the information to be sent is M = m' || (m || sig(m)), and signs it to produce sig(M).
Second way: the border network element computes the deviation between the received original packet m and the modified packet m' (the deviation comparison is written as the - operation, so the deviation is m - m'), then packages the modified packet m', the deviation and the signature sig(m) of the original packet together, so that the information to be sent is M = m' || (m - m' || sig(m)), and signs it to produce sig(M).
Step 606: after receiving the packet, the target network verifies the correctness of the signatures in turn, starting from the previous network, until the source network has been verified.
When the first way was used, the target network first verifies that the previous network's sig(M) matches M. Suppose the n-th network received the packet M_{n-1} from its previous network and modified it to m_n; the information of the n-th network received by the target network is then M = m_n || M_{n-1} || sig(M_{n-1});
once this verifies, verification continues back to the network before that, whose information is M = M_{n-1} = m_{n-1} || M_{n-2} || sig(M_{n-2}); verification proceeds in this way until the source network is reached, that is, down to [m, sig(m)].
When the second way was used, the target network likewise first verifies that the previous network's sig(M) matches M. Suppose the n-th network received the packet m_{n-1} from its previous network and modified it to m_n; the information is then M = m_n || (m_n - m_{n-1}) || sig(m_{n-1});
once this verifies, verification continues back to the network before that. Because the previous network's packet (the original text) was not kept, only its deviation from the original, the packet of that earlier network must first be recovered from the data at hand and the deviation; the recovery operation is written as +, that is, M = m_{n-1} = m_n + (m_{n-1} - m_n). Verification proceeds in this way until the source network is reached, that is, down to [m, sig(m)].
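The hop-by-hop scheme of steps 301 to 305, 401 to 402 and 601 to 606 above, carried through in code as an added example; this is not code from the patent or from the applicants. It assumes four constructed network domains A (source), B and C (intermediate) and D (target), packets represented as flat JSON-serialisable dicts, and HMAC-SHA256 with per-network keys standing in for the digital signature algorithm the text leaves open (with a real signature scheme the verifier would hold public keys only). Both packaging ways are implemented: `mode=1` carries the received signed packet whole (M = m' || (m || sig(m))), `mode=2` carries only the deviation m - m' plus sig(m) and the target recovers each earlier packet with the + operation. The hidden-edit case shows the tracing property: when a border device alters content it does not record, the walk back fails at the signature of the network that signed the original content, so the change happened in the hop after it.

```python
import hashlib
import hmac
import json

# Constructed example: domains A (source) -> B -> C -> D (target). Per-network
# HMAC keys stand in for the border devices' signing keys (assumption).
KEYS = {"A": b"border-key-A", "B": b"border-key-B", "C": b"border-key-C"}


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(net, body):
    return hmac.new(KEYS[net], canonical(body), hashlib.sha256).hexdigest()


def verify(net, body, sig):
    return hmac.compare_digest(sign(net, body), sig)


def envelope(net, body):
    """[M, sig(M)] as emitted by the border device of `net`."""
    return {"net": net, "body": body, "sig": sign(net, body)}


def diff(new, old):
    """Deviation m - m': what must change in `new` to recover `old`."""
    return {"set": {k: v for k, v in old.items() if new.get(k) != v},
            "del": [k for k in new if k not in old]}


def apply_diff(new, d):
    """The + operation: recover the previous hop's packet from m' and m - m'."""
    old = {k: v for k, v in new.items() if k not in d["del"]}
    old.update(d["set"])
    return old


def source_send(net, packet, mode):
    """Steps 501/602: the source border device signs the raw packet m."""
    body = {"cur": packet, "prev": None} if mode == 1 else {"cur": packet, "chain": []}
    return envelope(net, body)


def intermediate_forward(net, received, rewrite, mode):
    """Steps 603-605: verify previous hop, rewrite routing fields, repack, sign."""
    if not verify(received["net"], received["body"], received["sig"]):
        raise ValueError("bad signature from " + received["net"])  # error goes upstream
    m_prev = received["body"]["cur"]
    m_cur = rewrite(dict(m_prev))
    if mode == 1:  # M = m' || (m || sig(m)): carry the received envelope whole
        body = {"cur": m_cur, "prev": received}
    else:          # M = m' || (m - m' || sig(m)): carry only the deviation
        entry = {"net": received["net"], "diff": diff(m_cur, m_prev), "sig": received["sig"]}
        body = {"cur": m_cur, "chain": [entry] + received["body"]["chain"]}
    return envelope(net, body)


def target_verify(received, mode):
    """Step 606: verify the last hop first and walk back to the source."""
    net, body, sig = received["net"], received["body"], received["sig"]
    packets = {}  # what each network signed as its outgoing packet, last hop first
    while True:
        if not verify(net, body, sig):
            # Content signed by `net` no longer matches: it was altered after
            # `net` signed it, i.e. in the following hop.
            return {"ok": False, "failed_at": net, "packets": packets}
        packets[net] = body["cur"]
        if mode == 1:
            if body["prev"] is None:
                break
            net, body, sig = body["prev"]["net"], body["prev"]["body"], body["prev"]["sig"]
        else:
            if not body["chain"]:
                break
            entry, rest = body["chain"][0], body["chain"][1:]
            net, sig = entry["net"], entry["sig"]
            body = {"cur": apply_diff(body["cur"], entry["diff"]), "chain": rest}
    return {"ok": True, "packets": packets, "original": body["cur"]}


def run_demo(mode, hidden_edit=False):
    packet = {"src": "10.0.0.1", "dst": "10.2.0.9", "payload": "hello"}  # constructed
    env = source_send("A", packet, mode)
    env = intermediate_forward("B", env, lambda p: {**p, "src": "192.0.2.1"}, mode)
    env = intermediate_forward("C", env, lambda p: {**p, "dst": "198.51.100.7", "via": "C"}, mode)
    if hidden_edit:
        # Constructed failure case: C changes the payload in everything it
        # forwards without recording it, then re-signs its own envelope.
        e = env
        while e is not None:
            e["body"]["cur"]["payload"] = "altered"
            e = e["body"].get("prev")
        env["sig"] = sign("C", env["body"])
    return target_verify(env, mode)


if __name__ == "__main__":
    for mode in (1, 2):
        print("mode", mode, "honest:", run_demo(mode))
        print("mode", mode, "hidden edit:", run_demo(mode, hidden_edit=True))
```

In the honest run both modes verify C, B and A in that order and return the original packet m, and `packets` shows what each border device signed, which is how the target can see what each network changed (effect 3 and 4 above). In the hidden-edit run C's own signature still verifies, but B's does not, so the target knows the alteration took place after B signed, that is, in C.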
As can be seen from the above, the solution provided by the embodiments of the present disclosure is a new method for protecting data transferred between untrusted domains, in which data packets are secured hop by hop between network domains. This achieves the following:
1. The intermediate networks' need to modify data packets is accommodated;
2. No trust relationship is required between the source network and the target network;
3. The target network can verify the original information of the data packet;
4. If a data packet is maliciously tampered with, the target network can discover in which network the change took place.
To implement the method on the network device side of the intermediate network, an embodiment of the present disclosure also provides a data transmission apparatus arranged in a network device of the intermediate network. As shown in FIG. 7, the apparatus includes:
a first receiving unit 71, configured to receive a data packet sent by a first network, the received packet being a packet sent by a source network that can reach a target network through at least one intermediate network, the first network being either the source network of the received packet or one of the at least one intermediate networks, and the received packet having been signed by a border device in the first network;
a first processing unit 72, configured to perform transmission-related processing on the content of the received packet based on the target network's information, generate a data packet to be sent from the received packet and the processed packet, and sign the data packet to be sent; and
a sending unit 73, configured to send the signed data packet to the next-hop network.
In an embodiment, the first processing unit 72 is specifically configured to:
package the received data packet, its signature and the processed data packet together to obtain the data packet to be sent;
or
compare the received data packet with the processed data packet to obtain comparison information, and
package the processed data packet, the comparison information and the signature of the received data packet together to obtain the data packet to be sent.
After the packet arrives at the intermediate network, the intermediate network may check (that is, verify) the signature of the received packet to further secure the transmission.
Accordingly, in an embodiment, the first processing unit 72 is specifically configured to:
verify the signature of the received data packet; and
after successful verification, perform transmission-related processing on the received packet based on the target network's information.
If verification fails, the first processing unit 72 returns an error message to the first network and does not perform transmission-related processing on the received packet based on the target network's information.
In practice, the first receiving unit 71 and the sending unit 73 may be implemented by a communication interface of the data transmission apparatus, and the first processing unit 72 by a processor of the data transmission apparatus.
To implement the method on the network device side of the target network, an embodiment of the present disclosure also provides a data transmission apparatus arranged in a network device of the target network. As shown in FIG. 8, the apparatus includes:
a second receiving unit 81, configured to receive a data packet sent by a second network, the received packet being a packet sent by a source network that has reached the target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received packet having been signed at least by the border device of each network on the way; and
a second processing unit 82, configured to verify the signatures in the received data packet in sequence, starting from the second network, until the source network has been verified.
The received data packet is a packet sent by the source network that has reached the target network through at least one intermediate network, and it has been signed at least by the border device of each network on the way.
In other words, the path of the received packet passes through N networks, N being an integer greater than or equal to 2. More specifically, counting the source network as the first network, the packet traverses N networks before reaching the target network; the N networks comprise the source network and at least one intermediate network.
Because there are the two ways described above of generating the packet to be sent, when the first way is used the second processing unit 82 is specifically configured to:
verify that the received data packet matches its signature, the second network being the N-th network on the path;
obtain from the received data packet the packet sent by the (N-1)-th network and its signature;
verify that the packet sent by the (N-1)-th network matches its signature; and so on, until the packet sent by the source network has been verified against its signature.
When the second way is used, the second processing unit 82 is specifically configured to:
verify that the received data packet matches its signature, the second network being the N-th network on the path;
obtain from the received data packet the comparison information and the signature of the (N-1)-th network, where the comparison information describes the deviation between the packet sent by the (N-1)-th network and the packet obtained after the N-th network performed transmission-related processing on its content based on the target network;
use the comparison information to recover the packet sent by the (N-1)-th network and verify it against its signature; and so on, until the packet sent by the source network has been verified against its signature.
In practice, the second receiving unit 81 may be implemented by a communication interface of the data transmission apparatus, and the second processing unit 82 by a processor of the data transmission apparatus.
It should be noted that when the data transmission apparatus of the above embodiments transmits data, the division into the program modules described above is only an example; in practice the processing may be assigned to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to perform all or part of the processing described above. Moreover, the data transmission apparatus embodiments and the data transmission method embodiments share the same concept; their specific implementation is detailed in the method embodiments and is not repeated here.
Based on the hardware implementation of the above device, and in order to implement the method on the network device side of the intermediate network in the embodiments of the present disclosure, an embodiment of the present disclosure further provides a network device. As shown in FIG. 9, the network device 90 includes:
a first communication interface 91, capable of exchanging information with other network devices; and
a first processor 92, connected to the first communication interface 91 so as to exchange information with other network devices, and configured, when running a computer program, to perform the method provided by one or more of the technical solutions above for the network device side of the intermediate network.
Specifically, the first communication interface 91 is configured to receive a data packet sent by a first network, the received data packet being a packet sent by a source network that can reach a target network through at least one intermediate network; the first network is the source network corresponding to the received packet or one of the at least one intermediate network; and the received packet is a packet signed by a border device of the first network;
the first processor 92 is configured to perform send-related processing on the content of the received data packet based on information of the target network, to generate a to-be-sent data packet based on the received data packet and the processed data packet, and to sign the to-be-sent data packet;
and the first communication interface 91 is further configured to send the signed data packet to the next-hop network.
In an embodiment, the first processor 92 is specifically configured to:
package the received data packet, its corresponding signature and the processed data packet to obtain the to-be-sent data packet;
or,
compare the received data packet with the processed data packet to obtain comparison information describing the deviation between them; and
package the processed data packet, the comparison information and the signature corresponding to the received data packet to obtain the to-be-sent data packet.
In an embodiment, the first processor 92 is specifically configured to:
verify the signature of the received data packet; and
after the verification succeeds, perform the send-related processing on the received data packet based on the information of the target network. Verifying before processing means that a packet whose upstream signature does not check is rejected at the next border device rather than carried on towards the target.
Of course, in practice the network device 90 may further include a first memory 93. The components of the network device 90 are coupled together by a bus system 94. It will be understood that the bus system 94 is configured to provide connection and communication between these components. Besides a data bus, the bus system 94 includes a power bus, a control bus and a status signal bus; for clarity, however, all of these buses are labelled as the bus system 94 in FIG. 9.
The number of first processors 92 is at least one.
The first memory 93 in the embodiments of the present disclosure is configured to store various types of data to support the operation of the network device 90. Examples of such data include any computer program configured to run on the network device 90.
The method disclosed in the above embodiments of the present disclosure may be applied in, or implemented by, the first processor 92. The first processor 92 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by integrated logic circuits of hardware in the first processor 92 or by instructions in software form. The first processor 92 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 92 may implement or perform the methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present disclosure may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the first memory 93; the first processor 92 reads the information in the first memory 93 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the network device 90 may be implemented by one or more application-specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, micro controller units (MCUs), microprocessors or other electronic components, configured to perform the above method.
In order to implement the method on the network device side of the target network in the embodiments of the present disclosure, and based on the hardware implementation of the above device, an embodiment of the present disclosure further provides a network device. As shown in FIG. 10, the network device 100 includes:
a second communication interface 101, capable of exchanging information with other network devices; and
a second processor 102, connected to the second communication interface 101 so as to exchange information with other network devices, and configured, when running a computer program, to perform the method provided by one or more of the technical solutions above for the network device side of the target network.
Specifically, the second communication interface 101 is configured to receive a data packet sent by a second network, the received data packet being a packet sent by a source network that has reached the target network through at least one intermediate network; the second network is the previous-hop network of the target network; and the received packet is a packet signed at least by a border device of each network it passed through;
the second processor 102 is configured to verify the signatures in the received data packet in turn, starting from the second network, until the source network is verified.
In an embodiment, the path over which the received data packet was transmitted passes through N networks, N being an integer greater than or equal to 2, and the second processor 102 is specifically configured to:
verify the correspondence between the received data packet and its signature, the second network being the Nth network on the path; obtain, from the received data packet, the data packet sent by the (N-1)th network and its corresponding signature; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified;
or,
verify the correspondence between the received data packet and its signature, the second network being the Nth network on the path; obtain, from the received data packet, the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performed send-related processing, based on the target network, on the content of the packet sent by the (N-1)th network; obtain the data packet sent by the (N-1)th network by means of the comparison information, and verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
Of course, in practice the network device 100 may further include a second memory 103. The components of the network device 100 are coupled together by a bus system 104. It will be understood that the bus system 104 is configured to provide connection and communication between these components. Besides a data bus, the bus system 104 includes a power bus, a control bus and a status signal bus; for clarity, however, all of these buses are labelled as the bus system 104 in FIG. 10.
The number of second processors 102 is at least one.
The second memory 103 in the embodiments of the present disclosure is configured to store various types of data to support the operation of the network device 100. Examples of such data include any computer program configured to run on the network device 100.
The method disclosed in the above embodiments of the present disclosure may be applied in, or implemented by, the second processor 102. The second processor 102 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method may be completed by integrated logic circuits of hardware in the second processor 102 or by instructions in software form. The second processor 102 may be a general-purpose processor, a DSP, another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The second processor 102 may implement or perform the methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present disclosure may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the second memory 103; the second processor 102 reads the information in the second memory 103 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the network device 100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors or other electronic components, configured to perform the above method.
It will be understood that the memories of the embodiments of the present disclosure (the first memory 93 and the second memory 103) may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferroelectric random access memory (FRAM), flash memory, magnetic surface memory, optical disc or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memories described in the embodiments of the present disclosure are intended to include, but are not limited to, these and any other suitable types of memory.
An embodiment of the present disclosure further provides a data transmission system. As shown in FIG. 11, the system includes:
a network device 111, located in the source network, configured to sign a to-be-sent data packet and send it to an intermediate network;
a network device 112, located in an intermediate network, configured to receive the data packet, perform send-related processing on the content of the received data packet based on information of the target network, generate a to-be-sent data packet based on the received data packet and the processed data packet, sign the to-be-sent data packet, and send the signed data packet to the next-hop network; and
a network device 113, located in the target network, configured to receive the data packet and, starting from its own previous-hop network, verify the signatures in the received data packet in turn until the source network is verified.
It should be noted that the specific processing of the network device 112 and the network device 113 has been described in detail above and is not repeated here.
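The devices of FIG. 9, FIG. 10 and FIG. 11 above (and claims 2 to 4 and 6 to 7, which restate the same two packaging and verification modes) describe a chain in which every border device signs what it forwards and the target walks the chain back to the source. What follows is an added, runnable illustration of that chain; it is not code from the patent or from its assignee. It assumes keyed HMAC-SHA256 as a stand-in for the border device's signature, because the page names no signature algorithm (so every party here holds every key, which real signatures would avoid), and it makes up the network names src, ipx1 and ipx2, their keys, the packet field names and the "send-related processing" (rewriting the destination address and appending a route hop). Mode A nests the received packet, its signature and the processed content inside the new packet; Mode B carries only the processed content, a reversible diff and the previous signature, with each hop's (diff, signature) record kept in a list so that the target can rebuild every earlier hop's signed packet, a packaging detail the page leaves open.

```python
"""Signed multi-hop forwarding chain: added illustration of this page's scheme,
not code from the patent or its assignee.  ASSUMPTION: keyed HMAC-SHA256 stands
in for the border device's signature (the page names no algorithm); names,
keys, packet fields and the processing step are constructed."""
import hashlib, hmac, json
KEYS = {"src": b"key-src", "ipx1": b"key-ipx1", "ipx2": b"key-ipx2"}  # constructed

def canon(obj) -> bytes:
    # deterministic encoding so signer and verifier hash the same bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(net, payload) -> str:
    return hmac.new(KEYS[net], canon(payload), hashlib.sha256).hexdigest()

def verify(net, payload, sig) -> bool:
    return hmac.compare_digest(sign(net, payload), sig)

def process_for_target(content, target_info):
    # "send-related processing based on target-network information", modelled
    # as rewriting the destination and appending a route hop
    out = dict(content, dst=target_info["dst_addr"])
    out["route"] = content.get("route", []) + [target_info["via"]]
    return out

def make_diff(old, new):
    # comparison information, kept reversible: the old value of every key the
    # hop changed or removed, plus the keys it added
    return {"old": {k: v for k, v in old.items() if new.get(k, object()) != v},
            "added": [k for k in new if k not in old]}

def undo_diff(new, diff):
    # rebuild what the previous hop sent from the processed packet and the diff
    old = {k: v for k, v in new.items() if k not in diff["added"]}
    old.update(diff["old"])
    return old

# Mode A (claim 2): nest the received packet, its signature and the processed
# content, then sign the whole bundle; the target peels the nesting.
def source_send_nested(content):
    pkt = {"signer": "src", "content": content, "prev": None}
    return dict(pkt, sig=sign("src", pkt))

def intermediate_forward_nested(net, received, target_info):
    body = {k: v for k, v in received.items() if k != "sig"}
    if not verify(received["signer"], body, received["sig"]):  # claim 4: verify first
        raise ValueError(f"{net}: bad signature from {received['signer']}")
    pkt = {"signer": net, "prev": received,
           "content": process_for_target(received["content"], target_info)}
    return dict(pkt, sig=sign(net, pkt))

def target_verify_nested(received):
    # returns (ok, networks verified so far, last hop first)
    chain, pkt = [], received
    while pkt is not None:
        body = {k: v for k, v in pkt.items() if k != "sig"}
        if not verify(pkt["signer"], body, pkt["sig"]):
            return False, chain
        chain.append(pkt["signer"])
        pkt = pkt["prev"]
    return True, chain

# Mode B (claim 3): forward the processed content, a reversible diff and the
# previous signature; each hop's (diff, sig) record travels in a list (assumed).
def hop_payload(content, hops, i):
    # exactly what hop i signed: its packet, its diff, the signature it received
    return {"content": content, "diff": hops[i]["diff"],
            "prev_sig": hops[i - 1]["sig"] if i else None}

def source_send_diff(content):
    hops = [{"signer": "src", "diff": None, "sig": None}]
    hops[0]["sig"] = sign("src", hop_payload(content, hops, 0))
    return {"content": content, "hops": hops}

def intermediate_forward_diff(net, received, target_info):
    content, hops = received["content"], received["hops"]
    if not verify(hops[-1]["signer"], hop_payload(content, hops, len(hops) - 1), hops[-1]["sig"]):
        raise ValueError(f"{net}: bad signature from {hops[-1]['signer']}")
    new = process_for_target(content, target_info)
    hops = hops + [{"signer": net, "diff": make_diff(content, new), "sig": None}]
    hops[-1]["sig"] = sign(net, hop_payload(new, hops, len(hops) - 1))
    return {"content": new, "hops": hops}

def target_verify_diff(received):
    # walk from the last hop back to the source, undoing each diff on the way
    content, hops, chain = received["content"], received["hops"], []
    for i in range(len(hops) - 1, -1, -1):
        if not verify(hops[i]["signer"], hop_payload(content, hops, i), hops[i]["sig"]):
            return False, chain
        chain.append(hops[i]["signer"])
        if hops[i]["diff"] is not None:
            content = undo_diff(content, hops[i]["diff"])
    return True, chain

def demo():
    # run both modes src -> ipx1 -> ipx2; returns the two packets the target gets
    content = {"src": "a.example", "dst": "b.example", "msg": "hello"}  # constructed
    path = [("ipx1", {"dst_addr": "b.edge", "via": "ipx1"}),
            ("ipx2", {"dst_addr": "b.core", "via": "ipx2"})]
    nested, diffed = source_send_nested(content), source_send_diff(content)
    for net, info in path:
        nested = intermediate_forward_nested(net, nested, info)
        diffed = intermediate_forward_diff(net, diffed, info)
    return nested, diffed
```

Calling demo() and then target_verify_nested or target_verify_diff on the result gives (True, ['ipx2', 'ipx1', 'src']) for an untouched chain. Two properties are worth noticing. First, an intermediate that cannot verify its upstream signature raises before it processes or signs anything, which is the ordering claim 4 requires. Second, in Mode B a diff altered in transit is caught at the hop whose signature covers it, after the later hops have already verified, so the returned chain tells the target where the break occurred. Mode B does not grow by a full copy of the packet per hop, but a single corrupted diff makes every earlier hop unreconstructible, whereas Mode A keeps each hop's packet verbatim at the cost of size.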
In an exemplary embodiment, an embodiment of the present disclosure further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example the first memory 93 storing a computer program that can be executed by the first processor 92 of the network device 90 to complete the steps of the above method, or the second memory 103 storing a computer program that can be executed by the second processor 102 of the network device 100 to complete the steps of the above method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM.
It should be noted that the technical solutions described in the embodiments of the present disclosure may be combined arbitrarily provided they do not conflict.
The above description covers only the preferred embodiments of the present disclosure and is not intended to limit the scope of protection of the present disclosure.

Claims (17)

  1. A data transmission method, comprising:
    receiving a data packet sent by a first network, the received data packet being a packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received packet or one of the at least one intermediate network, and the received packet being a packet signed by a border device of the first network;
    performing send-related processing on the content of the received data packet based on information of the target network;
    generating a to-be-sent data packet based on the received data packet and the processed data packet;
    signing the to-be-sent data packet; and
    sending the signed data packet to the next-hop network.
  2. The method according to claim 1, wherein generating the to-be-sent data packet based on the received data packet and the processed data packet comprises:
    packaging the received data packet, its corresponding signature and the processed data packet to obtain the to-be-sent data packet.
  3. The method according to claim 1, wherein generating the to-be-sent data packet based on the received data packet and the processed data packet comprises:
    comparing the received data packet with the processed data packet to obtain comparison information describing the deviation between them; and
    packaging the processed data packet, the comparison information and the signature corresponding to the received data packet to obtain the to-be-sent data packet.
  4. The method according to claim 1, wherein performing send-related processing on the received data packet based on information of the target network comprises:
    verifying the signature of the received data packet; and
    after the verification succeeds, performing the send-related processing on the received data packet based on the information of the target network.
  5. A data transmission method, comprising:
    receiving a data packet sent by a second network, the received data packet being a packet sent by a source network that has reached a target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received packet being a packet signed at least by a border device of each network it passed through; and
    starting from the second network, verifying the signatures in the received data packet in turn until the source network is verified.
  6. The method according to claim 5, wherein the path over which the received data packet was transmitted passes through N networks, N being an integer greater than or equal to 2, and wherein verifying the signatures in the received data packet in turn, starting from the second network, until the source network is verified comprises:
    verifying the correspondence between the received data packet and its signature, the second network being the Nth network on the path;
    obtaining, from the received data packet, the data packet sent by the (N-1)th network and its corresponding signature; and
    verifying the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
  7. The method according to claim 5, wherein the path over which the received data packet was transmitted passes through N networks, N being an integer greater than or equal to 2, and wherein verifying the signatures in the received data packet in turn, starting from the second network, until the source network is verified comprises:
    verifying the correspondence between the received data packet and its signature, the second network being the Nth network on the path;
    obtaining, from the received data packet, the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performed send-related processing, based on the target network, on the content of the packet sent by the (N-1)th network; and
    obtaining the data packet sent by the (N-1)th network by means of the comparison information, and verifying the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
  8. A data transmission device, comprising:
    a first receiving unit, configured to receive a data packet sent by a first network, the received data packet being a packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received packet or one of the at least one intermediate network, and the received packet being a packet signed by a border device of the first network;
    a first processing unit, configured to perform send-related processing on the content of the received data packet based on information of the target network, to generate a to-be-sent data packet based on the received data packet and the processed data packet, and to sign the to-be-sent data packet; and
    a sending unit, configured to send the signed data packet to the next-hop network.
  9. A data transmission device, comprising:
    a second receiving unit, configured to receive a data packet sent by a second network, the received data packet being a packet sent by a source network that has reached a target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received packet being a packet signed at least by a border device of each network it passed through; and
    a second processing unit, configured to verify the signatures in the received data packet in turn, starting from the second network, until the source network is verified.
  10. A network device, comprising:
    a first communication interface, configured to receive a data packet sent by a first network, the received data packet being a packet sent by a source network that can reach a target network through at least one intermediate network, the first network being the source network corresponding to the received packet or one of the at least one intermediate network, and the received packet being a packet signed by a border device of the first network; and
    a first processor, configured to perform send-related processing on the content of the received data packet based on information of the target network, to generate a to-be-sent data packet based on the received data packet and the processed data packet, and to sign the to-be-sent data packet;
    the first communication interface being further configured to send the signed data packet to the next-hop network.
  11. The network device according to claim 10, wherein the first processor is configured to:
    package the received data packet, its corresponding signature and the processed data packet to obtain the to-be-sent data packet;
    or,
    compare the received data packet with the processed data packet to obtain comparison information describing the deviation between them, and package the processed data packet, the comparison information and the signature corresponding to the received data packet to obtain the to-be-sent data packet.
  12. The network device according to claim 10, wherein the first processor is configured to:
    verify the signature of the received data packet; and
    after the verification succeeds, perform the send-related processing on the received data packet based on the information of the target network.
  13. A network device, comprising:
    a second communication interface, configured to receive a data packet sent by a second network, the received data packet being a packet sent by a source network that has reached a target network through at least one intermediate network, the second network being the previous-hop network of the target network, and the received packet being a packet signed at least by a border device of each network it passed through; and
    a second processor, configured to verify the signatures in the received data packet in turn, starting from the second network, until the source network is verified.
  14. The network device according to claim 13, wherein the path over which the received data packet was transmitted passes through N networks, N being an integer greater than or equal to 2, and wherein the second processor is configured to:
    verify the correspondence between the received data packet and its signature, the second network being the Nth network on the path; obtain, from the received data packet, the data packet sent by the (N-1)th network and its corresponding signature; verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified;
    or,
    verify the correspondence between the received data packet and its signature, the second network being the Nth network on the path; obtain, from the received data packet, the comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the deviation between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performed send-related processing, based on the target network, on the content of the packet sent by the (N-1)th network; obtain the data packet sent by the (N-1)th network by means of the comparison information, and verify the correspondence between the data packet sent by the (N-1)th network and its signature; and so on, until the correspondence between the data packet sent by the source network and its signature is verified.
  15. 一种网络设备,包括:第一处理器和配置为存储能够在处理器上运行的计算机程序的第一存储器,A network device comprising: a first processor and a first memory configured to store a computer program executable on the processor,
    其中,所述第一处理器配置为运行所述计算机程序时,执行权利要求1至4任一项所述方法的步骤。Wherein the first processor is configured to perform the steps of the method of any one of claims 1 to 4 when the computer program is run.
  16. 一种网络设备,包括:第二处理器和配置为存储能够在处理器上运行的计算机程序的第二存储器,A network device comprising: a second processor and a second memory configured to store a computer program executable on the processor,
    其中,所述第二处理器配置为运行所述计算机程序时,执行权利要求5至7任一项所述方法的步骤。Wherein the second processor is configured to perform the steps of the method of any one of claims 5 to 7 when the computer program is run.
  17. 一种存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现权利要求1至4任一项所述方法的步骤,或者实现权利要求5至7任一项所述方法的步骤。A storage medium having stored thereon a computer program, the computer program being executed by a processor to perform the steps of the method of any one of claims 1 to 4, or the method of any one of claims 5 to 7 step.
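To make the first verification alternative of the claim preceding claim 15 concrete, here is an added Python example that is not part of the patent or the applicant's code: each network on the path forwards the packet and signature it received inside its own packet and signs the result, and the target network verifies the Nth signature, unwraps to the (N-1)th, and continues until the source network's packet is verified. HMAC-SHA256 with a per-network key stands in for the digital signature, and the network names, keys and payloads are constructed sample values; the second alternative (reconstructing the previous packet from comparison information) is not shown.

```python
import hashlib
import hmac
import json

def sign(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 stands in for each network's digital signature (assumption).
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def canon(pkt: dict) -> bytes:
    # Canonical encoding so that signer and verifier hash identical bytes.
    return json.dumps(pkt, sort_keys=True).encode()

def forward(net: str, key: bytes, payload: str, prev=None) -> dict:
    """Packet the i-th network sends: its own content plus the packet and
    signature received from the (i-1)th network, all signed with its key."""
    pkt = {"net": net, "payload": payload}
    if prev is not None:
        pkt["prev"] = prev  # {"packet": ..., "sig": ...} from the previous hop
    return {"packet": pkt, "sig": sign(key, canon(pkt))}

def verify_path(received: dict, keys: dict, source: str):
    """Target-network check: verify the Nth network's signature, unwrap to the
    (N-1)th, and repeat until the source network's packet is verified.
    Returns (ok, network at which the walk ended)."""
    node = received
    while True:
        pkt = node["packet"]
        key = keys.get(pkt["net"])
        if key is None or not hmac.compare_digest(sign(key, canon(pkt)), node["sig"]):
            return False, pkt["net"]
        if "prev" not in pkt:
            return pkt["net"] == source, pkt["net"]
        node = pkt["prev"]

# Constructed sample path: source A -> B -> C -> target; keys are made up.
KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C"}

def build_sample() -> dict:
    a = forward("A", KEYS["A"], "hello")
    b = forward("B", KEYS["B"], "hello+b", a)
    return forward("C", KEYS["C"], "hello+b+c", b)

def tampered_sample() -> dict:
    # Simulated tampering: B's content is altered in transit and the outer
    # layer re-signed with C's key; B's own signature still exposes the change.
    c = build_sample()
    c["packet"]["prev"]["packet"]["payload"] = "altered"
    c["sig"] = sign(KEYS["C"], canon(c["packet"]))
    return c
```

The tampered sample shows why the inner signatures matter: a change that is re-signed at the last hop still fails at the (N-1)th network's signature, and a path whose innermost packet is not from the expected source is rejected even when every signature checks out.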
PCT/CN2018/125840 2018-01-12 2018-12-29 Data transmission method and device, network apparatus, and storage medium WO2019137268A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810029643.7A CN110035036B (en) 2018-01-12 2018-01-12 Data transmission method, device, network equipment and storage medium
CN201810029643.7 2018-01-12

Publications (1)

Publication Number Publication Date
WO2019137268A1 true WO2019137268A1 (en) 2019-07-18

Family

ID=67218449

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/125840 WO2019137268A1 (en) 2018-01-12 2018-12-29 Data transmission method and device, network apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN110035036B (en)
WO (1) WO2019137268A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114257465A (en) * 2020-09-11 2022-03-29 中国移动通信有限公司研究院 Equipment interaction method, device, system, super node and storage medium

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
CN112865975A (en) * 2019-11-12 2021-05-28 中国电信股份有限公司 Message security interaction method and system, and signaling security gateway device

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1921487A (en) * 2006-09-19 2007-02-28 清华大学 Identifying method for IPv6 actual source address between autonomy systems based on signature
US20160006714A1 (en) * 2005-04-22 2016-01-07 Microsoft Technology Licensing, Llc Protected media pipeline
CN105791244A (en) * 2014-12-26 2016-07-20 中国电信股份有限公司 Method, boundary router and system for controlling inter-domain routing change

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN101610150B (en) * 2009-07-22 2015-08-12 中兴通讯股份有限公司 Third-party digital signature method and data transmission system
CN101867933B (en) * 2010-05-28 2013-04-03 东南大学 Secure routing method based on public key digital signature and routing malicious detection
US8879392B2 (en) * 2012-04-26 2014-11-04 Hewlett-Packard Development Company, L.P. BGP security update intercepts
CN103929357A (en) * 2013-01-11 2014-07-16 浙江大华技术股份有限公司 Data transmission method and network equipment
WO2016149355A1 (en) * 2015-03-16 2016-09-22 Convida Wireless, Llc End-to-end authentication at the service layer using public keying mechanisms
CN106911513B (en) * 2016-12-14 2019-12-13 中国电子科技集团公司第三十研究所 trusted device management method based on decentralized network
CN106453430A (en) * 2016-12-16 2017-02-22 北京瑞卓喜投科技发展有限公司 Method and device for verifying encrypted data transmission paths

Patent Citations (3)

Publication number Priority date Publication date Assignee Title
US20160006714A1 (en) * 2005-04-22 2016-01-07 Microsoft Technology Licensing, Llc Protected media pipeline
CN1921487A (en) * 2006-09-19 2007-02-28 清华大学 Identifying method for IPv6 actual source address between autonomy systems based on signature
CN105791244A (en) * 2014-12-26 2016-07-20 中国电信股份有限公司 Method, boundary router and system for controlling inter-domain routing change

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN114257465A (en) * 2020-09-11 2022-03-29 中国移动通信有限公司研究院 Equipment interaction method, device, system, super node and storage medium
CN114257465B (en) * 2020-09-11 2023-09-05 中国移动通信有限公司研究院 Equipment interaction method, device, system, super node and storage medium

Also Published As

Publication number Publication date
CN110035036B (en) 2021-01-15
CN110035036A (en) 2019-07-19

Similar Documents

Publication Publication Date Title
CN107980216B (en) Communication method, device, system, electronic equipment and computer readable storage medium
EP3073668B1 (en) Apparatus and method for authenticating network devices
US7913086B2 (en) Method for remote message attestation in a communication system
WO2022095244A1 (en) Cross-chain transaction method, system and apparatus, device, and storage medium
WO2022143798A1 (en) Method for verifying cross-chain transaction, and terminal device and readable storage medium
BR112017016047A2 (en) methods of transmitting a packet and packets containing digital data through a cloud and digital data transmission through a cloud.
US11184336B2 (en) Public key pinning for private networks
US20180145837A1 (en) Establishing a secure connection across secured environments
US11558399B2 (en) Network transmission path verification
CN109309684A (en) A kind of business access method, apparatus, terminal, server and storage medium
WO2019137268A1 (en) Data transmission method and device, network apparatus, and storage medium
CN114867014A (en) Internet of vehicles access control method, system, medium, equipment and terminal
CN110474922A (en) A kind of communication means, PC system and access control router
CN113630244A (en) End-to-end safety guarantee method facing communication sensor network and edge server
EP3861445B1 (en) Method and apparatus for secure and verifiable composite service execution and fault management on blockchain
Bartlett et al. IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS
Joshi Network security: know it all
US10693849B2 (en) Sending message in multilayer system
Badertscher et al. On composable security for digital signatures
Laštinec Security extension of automotive communication protocols using ethernet/ip
Liu et al. A blockchain based scheme for authentic telephone identity
US20230379146A1 (en) Securing network communications using dynamically and locally generated secret keys
NASCIMENTO Design and Development of IDS for AVB/TSN
Hirschler et al. Secure Deterministic L2/L3 Ethernet Networking for Integrated Architectures
Tuovinen FPGA implementation of confidential computing enclave

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18899456

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18899456

Country of ref document: EP

Kind code of ref document: A1