WO2019137268A1 - Data transmission method and device, network apparatus, and storage medium - Google Patents


Info

Publication number
WO2019137268A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
data packet
sent
received data
received
Prior art date
Application number
PCT/CN2018/125840
Other languages
English (en)
Chinese (zh)
Inventor
齐旻鹏
刘福文
杨波
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2019137268A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information: the source of the received data

Definitions

  • the present disclosure relates to the field of network security technologies, and in particular, to a data transmission method, apparatus, network device, and storage medium.
  • IPsec (Internet Protocol Security)
  • an IPsec connection can be applied between the two NEs in the network domain, selected according to the actual deployment.
  • when carrier networks cannot be connected directly there are security risks: when non-adjacent carrier networks attempt to transmit data, the networks through which the data passes are not protected, and the information may be tampered with.
  • embodiments of the present disclosure provide a data transmission method, apparatus, network device, and storage medium.
  • the embodiment of the present disclosure provides a data transmission method, which is applied to a network device of an intermediate network, and includes:
  • the received data packet is a data packet sent by the source network and capable of reaching the target network through the at least one intermediate network;
  • the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network;
  • the received data packet is a data packet signed by a border device in the first network;
  • generating a data packet to be sent according to the received data packet and the processed data packet includes:
  • the received data packet and the corresponding signature and the processed data packet are packaged to obtain the to-be-sent data packet.
  • generating a data packet to be sent according to the received data packet and the processed data packet includes:
  • performing the transmission related processing on the received data packet according to the information of the target network includes:
  • when the signature of the received data packet is verified successfully, transmission related processing is performed on the received data packet according to the information of the target network.
  • the embodiment of the present disclosure further provides a data transmission method, which is applied to a network device of a target network, and includes:
  • the received data packet is a data packet sent by the source network and reaching the target network through the at least one intermediate network; the second network is the last hop network of the target network; the received data packet is a data packet signed by at least a border device in each network;
  • the signatures in the received data packets are sequentially verified until the source network is verified.
  • the path of the received data packet transmission passes through N networks; N is an integer greater than or equal to 2; and sequentially verifying the signatures in the received data packet from the second network until the source network is verified includes:
  • the second network is the Nth network of the path;
  • obtaining, from the received data packet, comparison information and a signature corresponding to the (N-1)th network; the comparison information characterizing the difference between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission related processing on the content of that data packet based on the target network;
  • the embodiment of the present disclosure further provides a data transmission apparatus, including:
  • a first receiving unit configured to receive a data packet sent by the first network;
  • the received data packet is a data packet sent by the source network and capable of reaching the target network through the at least one intermediate network;
  • the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network;
  • the received data packet is a data packet signed by a border device in the first network;
  • a first processing unit configured to: perform transmission related processing on content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; and sign the data packet to be sent;
  • the sending unit is configured to send the signed data packet to the next hop network.
  • the embodiment of the present disclosure further provides a data transmission apparatus, including:
  • a second receiving unit configured to receive a data packet sent by the second network;
  • the received data packet is a data packet sent by the source network and reaching the target network through the at least one intermediate network;
  • the second network is the last hop network of the target network;
  • the received data packet is a data packet signed by at least a border device in each network;
  • the second processing unit is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • the embodiment of the present disclosure further provides a network device, including:
  • a first communication interface configured to receive a data packet sent by the first network;
  • the received data packet is a data packet sent by the source network and capable of reaching the target network through the at least one intermediate network;
  • the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network;
  • the received data packet is a data packet signed by a border device in the first network;
  • a first processor configured to perform transmission related processing on the content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; and sign the data packet to be sent;
  • the first communication interface is further configured to send the signed data packet to the next hop network.
  • the first processor is configured to:
  • perform transmission related processing on the received data packet according to the information of the target network when the signature of the received data packet is verified successfully.
  • the embodiment of the present disclosure further provides a network device, including:
  • a second communication interface configured to receive a data packet sent by the second network;
  • the received data packet is a data packet sent by the source network and reaching the target network through the at least one intermediate network;
  • the second network is the last hop network of the target network;
  • the received data packet is a data packet signed by at least a border device in each network;
  • the second processor is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • the path of the received data packet transmission passes through N networks; N is an integer greater than or equal to 2; and the second processor is configured to:
  • the second network is the Nth network of the path; obtaining, from the received data packet, the data packet sent by the (N-1)th network and the corresponding signature; verifying the correspondence between the data packet sent by the (N-1)th network and the corresponding signature; and so on, until the correspondence between the data packet sent by the source network and the corresponding signature is verified;
  • the second network is the Nth network of the path; obtaining, from the received data packet, comparison information and the signature corresponding to the (N-1)th network, the comparison information characterizing the difference between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission related processing on the content of that data packet based on the target network; obtaining the data packet sent by the (N-1)th network by using the comparison information; verifying the correspondence between the data packet sent by the (N-1)th network and the corresponding signature; and so on, until the correspondence between the data packet sent by the source network and the corresponding signature is verified.
  • An embodiment of the present disclosure also provides a network device, including: a first processor and a first memory configured to store a computer program executable on the processor,
  • the first processor is configured to perform the steps of any method on the network device side of the intermediate network when the computer program is run.
  • Embodiments of the present disclosure also provide a network device, including: a second processor and a second memory configured to store a computer program executable on the processor,
  • the second processor is configured to perform the step of any method on the network device side of the target network when the computer program is run.
  • the embodiment of the present disclosure further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of any method on the network device side of the intermediate network, or the steps of any method on the network device side of the target network, are implemented.
  • in the source network, the data packet to be sent is signed and sent to the intermediate network; in the intermediate network, transmission related processing is performed on the content of the received data packet based on the information of the target network; a to-be-sent data packet is generated based on the received data packet and the processed data packet; the data packet to be sent is signed; and the signed data packet is transmitted to the next hop network;
  • in the target network, the data packet is received, and the signatures in the received data packet are verified in sequence, starting from the previous network, until the source network is verified. Since the data packet carries a signature corresponding to each network, each signature can be used to verify the corresponding network, so security protection of the data packet is achieved.
  • FIG. 1 is a schematic diagram of a connection relationship between two networks in the related art.
  • FIG. 2 is a schematic diagram of a connection relationship between multiple networks in an embodiment of the present disclosure.
  • FIG. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic flow chart of another data transmission method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic flowchart of a third data transmission method according to an embodiment of the present disclosure.
  • FIG. 6 is a schematic flowchart of a data transmission process according to an application embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another data transmission apparatus according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic structural diagram of a network device according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of another network device according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a data transmission system according to an embodiment of the present disclosure.
  • the network security between operators adopts an IP-based network domain security protection method (NDS/IP, Network Domain Security: IP network layer security); the method mainly divides the communication network into different network security domains, then places a security gateway at the boundary of each security domain.
  • IPsec needs to be applied on the border gateways of the two domains.
  • a security gateway needs to be placed on each border gateway (ie, SEG A and SEG B).
  • an IPsec connection can be optionally applied according to the actual deployment situation.
  • this security protection method is well adapted to the realistic scenario of centralized deployment by communication network operators, and on the other hand it can flexibly provide security protection between network domains, thereby ensuring security between two adjacent network domains.
  • end-to-end security cannot meet the security requirements of the communication network, because when the data packet passes through the intermediate network, the intermediate network needs to modify part of the content of the data packet, such as the source address and the destination address, to facilitate routing. If end-to-end protection is performed, the intermediate network cannot modify the contents of the packet, and the packets will not be forwarded normally, resulting in communication interruption.
  • multiple networks are connected together, and communication between all networks can be directly or indirectly transmitted through other networks, and there is no direct connection between some networks, one
  • the edge devices in the network have the ability to sign data packets, apply integrity protection to the data packets and provide signatures for the network; interconnected networks whose boundaries sign the packets are mutually trustworthy.
  • the embodiment of the present disclosure provides a data transmission method, which is applied to a network device of an intermediate network. As shown in FIG. 3, the method includes:
  • Step 301 Receive a data packet sent by the first network.
  • the received data packet is a data packet transmitted by the source network and capable of reaching the target network through at least one intermediate network.
  • the received data packet is a data packet signed by a border device in the first network.
  • the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network.
  • Step 302 Perform a transmission related process on the content of the received data packet based on the information of the target network.
  • the transmission related processing may include modifying a source address, a target address, and the like in the data packet to perform routing.
  • the intermediate network can verify the signature of the received data packet (also can be understood as verification).
  • in step 302, the signature of the received data packet is verified;
  • when the signature is verified successfully, transmission related processing is performed on the received data packet according to the information of the target network;
  • when the verification fails, an error message is returned to the first network, and transmission related processing is not performed on the received data packet based on the information of the target network.
  • Step 303 Generate a to-be-sent data packet based on the received data packet and the processed data packet.
  • the received data packet, the corresponding signature, and the processed data packet are packaged to obtain the data packet to be sent;
  • the received data packet is compared with the processed data packet to obtain comparison information.
  • one of the two methods may be selected according to the need to implement.
  • the received data packet, the corresponding signature, and the processed data packet are directly packaged to obtain the to-be-sent data packet.
  • the network device needs to first compare the received data packet with the processed data packet to obtain the difference between the two data packets, such as the source address and the target address, thereby obtaining the comparison information; and then package the processed data packet, the comparison information, and the signature corresponding to the received data packet to obtain the to-be-sent data packet.
  • Step 304 Sign the data packet to be sent.
  • the signature algorithm may be RSA, ElGamal, Fiat-Shamir, Guillou-Quisquarter, Schnorr, Ong-Schnorr-Shamir digital signature algorithm, Des/DSA, elliptic curve digital signature algorithm or finite automaton digital signature algorithm.
  • the embodiment of the present disclosure does not limit this.
  • Step 305 Send the signed data packet to the next hop network.
  • the next hop network may be determined according to information of the target network, which is an intermediate network or the target network.
  • the signature is used to verify the corresponding network.
  • the embodiment of the present disclosure further provides a data transmission method, which is applied to a network device of a target network, as shown in FIG. 4, the method includes:
  • Step 401 Receive a data packet sent by the second network.
  • the received data packet is a data packet sent by the source network and reaching the target network through at least one intermediate network; meanwhile, the received data packet is a data packet signed by at least a border device in each network.
  • the path of the received data packet transmission passes through N networks; N is an integer greater than or equal to 2. More specifically, the received data packet is counted from the source network to the first network, and reaches the target network through the N networks, that is, the N networks include the source network and the at least one intermediate network.
  • the second network is a last hop network of the target network.
  • Step 402 Starting from the second network, verify signatures in the received data packets in sequence until the source network is verified.
  • the verification process includes:
  • the second network is the Nth network of the path;
  • the verification process includes:
  • the second network is the Nth network of the path;
  • obtaining, from the received data packet, comparison information and a signature corresponding to the (N-1)th network; the comparison information characterizing the difference between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission related processing on the content of that data packet based on the target network;
  • a process in which a data packet is transmitted from a source network to a target network includes:
  • Step 501 The network device in the source network signs the to-be-sent data packet and sends the data packet to the intermediate network.
  • Step 502 The network device of the intermediate network performs transmission related processing on the content of the received data packet based on the information of the target network.
  • Step 503 The network device of the intermediate network generates a to-be-sent data packet based on the received data packet and the processed data packet, and signs the data packet to be sent, and sends the signed data packet to the next hop network.
  • the network devices of the multiple intermediate networks perform steps 502-503, that is, after the network device of each intermediate network receives the data packet, steps 502 and 503 need to be performed to transfer the packet to the target network.
  • Step 504 The target network receives the data packet, starts with the previous network of itself, and sequentially verifies the signature in the received data packet until the source network is verified.
  • the source network refers to the initial network corresponding to a data packet, which can be understood as the network that initially sends the data packet; correspondingly, the target network refers to the final network corresponding to a data packet, which can be understood as the network at which the data packet finally arrives.
  • in the source network, the data packet to be sent is signed and sent to the intermediate network; in the intermediate network, transmission related processing is performed on the content of the received data packet based on the information of the target network.
  • the process of data transmission in this application embodiment, as shown in FIG. 6, includes the following steps:
  • Step 601 Any network element in the source network sends a data packet m, and the data packet m is not protected.
  • Step 602 When the data packet reaches the boundary of the source network, the data packet is signed sig(m) by the boundary network element, and sent to the intermediate network.
  • the packet is a signed packet [m, sig(m)].
  • Step 603 After the signed data packet [m, sig(m)] reaches the directly connected intermediate network, the signature of the data packet is verified by the intermediate network; if the verification passes, step 604 is continued.
  • Step 604 After receiving the data packet, the intermediate network may modify the content of the data packet (the modified data packet is recorded as m'), and sends it to the next network based on the information of the target network (the next network may be an intermediate network or the target network);
  • Step 605 When the data packet of the intermediate network reaches the boundary of the intermediate network, the border network element signs the data packet M to be sent, obtaining sig(M), and sends the data.
  • when the receiving network of the data packet is still an intermediate network, the receiving network treats the signed transmission data [M, sig(M)] as [m, sig(m)], and steps 603 to 605 are performed.
  • the border network element (such as a border gateway, etc.) needs to generate a data packet to be sent and perform signature.
  • Step 606 After receiving the data packet, the target network sequentially verifies the correctness of the signature from the previous network until the source network is verified.
  • the target network first verifies the correspondence between M and sig(M) of the previous network. Assume the previous network is the nth network, that the data packet it received from the network before it is M_{n-1}, and that its modified data packet is m_n.
  • the correspondence with each earlier network is then verified backwards in turn (M_{n-1} against sig(M_{n-1}), then against sig(M_{n-2}), and so on) until the source network is verified, i.e. m against sig(m).
  • the solution provided by the embodiment of the present disclosure is a new untrusted inter-domain data transfer protection method, in which the data packet receives hop-by-hop security protection between network domains, and thus can achieve the following effects:
  • the target network can verify the original information of the data packet
  • the target network can find out which network the change occurred on.
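The hop-by-hop chain of steps 601 to 606, as an added example in Python that is not part of the patent: each border device signs the packet it forwards, an intermediate network records which routing fields it rewrote (the comparison-information variant of step 303), and the target unwinds the chain to verify every network back to the source and to list which network changed which field. The per-network HMAC keys, the JSON packet layout, the `chain` field and the addresses are constructed stand-ins for the RSA/ECDSA signatures and packet format that the patent leaves open.

```python
import hashlib
import hmac
import json

# Constructed per-network signing keys. The patent lets each border device use
# RSA, ECDSA, etc.; an HMAC keyed per network stands in so this runs offline.
KEYS = {
    "source": b"constructed-source-border-key",
    "transit-1": b"constructed-transit-1-border-key",
    "transit-2": b"constructed-transit-2-border-key",
}


def canon(body: dict) -> bytes:
    """Canonical encoding so every hop signs and verifies identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(network: str, body: dict) -> str:
    return hmac.new(KEYS[network], canon(body), hashlib.sha256).hexdigest()


def verify(network: str, body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(network, body), sig)


def source_send(m: dict) -> dict:
    """Steps 601-602: the source border element signs the unprotected packet m.
    'chain' (constructed field) collects one entry per network the packet leaves."""
    body = dict(m, chain=[])
    return {"network": "source", "body": body, "sig": sign("source", body)}


def intermediate_forward(network: str, received: dict, routing: dict) -> dict:
    """Steps 603-605 for one intermediate network (comparison-information variant):
    verify the previous hop, rewrite routing fields for the target, record the
    old values of the fields changed, and sign the packet to be sent."""
    prev = received["network"]
    if not verify(prev, received["body"], received["sig"]):
        # Verification failed: an error goes back to the previous network and
        # no transmission related processing is done.
        raise ValueError(f"{network}: signature of {prev} does not verify")
    old = received["body"]
    if set(routing) - set(old):
        raise ValueError("only existing header fields are rewritten in this model")
    processed = dict(old, **routing)            # e.g. src/dst rewritten for routing
    comparison = {k: old[k] for k in routing if old[k] != routing[k]}
    processed["chain"] = old["chain"] + [
        {"network": prev, "sig": received["sig"], "comparison": comparison}
    ]
    return {"network": network, "body": processed, "sig": sign(network, processed)}


def target_verify(received: dict) -> list:
    """Step 606: verify from the last-hop network back to the source.
    Returns [(network, {field: (before, after)})] in path order; raises on the
    first signature that does not verify, naming the network whose signature it is."""
    network, body, sig = received["network"], received["body"], received["sig"]
    trail = []
    while True:
        if not verify(network, body, sig):
            raise ValueError(f"signature of {network} does not verify")
        if not body["chain"]:                   # back at the source's [m, sig(m)]
            trail.append((network, {}))
            return list(reversed(trail))
        entry = body["chain"][-1]
        # Undo this network's rewrites to rebuild the packet the previous network signed.
        prev_body = dict(body, chain=body["chain"][:-1], **entry["comparison"])
        changes = {k: (entry["comparison"][k], body[k]) for k in entry["comparison"]}
        trail.append((network, changes))
        network, body, sig = entry["network"], prev_body, entry["sig"]


def demo_path(tamper: bool = False) -> list:
    """Source -> transit-1 -> transit-2 -> target over the constructed keys above."""
    pkt = source_send({"src": "10.0.0.1", "dst": "10.3.0.9", "payload": "hello"})
    pkt = intermediate_forward("transit-1", pkt, {"src": "10.1.0.1"})
    pkt = intermediate_forward("transit-2", pkt, {"src": "10.2.0.1"})
    if tamper:
        # Content altered on the unprotected link after transit-2 signed it:
        # the target's check of transit-2's signature fails, locating the change.
        pkt["body"]["payload"] = "hullo"
    return target_verify(pkt)
```

Because the payload is never part of any hop's comparison information, any change to it other than by the signing border device breaks the chain at exactly the hop after which it happened.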
  • the embodiment of the present disclosure further provides a data transmission device, which is disposed in the network device of the intermediate network. As shown in FIG. 7, the device includes:
  • the first receiving unit 71 is configured to receive a data packet sent by the first network; the received data packet is a data packet that is sent by the source network and can reach the target network through the at least one intermediate network; the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network; the received data packet is a data packet signed by a border device in the first network;
  • the first processing unit 72 is configured to: perform transmission related processing on the content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; and sign the data packet to be sent;
  • the sending unit 73 is configured to send the signed data packet to the next hop network.
  • the first processing unit 72 is specifically configured to:
  • verify the signature of the received data packet (which can also be understood as verification by the intermediate network);
  • the first processing unit 72 is specifically configured to:
  • when the signature of the received data packet is verified successfully, perform transmission related processing on the received data packet according to the information of the target network;
  • when the verification fails, the first processing unit 72 returns an error message to the first network, and does not perform transmission related processing on the received data packet based on the information of the target network.
  • the first receiving unit 71 and the transmitting unit 73 may be implemented by a communication interface in a data transmission device; the first processing unit 72 may be implemented by a processor in the data transmission device.
  • the embodiment of the present disclosure further provides a data transmission device, which is disposed in a network device of the target network, as shown in FIG.
  • the second receiving unit 81 is configured to receive a data packet sent by the second network; the received data packet is a data packet sent by the source network that reaches the target network through the at least one intermediate network; the second network is the last hop network of the target network; the received data packet is a data packet signed by at least a border device in each network;
  • the second processing unit 82 is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • the received data packet is a data packet sent by the source network and reaching the target network through at least one intermediate network; meanwhile, the received data packet is a data packet signed by at least a border device in each network.
  • the path of the received data packet transmission passes through N networks; N is an integer greater than or equal to 2. More specifically, the received data packet is counted from the source network to the first network, and reaches the target network through the N networks, that is, the N networks include the source network and the at least one intermediate network.
  • when the data packet to be sent is generated in the foregoing manner, the second processing unit 82 is specifically configured to:
  • the second network is the Nth network of the path;
  • the second processing unit 82 is specifically configured to:
  • the second network is the Nth network of the path;
  • obtain, from the received data packet, comparison information and a signature corresponding to the (N-1)th network; the comparison information characterizing the difference between the data packet sent by the (N-1)th network and the data packet obtained after the Nth network performs transmission related processing on the content of that data packet based on the target network;
  • the second receiving unit 81 can be implemented by a communication interface in the data transmission device; the second processing unit 82 can be implemented by a processor in the data transmission device.
  • the embodiment of the present disclosure further provides a network device.
  • the network device 90 includes:
  • the first communication interface 91 is capable of performing information interaction with other network devices
  • the first processor 92 is connected to the first communication interface 91 to implement information interaction with other network devices, and is configured to perform the method provided by one or more technical solutions on the network device side of the intermediate network when the computer program is run.
  • the first communication interface 91 is configured to receive a data packet sent by the first network; the received data packet is a data packet that is sent by the source network and can reach the target network through the at least one intermediate network; the first network is a source network corresponding to the received data packet or an intermediate network of the at least one intermediate network; the received data packet is a data packet signed by a border device in the first network;
  • the first processor 92 is configured to: perform transmission related processing on the content of the received data packet based on information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; and sign the data packet to be sent;
  • the first communication interface 91 is further configured to send the signed data packet to the next hop network.
  • the first processor 92 is specifically configured to: perform transmission-related processing on the content of the received data packet according to the information of the target network.
  • the network device 90 may further include: a first memory 93.
  • the various components in the network device 90 are coupled together by a bus system 94.
  • bus system 94 is configured to enable connection communication between these components.
  • the bus system 94 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus.
  • various buses are labeled as bus system 94 in FIG.
  • the number of the first processors 92 is at least one.
  • the first memory 93 in an embodiment of the present disclosure is configured to store various types of data to support operation of the network device 90. Examples of such data include any computer program configured to operate on network device 90.
  • the method disclosed in the above embodiments of the present disclosure may be applied to the first processor 92 or implemented by the first processor 92.
  • the first processor 92 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the first processor 92 or an instruction in a form of software.
  • the first processor 92 described above may be a general purpose processor, a digital signal processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • the first processor 92 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present disclosure.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present disclosure may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium located in the first memory 93, the first processor 92 reading the information in the first memory 93, in conjunction with its hardware, to perform the steps of the foregoing method.
  • the network device 90 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components configured to perform the aforementioned method.
  • the embodiment of the present disclosure further provides a network device.
  • the network device 100 includes:
  • the second communication interface 101 is capable of performing information interaction with other network devices
  • the second processor 102 is connected to the second communication interface 101 to implement information interaction with other network devices, and is configured to perform, when the computer program is run, the method provided by one or more technical solutions on the network device side of the target network.
  • the second communication interface 101 is configured to receive a data packet sent by the second network; the received data packet is a data packet that is sent by the source network and reaches the target network through the at least one intermediate network; the second network is the previous-hop network of the target network; the received data packet is a data packet signed by at least a border device in each network;
  • the second processor 102 is configured to, from the second network, verify the signatures in the received data packets in sequence until the source network is verified.
  • the path over which the received data packet is transmitted passes through N networks, N being an integer greater than or equal to 2; and the second processor 102 is specifically configured to:
  • where the second network is the Nth network of the path, obtain from the received data packet the data packet sent by the (N-1)th network and the corresponding signature; verify the correspondence between the data packet sent by the (N-1)th network and the corresponding signature; and so on, until the correspondence between the data packet sent by the source network and the corresponding signature is verified; or
  • where the second network is the Nth network of the path, obtain from the received data packet comparison information and the signature corresponding to the (N-1)th network; the comparison information characterizes the deviation between the data packet sent by the (N-1)th network and the data packet obtained when the Nth network performs transmission-related processing on the content of that packet based on the target network information; obtain the data packet sent by the (N-1)th network by using the comparison information; verify the correspondence between the data packet sent by the (N-1)th network and the corresponding signature; and so on, until the correspondence between the data packet sent by the source network and the corresponding signature is verified.
  • the network device 100 may further include: a second memory 103.
  • the various components in network device 100 are coupled together by bus system 104.
  • the bus system 104 is configured to enable connection communication between these components.
  • the bus system 104 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus.
  • various buses are labeled as bus system 104 in FIG.
  • the number of the second processors 102 is at least one.
  • the second memory 103 in an embodiment of the present disclosure is configured to store various types of data to support operation of the network device 100. Examples of such data include any computer program configured to operate on network device 100.
  • the method disclosed in the above embodiments of the present disclosure may be configured in the second processor 102 or implemented by the second processor 102.
  • the second processor 102 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the second processor 102 or an instruction in a form of software.
  • the second processor 102 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like.
  • the second processor 102 can implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present disclosure.
  • a general purpose processor can be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present disclosure may be directly implemented as a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium located in the second memory 103, the second processor 102 reading the information in the second memory 103, and completing the steps of the foregoing method in combination with its hardware.
  • network device 100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general purpose processors, controllers, MCUs, Microprocessors, or other electronic components configured to perform the aforementioned methods.
  • the memories (first memory 93 and second memory 103) of embodiments of the present disclosure may be either volatile memory or non-volatile memory, and may include both volatile and non-volatile memory.
  • the non-volatile memory may be a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory can be a disk storage or a tape storage.
  • the volatile memory can be a Random Access Memory (RAM) that acts as an external cache. Forms of RAM include Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM).
  • the embodiment of the present disclosure further provides a data transmission system. As shown in FIG. 11, the system includes:
  • the network device 111 is located in the source network and configured to sign the to-be-sent data packet and send it to the intermediate network.
  • the network device 112 is located in the intermediate network and is configured to receive the data packet; perform transmission-related processing on the content of the received data packet based on the information of the target network; generate a to-be-sent data packet based on the received data packet and the processed data packet; sign the to-be-sent data packet; and send the signed data packet to the next hop network;
  • the network device 113 is located in the target network and is configured to receive the data packet and, starting from its own previous-hop network, sequentially verify the signatures in the received data packet until the source network is verified.
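The three roles of the system (source signer, intermediate re-signer, target chain verifier) and the comparison-information variant of the verification, as an added example that is not part of the patent. Constructed assumptions: HMAC-SHA256 with a per-network key known to the verifier stands in for each border device's digital signature, `process()` stands in for the target-based transmission processing, and the comparison information is a difflib opcode list from which the target rebuilds the previous hop's content.

```python
"""Per-hop signing and chained verification (added example, not the patent's
code).  Constructed assumptions: HMAC-SHA256 with a per-network key known to
the verifier stands in for each border device's signature; process() stands in
for the target-based processing; comparison info is a difflib opcode list."""
import hashlib
import hmac
import json
from difflib import SequenceMatcher

KEYS = {"net1": b"source-key", "net2": b"transit-key", "net3": b"transit-key-2"}  # constructed

def canonical(pkt):
    # Deterministic encoding so a signature survives serialisation and parsing.
    return json.dumps(pkt, sort_keys=True, separators=(",", ":")).encode()

def sign(network, pkt):
    return hmac.new(KEYS[network], canonical(pkt), hashlib.sha256).hexdigest()

def process(content, target):
    # Stand-in transform: qualify the destination with the target network.
    return content.replace("dst=", f"dst={target}/", 1)

def comparison_info(new, old):
    # Each opcode's span in new plus the old text it replaced or deleted.
    ops = SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
    return [[tag, j1, j2, old[i1:i2] if tag in ("delete", "replace") else ""]
            for tag, i1, i2, j1, j2 in ops]

def reconstruct(new, info):
    # Rebuild the previous hop's content from the content actually received.
    return "".join(new[j1:j2] if tag == "equal" else removed
                   for tag, j1, j2, removed in info)

def originate(network, content):
    # Source network: sign the packet to be sent.
    pkt = {"sender": network, "content": content, "prev": None}
    return pkt, sign(network, pkt)

def forward(network, received, sig, target):
    # Intermediate network: process for the target, embed the previous hop's
    # comparison info and signature, then sign the packet to be sent.
    content = process(received["content"], target)
    pkt = {"sender": network, "content": content,
           "prev": {"sender": received["sender"], "sig": sig,
                    "cmp": comparison_info(content, received["content"]),
                    "prev": received["prev"]}}
    return pkt, sign(network, pkt)

def verify_chain(pkt, sig):
    # Target network: check the previous hop's signature, rebuild its packet,
    # repeat until the source is verified.  Returns the senders or None.
    verified = []
    while True:
        sender = pkt["sender"]
        if sender not in KEYS or not hmac.compare_digest(sign(sender, pkt), sig):
            return None
        verified.append(sender)
        prev = pkt["prev"]
        if prev is None:  # the source network has been verified
            return verified
        pkt = {"sender": prev["sender"], "prev": prev["prev"],
               "content": reconstruct(pkt["content"], prev["cmp"])}
        sig = prev["sig"]
```

Because each hop signs over the previous hop's signature and comparison info, altering the content, the embedded signature, or the claimed sender at any point breaks the chain at the target.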
  • an embodiment of the present disclosure further provides a storage medium, that is, a computer storage medium, particularly a computer readable storage medium, for example including a first memory 93 storing a computer program, which can be executed by the first processor 92 of the network device 90 to perform the steps described in the foregoing methods.
  • a second memory 103 storing a computer program can be included, which can be executed by the second processor 102 of the network device 100 to perform the steps described in the foregoing methods.
  • the computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM.


Abstract

The invention relates to a data transmission method and device, a network apparatus, and a storage medium. The method comprises: receiving a data packet sent by a first network, the received data packet being a data packet sent by a source network and able to reach a target network through at least one intermediate network, the first network being the source network corresponding to the received data packet or an intermediate network among the at least one intermediate network, and the received data packet being a data packet signed by a border apparatus of the first network; performing, on the content of the received data packet, transmission-related processing based on information of the target network; generating a data packet to be transmitted based on the received data packet and the processed data packet; signing the data packet to be transmitted; and transmitting the signed data packet to a next-hop network.
PCT/CN2018/125840 2018-01-12 2018-12-29 Procédé et dispositif de transmission de données, appareil de réseau, et support de stockage WO2019137268A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810029643.7A CN110035036B (zh) 2018-01-12 2018-01-12 数据传输方法、装置、网络设备及存储介质
CN201810029643.7 2018-01-12

Publications (1)

Publication Number Publication Date
WO2019137268A1 true WO2019137268A1 (fr) 2019-07-18

Family

ID=67218449

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/125840 WO2019137268A1 (fr) 2018-01-12 2018-12-29 Procédé et dispositif de transmission de données, appareil de réseau, et support de stockage

Country Status (2)

Country Link
CN (1) CN110035036B (fr)
WO (1) WO2019137268A1 (fr)


Also Published As

Publication number Publication date
CN110035036B (zh) 2021-01-15
CN110035036A (zh) 2019-07-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18899456

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18899456

Country of ref document: EP

Kind code of ref document: A1