WO2020248906A1 - Method and device for secure data transmission in a smart identification network (智融标识网络的安全数据传输方法和装置) - Google Patents
- Publication number: WO2020248906A1 (PCT application PCT/CN2020/094554)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data packet, obfuscated, encryption, update, obfuscated encryption
Classifications
- CPC (all under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security):
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption (via H04L63/04, H04L63/0428)
- H04L63/1441—Countermeasures against malicious traffic (via H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (via H04L63/20)
Definitions
- This application relates to the field of computer network communication technology, and in particular, to a method and device for secure data transmission in a smart identification network.
- the smart identification network (智融标识网络) system dynamically perceives the network status and intelligently matches service requirements, and then selects a suitable network group and its internal components to provide intelligent services.
- through the introduction of behavior matching, behavior clustering, network complex behavior game decision-making and other mechanisms, it achieves dynamic adaptation and coordinated scheduling of resources, greatly improving the utilization of network resources, reducing network energy consumption and significantly improving user experience.
- the security of the smart identification network is therefore particularly important.
- RSA (Ron Rivest, Adi Shamir, and Leonard Adleman)
- the improvement of computing power includes the growth of the distributed computing power of the many computers connected to the network, due to the development of computer networks, and the growth of the computing power of supercomputers. Long keys are safe for a long time.
- most of the obfuscated encryption methods for data packets in the existing Internet are static and cannot be dynamically updated, and so cannot effectively guarantee the security of the smart identification network.
- the embodiments of the present application provide a method and device for secure data transmission in a smart identification network to overcome the problems of the prior art.
- a method for secure data transmission in a smart identification network, including:
- Step S110: after receiving the obfuscated encrypted data packet from the sender device, the receiver device parses the data packet to obtain the values of the obfuscated encryption method flag and the update flag in the data packet;
- Step S120: the receiver device queries the encryption rule database with the value of the obfuscated encryption method flag to obtain the decryption algorithm, decrypts the data packet with that algorithm, and judges from the value of the update flag whether the obfuscated encryption method needs to be updated; if so, step S130 is executed;
- Step S130: the receiver device selects a new obfuscated encryption method using a value computed from the receiver's system time and the timestamp in the data packet as the seed, and returns the new obfuscated encryption method to the sender device;
- Step S140: after receiving the new obfuscated encryption method, the sender device obfuscates and encrypts the data packet according to the new obfuscated encryption method and sends the obfuscated encrypted data packet to the receiver device.
- the data packet includes an update flag bit, a confirmation update flag bit, an obfuscated encryption method flag bit and a timestamp; the obfuscated encryption method flag has a length of 14 bits and indicates the obfuscated encryption method adopted by the data packet, and the value of the obfuscated encryption method flag and the obfuscated encryption policies in the obfuscated encryption policy database are mutually mapped.
- the timestamp has a length of 32 bits and marks the time of the data packet; the timestamp is used as a seed value for the strategy selection operation.
- the update flag bit has a length of 1 bit; when the update flag bit is 1, the obfuscated encryption method is updated, and when it is 0, the obfuscated encryption method is not updated;
- the confirmation update flag has a length of 1 bit.
- when the confirmation update flag is 1, the obfuscated encryption method has been confirmed to be updated; when it is 0, the obfuscated encryption method has not been updated.
- the method further includes:
- when the sender device initiates communication for the first time, the payload of the data packet sent by the sender device contains obfuscated encryption database information;
- the receiver device receives the data packet with which the sender device initiates communication for the first time, extracts the obfuscated encryption method database information from the data packet, and collates it with the local obfuscated encryption method database to obtain the obfuscated encryption policy database information jointly maintained by the sender device and the receiver device; this information is encapsulated in a response data packet, and the response data packet is sent to the sender device;
- after receiving the response data packet, the sender device extracts from it the obfuscated encryption strategy database information jointly maintained by the sender device and the receiver device, and selects an obfuscated encryption strategy from it.
- the sender device encapsulates the selected obfuscated encryption strategy in a policy confirmation request packet and sends it to the receiver device;
- after receiving the policy confirmation request packet from the sender device, the receiver device extracts and stores the obfuscated encryption strategy selected by the sender device, and sends a policy confirmation response packet to the sender device;
- after receiving the policy confirmation response packet returned by the receiver device, the sender device obfuscates and encrypts the data packet according to the obfuscated encryption policy confirmed by both parties, and sends the obfuscated encrypted data packet to the receiver device.
- a secure data transmission device for a smart identification network, including: a data packet processing module, a clock module, an arithmetic module, an obfuscated encryption strategy database module and a controller;
- the data packet processing module is used to obfuscate and encrypt the data packet according to the set obfuscated encryption method, to encapsulate the update flag bit, the confirmation update flag bit, the obfuscated encryption method flag bit and the timestamp into the data packet, and to determine, according to the status information of the data packet, when to initiate an update request for the obfuscated encryption algorithm; it also parses received data packets and receives control information issued by the controller to update the packet processing strategy and packet encapsulation format;
- the clock module is used to provide clock information;
- the arithmetic module is used to perform operations on data, to select and update the value of the flag bit by performing modulo operations on random numbers, and to extract the timestamp from the clock and provide it to the data packet processing module;
- the obfuscated encryption strategy database module is used to store obfuscated encryption strategies, obfuscated encryption strategy labels, etc. in a database, and to receive control information issued by the controller to update the obfuscated encryption strategy database;
- the controller is used to issue control information to the data packet processing module to update the packet processing strategy and packet encapsulation format, to generate the obfuscated forwarding strategy of the data packet and send it to the obfuscated encryption strategy database module, and to issue control information to the obfuscated encryption strategy database module to update the obfuscated encryption policy database.
- the device further includes:
- a status information processing module, used to process the status information of the data packet, preprocess the timestamp information of the data packet, and determine whether the device should actively initiate a request to update the obfuscated encryption algorithm.
- the device includes: a sender device and a receiver device.
- the working mode is full duplex.
- the initiation of a strategy update supports two modes: manual initiation by the user, and automatic initiation by the device according to the status information of the data packet.
- the data packet processing module is specifically configured to encapsulate the sent data packet: it obfuscates and encrypts the data packet according to the specified obfuscated encryption method in the obfuscated encryption policy database, encapsulates the update flag bit, confirmation update flag bit, obfuscated encryption method flag bit and timestamp into the data packet, and determines when to initiate an update request for the obfuscated encryption algorithm according to the state information of the data packet; the parsing order and content of the data packet header are defined according to certain flag fields of the data packet.
- the obfuscated encryption method flag bit is parsed in the agreed parsing manner, and the next set of data packets is obfuscated and encrypted according to the obfuscated encryption method in the obfuscated encryption policy database; control information issued by the controller is received to update the packet processing strategy and packet encapsulation format;
- the data packet processing module is specifically configured, after receiving the obfuscated encrypted data packet from the sender device, to parse the data packet to obtain the values of the obfuscated encryption method flag bit and the update flag bit, to query the encryption rule database with the value of the obfuscated encryption method flag bit to obtain the decryption algorithm, to decrypt the data packet with that algorithm, and to determine from the value of the update flag bit whether the obfuscated encryption method needs to be updated.
- the data packet processing module in the sender device is specifically configured to include obfuscated encryption database information in the payload of the sent data packet when the sender device initiates communication for the first time;
- the data packet processing module in the receiver device is specifically configured to receive the data packet with which the sender device initiates communication for the first time, extract the obfuscated encryption method database information from the data packet, check it against the local obfuscated encryption method database to obtain the obfuscated encryption policy database information jointly maintained by the sender device and the receiver device, encapsulate that information in a response data packet, and send the response data packet to the sender device;
- the data packet processing module in the sender device is specifically configured, after receiving the response data packet, to extract from it the obfuscated encryption policy database information jointly maintained by the sender device and the receiver device, choose an obfuscated encryption strategy from it, encapsulate the selected obfuscated encryption strategy in a policy confirmation request packet and send it to the receiver device;
- the data packet processing module in the receiver device is specifically configured, after receiving the policy confirmation request data packet from the sender device, to extract and store the obfuscated encryption strategy selected by the sender device and send a policy confirmation response packet to the sender device;
- the data packet processing module in the sender device is specifically configured, after receiving the policy confirmation response data packet returned by the receiver device, to obfuscate and encrypt the data packet according to the obfuscated encryption strategy confirmed by both parties and send the obfuscated encrypted data packet to the receiver device.
- the obfuscated encryption strategy in the secure data transmission solution of the smart identification network of the application embodiment supports user definition and can be changed continuously, and so has higher security. Deciding whether to update the obfuscated encryption strategy based on the change of timestamp status can prevent replay attacks. Taking a value calculated from the receiver's system time and the timestamp in the data packet as the seed value of the selection algorithm, the sender and receiver do not need to synchronize their clocks.
- FIG. 1 is a schematic diagram of the implementation principle of a method for secure data transmission in a smart identification network provided by an embodiment of the present application.
- FIG. 2 is a schematic diagram of the processing flow of a method for secure data transmission in a smart identification network provided by an embodiment of the application.
- FIG. 3 is a schematic diagram of the implementation principle of a method for confirming an encryption strategy in obfuscated transmission data of a smart identification network provided by an embodiment of the present application.
- FIG. 4 is a schematic processing flow diagram of a method for confirming an encryption strategy in obfuscated transmission data of a smart identification network provided by an embodiment of the present application.
- FIG. 5 is a schematic diagram of a data packet structure in a method for secure data transmission in a smart identification network provided by an embodiment of the present application.
- FIG. 6 is a schematic structural diagram of a secure data transmission device for a smart identification network provided by an embodiment of the present application.
- FIG. 7 is a schematic diagram of an application scenario of an obfuscated transmission method for a smart identification network provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of the implementation principle of the secure data transmission method of the smart identification network according to an embodiment of this application.
- FIG. 2 is a schematic diagram of the processing flow of a secure data transmission method of the smart identification network provided by an embodiment of this application, which includes the following steps.
- Step S210: when the receiver receives the data packet from the sender, it obtains the obfuscated encryption method flag bit and the update flag bit by parsing the data packet, and determines the obfuscated encryption method of the data packet from the obfuscated encryption method flag bit;
- Step S220: the receiver queries the encryption rule database with the obfuscated encryption method flag bit to obtain the decryption algorithm, decrypts the data, and checks whether the update flag bit has reached the set threshold; if it has, proceed to step S230 (step S130 in the summary above), the threshold indicating that the obfuscated encryption method must be updated; if it has not, the process ends;
- the value of the above update flag bit is set to 1 automatically and randomly by the communication host according to the network environment, in order to update the obfuscated encryption method of the communicating parties.
- the update flag also supports setting by a command issued by the controller and setting by the user.
- the user setting has higher priority than the controller setting, and the controller setting has higher priority than the automatic random setting.
- the update flag can be set by a command issued by the controller.
- the controller sends an update instruction to the client, and the client sets the update flag to 1.
- the update flag can be set by the user.
- this function gives the user the ability to manually update the obfuscated encryption strategy after an emergency occurs; the flag can be set to 1 by the user.
- Step S230: the receiver uses a value calculated from the receiver's system time and the timestamp in the data packet as the seed to select a new obfuscated encryption method, and returns the new obfuscated encryption method to the sender; the calculated value may be the difference between the receiver's system time and the timestamp in the packet.
- Step S240: according to the received obfuscated encryption method, the sender sets the obfuscated encryption method flag bit, sets the update flag bit and sets the timestamp, and obfuscates the transmitted data with the new obfuscated encryption method.
- FIG. 3 is a schematic diagram of the implementation principle of a method for confirming an encryption strategy in obfuscated transmission data of a smart identification network provided by an embodiment of the present application.
- FIG. 4 is a processing flow diagram of the method for confirming an encryption strategy in obfuscated transmission data of a smart identification network in an embodiment of the present application, which includes the following steps:
- Step S410: the sender A initiates communication for the first time.
- the payload of the data packet sent by the sender A contains the database information of the obfuscated encryption method.
- Step S420: the receiver B receives the data packet with which the sender A initiates communication for the first time, extracts the obfuscated encryption method database information from the data packet and collates it with the local obfuscated encryption method database to obtain the obfuscated encryption strategy database information jointly maintained by A and B. B encapsulates the obfuscated encryption strategy database information jointly maintained by A and B in a response data packet and sends the response data packet to the sender A.
- Step S430: after the sender A receives the response data packet, it parses the response data packet to obtain the obfuscated encryption strategy database information jointly maintained by A and B, determines the set of obfuscated encryption strategies available for encrypted communication, and selects one obfuscated encryption strategy.
- the sender A encapsulates the selected obfuscated encryption strategy in a policy confirmation request packet and sends the policy confirmation request packet to the receiver B.
- Step S440: the receiver B receives the policy confirmation request packet from the sender A and parses it to obtain the obfuscated encryption strategy selected by the sender A. The receiver B stores this obfuscated encryption strategy in a register and sends a policy confirmation response packet to the sender A.
- Step S450: after receiving the policy confirmation response data packet returned by the receiver B, the sender A encapsulates the data packet according to the obfuscated encryption policy confirmed by the two parties, and the two parties start the encrypted communication shown in FIG. 2.
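The S410-S450 exchange as a worked example, written for this page and not taken from the patent: both sides' messages are modelled, B collates A's database against its own and stores only a strategy it actually offered. The message dicts, the use of set intersection as the "collation", the `min` selection policy for A and all names are assumptions; the patent fixes only the order of the exchange.

```python
"""First-contact negotiation of the jointly maintained obfuscated encryption
strategy database (steps S410-S450). Message shapes, set intersection as the
collation rule, and the refusal of a strategy outside the joint set are
assumptions for this example; the patent only gives the exchange order."""


def first_contact(a_db: dict) -> dict:
    """S410: A's first packet carries its obfuscated encryption database info."""
    return {"type": "first_contact", "strategies": sorted(a_db)}


class ReceiverB:
    """Receiver-side state for steps S420 and S440."""

    def __init__(self, b_db: dict):
        self.db = b_db
        self.joint = None   # strategies both sides hold, fixed at S420
        self.active = None  # strategy kept in the 'register' at S440

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "first_contact":
            # S420: collate A's list against the local database and answer
            # with the set jointly maintained by A and B.
            self.joint = sorted(set(msg["strategies"]) & set(self.db))
            return {"type": "db_response", "joint": self.joint}
        if msg["type"] == "confirm_request":
            # S440: accept only a strategy that appeared in the joint set B
            # itself sent; a request before S420 or for an unknown strategy
            # is refused rather than stored.
            if self.joint is None or msg["strategy"] not in self.joint:
                return {"type": "confirm_response", "ok": False}
            self.active = msg["strategy"]
            return {"type": "confirm_response", "ok": True,
                    "strategy": self.active}
        raise ValueError(f"unexpected message type {msg['type']!r}")


def negotiate(a_db: dict, b_db: dict, choose=min) -> str:
    """Drive the exchange from A's side and return the agreed strategy label.
    `choose` stands in for A's selection policy at S430, which the patent
    leaves open (here: the lexicographically smallest common label)."""
    b = ReceiverB(b_db)
    resp = b.handle(first_contact(a_db))                   # S410 -> S420
    if not resp["joint"]:
        raise RuntimeError("no obfuscated encryption strategy in common")
    pick = choose(resp["joint"])                             # S430
    confirm = b.handle({"type": "confirm_request", "strategy": pick})  # S440
    if not confirm["ok"]:
        raise RuntimeError("receiver refused the selected strategy")
    return confirm["strategy"]  # S450: A now encrypts with this strategy


# Constructed sample databases: label -> strategy parameters (omitted here).
A_DB = {"perm-A": None, "perm-B": None, "perm-C": None}
B_DB = {"perm-B": None, "perm-C": None, "perm-D": None}

if __name__ == "__main__":
    print(negotiate(A_DB, B_DB))  # perm-B
```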
- FIG. 5 is a schematic diagram of a data packet structure in a method for secure data transmission in a smart identification network provided by an embodiment of the present application.
- the update flag bit has a length of 1 bit.
- when the update flag bit is 1, the obfuscated encryption method is updated; when it is 0, the obfuscated encryption method is not updated.
- the confirmation update flag has a length of 1 bit.
- when the confirmation update flag is 1, the obfuscated encryption method has been confirmed to be updated.
- when the confirmation update flag is 0, the obfuscated encryption method has not been updated.
- the obfuscated encryption method flag has a length of 14 bits and indicates the obfuscated encryption method adopted by the data packet.
- the value of the obfuscated encryption method flag bit and the obfuscated encryption strategies in the obfuscated encryption strategy database are mutually mapped.
- the timestamp has a length of 32 bits and marks the time of the data packet; it can be used as the seed value of the strategy selection operation.
- the seed value may be carried in, but is not limited to, an extended packet header.
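The header layout described above and the receiver-side steps S110-S130 (S210-S230) as one worked example, added here and not part of the patent: it packs and parses the 1+1+14+32-bit header, resolves the decryption strategy from the method flag, and derives the replacement method from the receiver's clock and the packet timestamp. The field order (flags first, then timestamp), big-endian packing, the "difference modulo database size" selection rule, the `STRATEGY_DB` labels and all function names are assumptions.

```python
"""Obfuscated packet header (1-bit update, 1-bit confirm-update, 14-bit
method flag, 32-bit timestamp = 48 bits) and the receiver's update logic.
Field order, big-endian packing and the modulo selection rule are
assumptions for this example; the patent only gives the field widths."""
from dataclasses import dataclass
import struct

HEADER_LEN = 6  # (1 + 1 + 14 + 32) bits


@dataclass(frozen=True)
class ObfHeader:
    update: int     # 1 = obfuscated encryption method must be updated
    confirm: int    # 1 = the update has been confirmed
    method: int     # 14-bit value mapped to a strategy in the shared database
    timestamp: int  # 32-bit packet time, seed input for strategy selection

    def pack(self) -> bytes:
        if self.update not in (0, 1) or self.confirm not in (0, 1):
            raise ValueError("flag bits must be 0 or 1")
        if not 0 <= self.method < (1 << 14):
            raise ValueError("method flag must fit in 14 bits")
        if not 0 <= self.timestamp < (1 << 32):
            raise ValueError("timestamp must fit in 32 bits")
        first16 = (self.update << 15) | (self.confirm << 14) | self.method
        return struct.pack(">HI", first16, self.timestamp)

    @classmethod
    def unpack(cls, data: bytes) -> "ObfHeader":
        if len(data) < HEADER_LEN:
            raise ValueError("packet shorter than the 6-byte header")
        first16, ts = struct.unpack(">HI", data[:HEADER_LEN])
        return cls(update=first16 >> 15, confirm=(first16 >> 14) & 1,
                   method=first16 & 0x3FFF, timestamp=ts)


# Constructed stand-in for the jointly maintained strategy database:
# method flag value -> strategy label (real entries hold cipher/permutation
# parameters; only the mapping matters here).
STRATEGY_DB = {0: "perm-A", 1: "perm-B", 2: "perm-C", 3: "perm-D"}


def select_new_method(recv_time: int, pkt_timestamp: int, db: dict) -> int:
    """S130/S230: seed = receiver system time minus the packet timestamp (the
    difference the patent names as one possible operation), reduced modulo
    the database size so the result is always a valid flag value. Only the
    receiver's own clock and a field carried in the packet are used, so the
    two sides need no clock synchronisation."""
    seed = abs(recv_time - pkt_timestamp) & 0xFFFFFFFF
    keys = sorted(db)
    return keys[seed % len(keys)]


def receiver_process(packet: bytes, recv_time: int, db: dict):
    """S110-S130 on the receiver: parse the header, resolve the decryption
    strategy from the method flag and, if the update flag is set, choose the
    new method to return to the sender.
    Returns (strategy_label, payload, new_method_or_None)."""
    hdr = ObfHeader.unpack(packet)
    if hdr.method not in db:
        # The peer refers to a strategy this side does not hold: the packet
        # cannot be decrypted, so it is rejected rather than guessed at.
        raise KeyError(f"method flag {hdr.method} not in shared database")
    strategy = db[hdr.method]
    payload = packet[HEADER_LEN:]  # would be decrypted with `strategy`
    new_method = None
    if hdr.update == 1:
        new_method = select_new_method(recv_time, hdr.timestamp, db)
    return strategy, payload, new_method


def sender_next_header(new_method: int, now: int) -> ObfHeader:
    """S140/S240 on the sender: carry the returned method, clear the update
    flag and set the confirm-update flag (that the sender sets confirm=1 on
    the first packet under the new method is an assumption)."""
    return ObfHeader(update=0, confirm=1, method=new_method, timestamp=now)


if __name__ == "__main__":
    # Constructed packet: update requested, method 2, timestamp 1600000000.
    pkt = ObfHeader(1, 0, 2, 1_600_000_000).pack() + b"payload"
    print(receiver_process(pkt, recv_time=1_600_000_007, db=STRATEGY_DB))
```

The seed is built from a header field sent in the clear and the receiver's clock, and the chosen method is itself returned to the sender, so this mechanism gives agility in which strategy is used, not secrecy of the choice; confidentiality still rests on the strength of the strategies in the database.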
- the embodiment of the present application also proposes a secure data transmission device for a smart identification network.
- the device is a state-based obfuscated transmission device with programmable capability, and can flexibly define and update forwarding strategies, obfuscated encryption strategies and packet parsing strategies.
- the above secure data transmission device of the smart identification network includes, but is not limited to, a data packet processing module, a state information processing module, a clock module, a computing module, an obfuscated encryption strategy database and a controller.
- the device can be two peer devices, the sender and the receiver.
- FIG. 6 is a schematic structural diagram of a secure data transmission device for a smart identification network provided by an embodiment of the present application.
- the device may act as a sender and as a receiver; there is no difference in the functions of the equipment itself.
- the working mode is full-duplex.
- a device is both a sender and a receiver.
- the initiation of a strategy update supports two modes: manual initiation by the user, and automatic initiation by the device according to the status information of the data packet.
- in the second update mode, the device that initiated the communication request decides when to initiate the policy update request. After the policy update request is initiated, the updated packet strategy and obfuscated encryption strategy do not take effect immediately; they take effect only after the requester receives the confirmation message.
- the obfuscated forwarding strategy of data packets should be generated uniformly by the controller.
- the device can cache obfuscated forwarding strategies for data packets through online upgrade or local manual upgrade. Generally, the device caches multiple obfuscated forwarding strategies, so that a policy update can be performed during packet processing whenever required.
- the main function of this device is to process data packets, which requires, but is not limited to, a certain computing capacity and storage capacity. Its computing capacity is reflected in the processing of status information, the processing of address fields during the addressing and forwarding of data packets, and the parsing of data packets; its storage capacity is reflected in the storage of state information and of obfuscation and forwarding strategy information.
- the data should be stored in registers and memory: specifically, the strategy information used in the current communication should be stored in registers, and the strategy information of all obfuscated forwarding strategies supported by the device should be stored in memory.
- each module of the sender A is as follows:
- Data packet processing module: including but not limited to encapsulating the sent data packet, i.e. obfuscating and encrypting the data packet according to the obfuscated encryption method in the obfuscated encryption policy database and encapsulating the update flag bit, confirmation update flag bit, obfuscated encryption method flag bit and timestamp into the data packet; the data packet processing module should be able to determine, based on the status information of the data packet, when to initiate an update request for the obfuscated encryption algorithm.
- the request should support at least two modes: user-initiated and device-initiated.
- the data packet processing module should parse data packets flexibly: it can define the parsing sequence and content of the data packet header according to certain flag fields of the data packet, while remaining compatible with data exchange with traditional equipment. For data packets sent by the receiver B, the obfuscated encryption method flag bit is parsed in the agreed manner, and the next group of data packets is obfuscated and encrypted according to the obfuscated encryption method in the obfuscated encryption policy database. In addition, control information sent by the controller should be received to update the packet processing strategy and packet encapsulation format.
- Clock module: provides clock information.
- Calculation module: performs calculations on data, including but not limited to performing a modulo operation on a random number to select the value of the update flag, extracting the timestamp from the clock, and providing the timestamp to the data packet processing module.
- the device should be able to process data packet status information, including but not limited to preprocessing the timestamp information of the data packet, dynamically sensing the network status, and determining whether the device should actively initiate a request to update the obfuscated encryption algorithm.
- Obfuscated encryption strategy database: including but not limited to storing obfuscated encryption strategies, obfuscated encryption strategy labels, etc., and receiving control information issued by the controller to update the obfuscated encryption strategy database.
- Controller: including but not limited to sending control information to the data packet processing module to update the packet processing strategy and packet encapsulation format.
- the controller also sends control information to the obfuscated encryption policy database to update the obfuscated encryption policy database.
- each module of the receiving end B is as follows:
- Data packet processing module: including but not limited to the packet parsing function, i.e. parsing the obfuscated encryption method flag bit, parsing the data packet according to the corresponding obfuscated encryption method in the obfuscated encryption policy database, and determining whether the update flag has reached the threshold.
- Packet encapsulation function: when the sender's obfuscated encryption method needs to be updated, the new obfuscated encryption method flag information is encapsulated into a data packet and sent to the sender A; control information issued by the controller is received to update the packet processing strategy and packet encapsulation format.
- Clock module: provides clock information.
- when the computing module determines that the obfuscated encryption method is to be updated, it extracts the system clock from the clock module as the computing seed.
- Calculation module: performs calculations on data, including but not limited to AND, OR and modulo operations on the data packet timestamp and the system clock; it selects the obfuscated encryption method from the obfuscated encryption strategy database according to the operation result and provides the obfuscated encryption method to the data packet processing module.
- Obfuscated encryption strategy database: including but not limited to storing obfuscated encryption strategies, obfuscated encryption strategy labels, etc.; it provides obfuscated encryption strategies to the computing module and the data packet processing module, and receives control information issued by the controller to update the obfuscated encryption policy database.
- Controller: including but not limited to sending control information to the data packet processing module to update the packet processing strategy and packet encapsulation format.
- the controller also sends control information to the obfuscated encryption policy database to update the obfuscated encryption policy database.
- the device should be able to process data packet status information, including but not limited to preprocessing the timestamp information of the data packet, dynamically sensing the network status, and determining whether the device should actively initiate a request to update the obfuscated encryption algorithm.
- FIG. 7 is a schematic diagram of an application scenario of an obfuscated transmission method for a smart identification network provided by an embodiment of the present application.
- A and B are users.
- C and D are obfuscated transmission devices.
- W1, W2 and W3 are transmission links.
- the state-based obfuscated transmission device stores routing information and labels in the obfuscated encryption strategy database, and can change the transmission path in real time according to the network status; while alleviating network congestion, it can also effectively improve the quality of the user experience.
- the obfuscated transmission device stores the protocol selection information and its label in the obfuscated encryption strategy database.
- the obfuscated transmission device changes the path selection and the data packet protocol selection according to the state.
- This embodiment describes the application description of the obfuscated transmission device in the policy update phase.
- two sources are provided for the generation of obfuscation and forwarding strategies: when the device is initialized, the obfuscation encryption strategy database provides a basic permutation matrix and round-robin routing strategy.
- the device supports user-defined obfuscation encryption strategies, and the device provides An obfuscated encrypted policy database that stores user-defined policies.
- Two methods are also provided for the import of user confusion encryption strategy database: controller online import and user manual import. Later, when the user initiates a communication request for the first time, the device will determine whether this communication is the first communication.
- the communication initiator first selects an obfuscated encryption strategy and initiates a policy request. After receiving the policy confirmation information returned by the other party, it starts to formally adopt the negotiated obfuscated encryption strategy for encrypted transmission. At the same time, the initiator of the communication needs to maintain the status information of the data packet of this communication. When the status information reaches a certain specified threshold, it initiates an update request for the obfuscated encryption strategy. After receiving the update confirmation information from the other party, the new one is officially adopted. Obfuscate the encryption strategy for encrypted communication.
- the threshold mentioned in the article can be declared by the user according to the actual situation. If no declaration is displayed, the system automatically adopts the default value.
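The first-contact exchange described above (database information in the first packet, a response carrying the jointly held database, a strategy confirmation request and a confirmation response) can be modelled as a small two-party state machine. The following is an added example, not code from the patent or its applicant; the message dictionaries, the class names `Initiator` and `Responder`, and the selection rule (the caller's preferred label if both sides hold it, otherwise the lowest common label) are this example's own assumptions. Each side rejects out-of-order messages and any strategy label outside the set both parties hold, so a peer cannot steer the session onto a strategy the other side does not have.

```python
class NegotiationError(Exception):
    """Raised when a message arrives out of order or names a strategy outside the common set."""


class Initiator:
    """Sending device on first contact (hypothetical class name)."""

    def __init__(self, local_db):
        self.local_db = frozenset(local_db)   # labels of locally stored obfuscated encryption strategies
        self.common = None
        self.selected = None
        self.confirmed = False

    def first_packet(self):
        # Payload of the first packet carries the local obfuscated encryption mode database information.
        return {"type": "first", "payload": {"db_info": sorted(self.local_db)}}

    def on_db_response(self, msg, prefer=None):
        if msg.get("type") != "db_response":
            raise NegotiationError("expected db_response")
        # Re-intersect with the local database so the peer cannot name a label we do not hold.
        self.common = frozenset(msg["payload"]["common_db"]) & self.local_db
        if not self.common:
            raise NegotiationError("no common obfuscated encryption strategy")
        # Selection rule is an assumption: the caller's preference if shared, else the lowest label.
        self.selected = prefer if prefer in self.common else min(self.common)
        return {"type": "confirm_request", "payload": {"strategy": self.selected}}

    def on_confirm_response(self, msg):
        if msg.get("type") != "confirm_response" or msg["payload"].get("strategy") != self.selected:
            raise NegotiationError("confirmation does not match the requested strategy")
        self.confirmed = True          # only now may obfuscated-encrypted data packets be sent
        return self.selected


class Responder:
    """Receiving device on first contact (hypothetical class name)."""

    def __init__(self, local_db):
        self.local_db = frozenset(local_db)
        self.common = None
        self.stored = None

    def on_first_packet(self, msg):
        if msg.get("type") != "first":
            raise NegotiationError("expected first packet")
        # Check the peer's database information against the local database: the intersection
        # is the jointly maintained strategy database returned in the response packet.
        self.common = self.local_db & frozenset(msg["payload"]["db_info"])
        return {"type": "db_response", "payload": {"common_db": sorted(self.common)}}

    def on_confirm_request(self, msg):
        if msg.get("type") != "confirm_request" or self.common is None:
            raise NegotiationError("confirm_request before database exchange")
        strategy = msg["payload"]["strategy"]
        if strategy not in self.common:
            raise NegotiationError(f"strategy {strategy} is not in the jointly maintained database")
        self.stored = strategy         # extract and store the strategy the sender selected
        return {"type": "confirm_response", "payload": {"strategy": strategy}}


def negotiate(initiator_db, responder_db, prefer=None):
    """Run the four-message exchange and return the strategy label both sides now hold."""
    a, b = Initiator(initiator_db), Responder(responder_db)
    db_response = b.on_first_packet(a.first_packet())
    confirm_response = b.on_confirm_request(a.on_db_response(db_response, prefer))
    chosen = a.on_confirm_response(confirm_response)
    if not (a.confirmed and b.stored == chosen):
        raise NegotiationError("state mismatch after negotiation")
    return chosen


if __name__ == "__main__":
    # Constructed databases: labels 2 and 3 are shared, so label 2 is chosen by default.
    print(negotiate({1, 2, 3}, {2, 3, 4}))
```

The intersection is computed on both sides rather than trusted from the response, and the responder stores a strategy only after it has checked the label against the set it computed itself; these two checks are what keep the exchange honest if either party's database differs from what the other expects.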
- This embodiment describes the update of the obfuscated encryption strategy of the obfuscated transmission device in an emergency.
- The ultimate goal of this experimental device is to realize confidential communication for the user.
- The device itself does not provide any network scanning function; the user can apply for permission to enable compatible third-party tools.
- The device does not provide a function for assessing the security of third-party plug-ins, but when this function is enabled it gives the user the ability to manually update the obfuscated encryption strategy after an emergency occurs.
- Users can apply for permission to enable compatible third-party tools, such as certain network scanning tools that use artificial intelligence to analyze the network status and help users discover the risk that the network is being monitored.
- users can manually
- The end user initiates an update request for the obfuscated encryption strategy and can at the same time define the threshold for initiating strategy updates while communication continues uninterrupted, thereby raising the level of communication security.
- The obfuscated encryption strategy in the secure data transmission solution of the smart financial identity network in the embodiment of the present application supports user definition and can be changed continuously, giving higher security. Whether to update the obfuscated encryption strategy is determined from the change of the update flag, the obfuscation strategy database maintains the obfuscation strategy information, and a variety of obfuscated encryption methods are selected at random based on the timestamp status, which is difficult to crack and can prevent replay attacks.
- The value computed from the receiver's system time and the timestamp in the data packet is used as the seed value of the selection algorithm; the sender and receiver do not need to synchronize.
- The status information processing module in the system dynamically perceives the network environment.
- The obfuscated encryption strategy is automatically and randomly updated by the communicating host according to the network environment, and the encryption method can also be updated flexibly through controller- and user-provided control strategies.
- The packet encapsulation and packet parsing rules can be changed flexibly.
Claims (10)
- A secure data transmission method for a smart financial identity network, characterized by comprising: Step S110: when a receiving device receives an obfuscated-encrypted data packet from a sending device, it parses the data packet and obtains the values of the obfuscated encryption mode flag and the update flag in the data packet; Step S120: the receiving device queries the encryption rule database using the value of the obfuscated encryption mode flag to obtain a decryption algorithm, decrypts the data packet using the decryption algorithm, and determines, according to the value of the update flag, whether the obfuscated encryption mode needs to be updated; if so, Step S130 is executed; Step S130: the receiving device uses the value computed from the receiver system time and the timestamp in the data packet as a seed to select a new obfuscated encryption mode, and returns the new obfuscated encryption mode to the sending device; Step S140: after the receiving device receives the new obfuscated encryption mode, it obfuscation-encrypts the data packet according to the new obfuscated encryption mode and sends the obfuscated-encrypted data packet to the sending device.
- The method according to claim 1, characterized in that the data packet comprises an update flag, a confirm-update flag, an obfuscated encryption mode flag and a timestamp; the obfuscation flag is 14 bits long and identifies the obfuscated encryption mode used by the data packet, the value of the obfuscated encryption mode flag and the obfuscated encryption strategies in the obfuscated encryption strategy database being mapped to each other.
- The method according to claim 2, characterized in that the timestamp is 32 bits long, is used to mark the time of the data packet, and serves as the seed value for the strategy selection operation.
- The method according to claim 2, characterized in that the update flag is 1 bit long; when the update flag is 1 the obfuscated encryption mode is updated, and when the update flag is 0 the obfuscated encryption mode is not updated; the confirm-update flag is 1 bit long; when the confirm-update flag is 1 it indicates that the update of the obfuscated encryption mode has been confirmed, and when the confirm-update flag is 0 it indicates that the obfuscated encryption mode has not been updated.
- The method according to any one of claims 1 to 4, characterized in that, before step S110, it further comprises: the sending device initiates communication for the first time, and the payload of the data packet sent by the sending device contains obfuscated encryption mode database information; the receiving device receives the data packet with which the sending device initiates communication for the first time, extracts the obfuscated encryption mode database information from the data packet and checks it against the local obfuscated encryption mode database, obtains the obfuscated encryption strategy database information jointly maintained by the sending device and the receiving device, encapsulates it in a response data packet, and sends the response data packet to the sending device; after receiving the response data packet, the sending device extracts from it the obfuscated encryption strategy database information jointly maintained by the sending device and the receiving device, selects one obfuscated encryption strategy from it, encapsulates the selected obfuscated encryption strategy in a strategy confirmation request data packet and sends it to the receiving device; after receiving the strategy confirmation request data packet from the sending device, the receiving device extracts and stores the obfuscated encryption strategy selected by the sending device and sends a strategy confirmation response data packet to the sending device; after receiving the strategy confirmation response data packet returned by the receiving device, the sending device obfuscation-encrypts data packets according to the obfuscated encryption strategy confirmed by both parties and sends the obfuscated-encrypted data packets to the receiving device.
- A secure data transmission apparatus for a smart financial identity network, characterized by comprising: a data packet processing module, a clock module, a computing module, an obfuscated encryption strategy database module and a controller; the data packet processing module is configured to obfuscation-encrypt data packets according to a set obfuscated encryption mode, encapsulate the update flag, confirm-update flag, obfuscated encryption mode flag and timestamp into the data packet, and determine, according to the status information of the data packets, when to initiate an update request for the obfuscated encryption algorithm; to parse received data packets; and to receive control information issued by the controller in order to update the packet processing strategy and packet encapsulation format; the clock module is configured to provide clock information; the computing module is configured to perform operations on data, select the value of the update flag by performing a modulo operation on a random number, extract the timestamp from the clock, and provide the timestamp to the data packet processing module; the obfuscated encryption strategy database module is configured to store, by means of a database, obfuscated encryption strategies and obfuscated encryption strategy labels, among other things, and to receive control information issued by the controller in order to update the obfuscated encryption strategy database; the controller is configured to issue control information to the data packet processing module in order to update the packet processing strategy and packet encapsulation format, to generate obfuscated forwarding strategies for data packets and issue them to the obfuscated encryption strategy database module, and to issue control information to the obfuscated encryption strategy database in order to update the obfuscated encryption strategy database.
- The apparatus according to claim 6, characterized in that it further comprises: a status information processing module, configured to process data packet status information, preprocess the timestamp information of data packets, and decide whether the apparatus should actively initiate a request to update the obfuscated encryption algorithm.
- The apparatus according to claim 6 or 7, characterized in that it comprises a sending device and a receiving device operating in full-duplex mode; during communication, initiation of a strategy update supports two modes: manual initiation by the user, and automatic initiation selected by the device according to the status information of the data packets.
- The apparatus according to claim 8, characterized in that, when the apparatus is the sending device, the data packet processing module is specifically configured to encapsulate the data packets to be sent: obfuscation-encrypt the data packet according to the obfuscated encryption mode specified in the obfuscated encryption strategy database, encapsulate the update flag, confirm-update flag, obfuscated encryption mode flag and timestamp into the data packet, and decide, according to the status information of the data packets, when to initiate an update request for the obfuscated encryption algorithm; define the parsing order and content of the data packet header according to certain flag fields of the data packet; for data packets sent by the receiving device, parse the obfuscated encryption mode flag in the agreed parsing manner and obfuscation-encrypt the next group of data packets according to the obfuscated encryption mode in the obfuscated encryption strategy database; and receive control information issued by the controller in order to update the packet processing strategy and packet encapsulation format; when the apparatus is the receiving device, the data packet processing module is specifically configured, after receiving an obfuscated-encrypted data packet from the sending device, to parse the data packet and obtain the values of the obfuscated encryption mode flag and the update flag in the data packet, query the encryption rule database using the value of the obfuscated encryption mode flag to obtain a decryption algorithm, decrypt the data packet using the decryption algorithm, determine according to the value of the update flag whether the obfuscated encryption mode needs to be updated and, if so, use the value computed from the receiver system time and the timestamp in the data packet as a seed to select a new obfuscated encryption mode and return the new obfuscated encryption mode to the sending device; and to receive control information issued by the controller in order to update the packet processing strategy and packet encapsulation format.
- The apparatus according to claim 9, characterized in that: the data packet processing module in the sending device is specifically configured, when the sending device initiates communication for the first time, to include obfuscated encryption mode database information in the payload of the data packet sent; the data packet processing module in the receiving device is specifically configured to receive the data packet with which the sending device initiates communication for the first time, extract the obfuscated encryption mode database information from the data packet and check it against the local obfuscated encryption mode database, obtain the obfuscated encryption strategy database information jointly maintained by the sending device and the receiving device, encapsulate it in a response data packet, and send the response data packet to the sending device; the data packet processing module in the sending device is specifically configured, after receiving the response data packet, to extract from it the obfuscated encryption strategy database information jointly maintained by the sending device and the receiving device, select one obfuscated encryption strategy from it, encapsulate the selected obfuscated encryption strategy in a strategy confirmation request data packet, and send it to the receiving device; the data packet processing module in the receiving device is specifically configured, after receiving the strategy confirmation request data packet from the sending device, to extract and store the obfuscated encryption strategy selected by the sending device and send a strategy confirmation response data packet to the sending device; the data packet processing module in the sending device is specifically configured, after receiving the strategy confirmation response data packet returned by the receiving device, to obfuscation-encrypt data packets according to the obfuscated encryption strategy confirmed by both parties and send the obfuscated-encrypted data packets to the receiving device.
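Claims 1 to 4 fix the header fields (a 1-bit update flag, a 1-bit confirm-update flag, a 14-bit obfuscated encryption mode flag and a 32-bit timestamp) and the receiver's S110 to S130 sequence, and the description adds that the sender raises an update when its packet status reaches a threshold. The block below is an added example, not code from the patent or its applicant: it packs the four fields into six bytes, parses them back, looks the mode label up in a constructed strategy database of toy reversible transforms, and derives the replacement mode from the receiver's system time and the packet timestamp. The wire layout, the `STRATEGY_DB` contents, the `Sender` class, the threshold of three packets, the header-only update response and the seed operation (XOR of the two 32-bit values, SHA-256, reduced modulo the number of candidate labels) are all this example's assumptions; the patent leaves the seed operation and the strategies themselves unspecified.

```python
import hashlib
import struct
import time

# Header layout from claims 2-4: 1-bit update flag, 1-bit confirm-update flag,
# 14-bit obfuscated encryption mode label, 32-bit timestamp.  Packing the flags into
# one big-endian 16-bit word followed by a 32-bit timestamp is this example's own choice.
HEADER_FMT = ">HI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MODE_BITS = 14


def _xor(key):
    return lambda data: bytes(b ^ key for b in data)


# Constructed obfuscated encryption strategy database: label -> (obfuscate, deobfuscate).
# The toy reversible transforms stand in for the patent's real obfuscation methods.
STRATEGY_DB = {
    1: (_xor(0x5A), _xor(0x5A)),
    2: (lambda d: d[::-1], lambda d: d[::-1]),
    3: (lambda d: bytes((b + 7) & 0xFF for b in d),
        lambda d: bytes((b - 7) & 0xFF for b in d)),
}


def pack_header(update, confirm, mode, timestamp):
    """Encapsulate the four header fields of claim 2 into six bytes."""
    if not 0 <= mode < (1 << MODE_BITS):
        raise ValueError("mode label must fit in 14 bits")
    flags = ((update & 1) << 15) | ((confirm & 1) << 14) | mode
    return struct.pack(HEADER_FMT, flags, timestamp & 0xFFFFFFFF)


def parse_header(packet):
    """Step S110: recover the flag values and the timestamp from a received packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than header")
    flags, ts = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"update": flags >> 15, "confirm": (flags >> 14) & 1,
            "mode": flags & ((1 << MODE_BITS) - 1), "timestamp": ts}


def select_new_mode(receiver_time, packet_timestamp, current_mode):
    """Step S130: choose a new mode from a seed built from receiver time and packet timestamp.

    Assumed seed operation: XOR the two 32-bit values, hash with SHA-256, reduce modulo the
    number of candidate labels.  The current mode is excluded so an update always changes it."""
    candidates = sorted(m for m in STRATEGY_DB if m != current_mode)
    seed_input = ((receiver_time ^ packet_timestamp) & 0xFFFFFFFF).to_bytes(4, "big")
    digest = hashlib.sha256(seed_input).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def receive(packet, receiver_time=None):
    """Steps S110 to S130 on the receiving device: parse, look up, decrypt, decide on update."""
    hdr = parse_header(packet)
    if hdr["mode"] not in STRATEGY_DB:            # S120: unknown label, no decryption rule
        raise ValueError(f"unknown mode label {hdr['mode']}")
    _, deobfuscate = STRATEGY_DB[hdr["mode"]]
    plaintext = deobfuscate(packet[HEADER_LEN:])
    new_mode = None
    if hdr["update"] == 1:
        now = receiver_time if receiver_time is not None else int(time.time())
        new_mode = select_new_mode(now, hdr["timestamp"], hdr["mode"])
    return plaintext, new_mode


class Sender:
    """Sending device: counts packets and raises the update flag once a threshold is reached."""

    def __init__(self, mode, threshold=3):
        self.mode, self.threshold, self.sent = mode, threshold, 0

    def send(self, plaintext, timestamp):
        self.sent += 1
        update = 1 if self.sent >= self.threshold else 0
        obfuscate, _ = STRATEGY_DB[self.mode]
        return pack_header(update, 0, self.mode, timestamp) + obfuscate(plaintext)

    def on_update_response(self, response):
        """Adopt the new mode only when the confirm-update flag is set and the label is known."""
        hdr = parse_header(response)
        if hdr["confirm"] == 1 and hdr["mode"] in STRATEGY_DB:
            self.mode, self.sent = hdr["mode"], 0


def run_session(threshold=3, receiver_time=1_700_000_000):
    """Drive one exchange; returns (mode used, recovered plaintext, new mode) per packet."""
    sender, log = Sender(mode=1, threshold=threshold), []
    for i, msg in enumerate([b"alpha", b"bravo", b"charlie", b"delta"]):   # constructed traffic
        packet = sender.send(msg, timestamp=receiver_time + i)
        plaintext, new_mode = receive(packet, receiver_time)
        log.append((sender.mode, plaintext, new_mode))
        if new_mode is not None:
            # Receiver returns the new mode with confirm=1 (header-only response, an assumption).
            sender.on_update_response(pack_header(0, 1, new_mode, receiver_time + i))
    return log


if __name__ == "__main__":
    for entry in run_session():
        print(entry)
```

Because the seed mixes the receiver's own clock with the timestamp carried in the packet, a sender cannot predict the next mode from the packet alone and the two clocks need not be synchronized, which is the property the description claims; the receiver's refusal to decrypt an unknown label and the sender's insistence on the confirm-update flag before switching are the checks that keep a malformed or replayed header from silently changing the mode.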
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910496313.3 | 2019-06-10 | ||
CN201910496313.3A CN110177116B (zh) | 2019-06-10 | 2019-06-10 | 智融标识网络的安全数据传输方法和装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020248906A1 true WO2020248906A1 (zh) | 2020-12-17 |
Family
ID=67698086
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/094554 WO2020248906A1 (zh) | 2019-06-10 | 2020-06-05 | 智融标识网络的安全数据传输方法和装置 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110177116B (zh) |
WO (1) | WO2020248906A1 (zh) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110177116B (zh) * | 2019-06-10 | 2020-07-14 | 北京交通大学 | 智融标识网络的安全数据传输方法和装置 |
CN114205814B (zh) * | 2021-12-03 | 2023-11-21 | 中国联合网络通信集团有限公司 | 一种数据传输方法、装置、系统、电子设备及存储介质 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110058669A1 (en) * | 2003-02-20 | 2011-03-10 | Zoran Corporation | Unique identifier per chip for digital audio/video data encryption/decryption in personal video recorders |
CN106452787A (zh) * | 2016-10-13 | 2017-02-22 | 广东欧珀移动通信有限公司 | 数据验证方法及装置 |
CN106789054A (zh) * | 2016-12-23 | 2017-05-31 | 携程旅游网络技术(上海)有限公司 | 动态加解密算法的更新方法及系统 |
CN109241760A (zh) * | 2018-09-28 | 2019-01-18 | 北京北信源信息安全技术有限公司 | 数据加密方法、解密方法、加密装置及解密装置 |
CN110177116A (zh) * | 2019-06-10 | 2019-08-27 | 北京交通大学 | 智融标识网络的安全数据传输方法和装置 |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103516702B (zh) * | 2012-06-29 | 2016-12-07 | 北京新媒传信科技有限公司 | 一种对称加密方法和系统以及一种中心服务器 |
US20170277775A1 (en) * | 2012-10-30 | 2017-09-28 | FHOOSH, Inc. | Systems and methods for secure storage of user information in a user profile |
CN106452764B (zh) * | 2016-12-02 | 2020-02-18 | 武汉理工大学 | 一种标识私钥自动更新的方法及密码系统 |
CN108965302B (zh) * | 2018-07-24 | 2021-10-15 | 苏州科达科技股份有限公司 | 媒体数据传输系统、方法、装置及存储介质 |
CN109409033A (zh) * | 2018-09-11 | 2019-03-01 | 平安科技(深圳)有限公司 | 代码加密方法、装置、计算机装置及存储介质 |
- 2019
  - 2019-06-10 CN CN201910496313.3A patent/CN110177116B/zh active Active
- 2020
  - 2020-06-05 WO PCT/CN2020/094554 patent/WO2020248906A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110177116A (zh) | 2019-08-27 |
CN110177116B (zh) | 2020-07-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Hasan et al. | | Lightweight cryptographic algorithms for guessing attack protection in complex internet of things applications |
CN104023013B (zh) | | 数据传输方法、服务端和客户端 |
CN112398651B (zh) | | 一种量子保密通信方法、装置、电子设备以及存储介质 |
WO2019143463A1 (en) | | Hardware offload for quic connections |
Perazzo et al. | | An implementation and evaluation of the security features of RPL |
WO2013127492A1 (en) | | Content-centric networking |
KR20030078873A (ko) | | 패킷 암호화 시스템 및 방법 |
JP2010157998A (ja) | | トラフィック可視性を備えたエンドツーエンド・ネットワークのセキュリティのための効率的な鍵の導出 |
WO2020248906A1 (zh) | | 智融标识网络的安全数据传输方法和装置 |
CN106850191A (zh) | | 分布式存储系统通信协议的加密、解密方法及装置 |
CN109218451A (zh) | | 一种分布式集群系统的数据传输方法、装置、设备及介质 |
US20190068762A1 (en) | | Packet Parsing Method and Device |
WO2016068942A1 (en) | | Encryption for transactions in a memory fabric |
Puthal et al. | | A synchronized shared key generation method for maintaining end-to-end security of big data streams |
CN115001686B (zh) | | 一种全域量子安全设备及系统 |
CN114938312B (zh) | | 一种数据传输方法和装置 |
CN106209401B (zh) | | 一种传输方法及装置 |
AU2004297923A1 (en) | | Method and apparatus to inline encryption and decryption for a wireless station |
CN115766002A (zh) | | 采用量子密钥分发及软件定义实现以太数据加解密的方法 |
CN113472634B (zh) | | 即时通讯方法、装置及系统、存储介质、电子装置 |
JP2003204326A (ja) | | 通信システムと暗号処理機能付きlan制御装置、及び通信制御プログラム |
CN113973007A (zh) | | 基于广播加密和洋葱路由的时控性加密匿名查询方法和系统 |
Kottur et al. | | Implementing chacha based crypto primitives on programmable smartnics |
US6920556B2 (en) | | Methods, systems and computer program products for multi-packet message authentication for secured SSL-based communication sessions |
CN103249035A (zh) | | 无线传感网络数据加密传送方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20823536; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20823536; Country of ref document: EP; Kind code of ref document: A1 |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 24.03.2022) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20823536; Country of ref document: EP; Kind code of ref document: A1 |