WO2021185314A1 - Data processing method and apparatus - Google Patents

Data processing method and apparatus

Info

Publication number: WO2021185314A1
Authority: WO (WIPO (PCT))
Prior art keywords: terminal, data packet, ciphertext, identity, identifier
Application number: PCT/CN2021/081536
Other languages: English (en), Chinese (zh)
Inventors: 江伟玉, 刘冰洋, 王闯
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2021185314A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L 9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
              • H04L 63/0407 ... wherein the identity of one or more communicating identities is hidden
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
            • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F 21/60 Protecting data
              • G06F 21/602 Providing cryptographic facilities or services
              • G06F 21/606 Protecting data by securing the transmission between two devices or processes
              • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                  • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes

Definitions

  • This application relates to the field of communications, and in particular to data processing methods and devices.
  • the network device can forward the data packet according to the Internet Protocol (IP) address of the terminal included in the data packet, so as to forward the data packet to the receiving end.
  • IP Internet Protocol
  • the IP address of the terminal can indicate the location information of the terminal and the identity information of the terminal.
  • the IP address of the terminal is located in the header of the data packet.
  • untrusted devices or illegal eavesdroppers can easily obtain the terminal's IP address, use the terminal's IP address to identify the terminal, track the terminal, and analyze the private information of the terminal.
  • the privacy information of the terminal includes the identity information and location information of the terminal. Therefore, the IP address of the terminal may cause a security problem of leaking the private information of the terminal.
  • the network address translation (NAT) technology can be used to protect the identity information of the terminal, but the network device needs to store the translation information, which results in a large storage resource overhead.
  • use the onion network to protect the private information of the terminal.
  • each network device in the onion network encrypts the received data packet, which causes a large data transmission delay. Therefore, how to protect the IP address of the terminal and prevent the leakage of the private information of the terminal is an urgent problem to be solved.
  • the data processing method and device provided in this application solve the problem of how to protect the IP address of the terminal and prevent the leakage of the terminal's private information.
  • this application provides a data processing method that can be applied to a network device, or to a data processing device that can support a network device in implementing the method (for example, a data processing device that includes a chip system). The method includes: the network device receives a first data packet, generates a first ciphertext according to the terminal's identifier, a privacy variable and a key, replaces the terminal's identifier with the first ciphertext, and sends a second data packet to the destination device.
  • the data packet includes the first ciphertext.
  • the second data packet does not include the identification of the terminal.
  • the first data packet includes the identification of the terminal, and the identification of the terminal is used to indicate the terminal; the identification of the terminal is set in the network layer protocol header included in the first data packet; the identification of the terminal is the identity identification of the terminal or the location identification of the terminal; the first ciphertext is set in the network layer protocol header included in the second data packet.
  • the network device conceals the terminal's identity by encrypting the terminal's identity, thereby preventing illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining the terminal's identity.
  • the first ciphertext is used to replace the identification of the terminal included in the first data packet to obtain the second data packet, so that the second data packet does not include the identifier of the terminal.
  • replacing the identity of the terminal included in the first data packet with the first ciphertext includes: replacing the identity identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet; the second data packet does not include the identity identifier of the terminal;
  • the privacy variable includes at least one of time information, information related to the device transmitting or receiving the first data packet, random numbers, and regularly changing parameters.
  • replacing the identifier of the terminal included in the first data packet with the first ciphertext includes: replacing the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet; the second data packet does not include the location identifier of the terminal; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or, the privacy variable includes at least one of time information, information related to the device transmitting or receiving the first data packet, random numbers, and regularly changing parameters.
  • the information related to the device that transmits or receives the first data packet is the destination IP address included in the first data packet.
  • replacing the identification of the terminal included in the first data packet with the first ciphertext includes: replacing the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the encrypted identity identifier of the terminal; or, replacing the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the identity identifier of the terminal.
  • generating the first ciphertext according to the terminal's identity, privacy variables, and keys includes: generating a second ciphertext according to the key and privacy variables; and determining the first ciphertext according to the second ciphertext and the terminal's identity.
  • determining the first ciphertext according to the second ciphertext and the identification of the terminal includes: performing an exclusive OR operation on the second ciphertext and the identification of the terminal to obtain the first ciphertext.
  • generating the first ciphertext according to the terminal's identifier, privacy variable, and key includes: generating the data to be encrypted according to the terminal's identifier and the privacy variable; and generating the first ciphertext according to the key and the data to be encrypted.
  • the network device can use different privacy variables to encrypt the identification of the terminal and obtain different ciphertexts. Therefore, the data packets received by different destination devices include different ciphertexts, the private information of the terminal cannot be analyzed from them, and the traffic of the same terminal accessing different destination devices cannot be correlated through collusion and association between those devices.
  • the second data packet further includes a locator for addressing the network device.
  • the first data packet further includes first indication information, and the first indication information is used to instruct to encrypt the identification of the terminal.
  • the method further includes: the network device receives a third data packet, the third data packet includes the first ciphertext, the first ciphertext is determined according to the terminal's identifier, the privacy variable, and the key, and the terminal's identifier is used to indicate the terminal; the first ciphertext is set in the network layer protocol header included in the third data packet; then, the network device generates the identifier of the terminal according to the first ciphertext, the privacy variable and the key, and sends a fourth data packet, the fourth data packet includes the identifier of the terminal, and the identifier of the terminal is set in the network layer protocol header included in the fourth data packet.
  • after the network device receives the third data packet containing the ciphertext, it obtains the identification of the terminal by decrypting the ciphertext, and sends the fourth data packet containing the identification of the terminal to the terminal, so that the terminal can receive the fourth data packet.
  • the first ciphertext included in the third data packet is replaced with the identification of the terminal to obtain the fourth data packet, and the fourth data packet does not include the first ciphertext.
  • replacing the first ciphertext included in the third data packet with the identity of the terminal includes: replacing the first ciphertext included in the third data packet with the identity identifier of the terminal to obtain the fourth data packet; the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, random numbers, and regularly changing parameters.
  • replacing the first ciphertext included in the third data packet with the identifier of the terminal includes: replacing the first ciphertext included in the third data packet with the location identifier of the terminal to obtain the fourth data packet; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or, the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, random numbers, and regularly changing parameters.
  • the information related to the device that transmits or receives the third data packet is the source IP address included in the third data packet.
  • replacing the first ciphertext included in the third data packet with the terminal's identifier includes: replacing the first ciphertext included in the third data packet with the terminal's location identifier and the encrypted identity identifier of the terminal to obtain the fourth data packet, where the decryption result includes the terminal's location identifier and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal; or, replacing the first ciphertext included in the third data packet with the terminal's location identifier and the terminal's identity identifier to obtain the fourth data packet, where the decryption result includes the location identifier of the terminal and the identity identifier of the terminal, and the privacy variable is the identity identifier of the terminal.
  • generating the identification of the terminal according to the first ciphertext, the privacy variable and the key includes: generating the second ciphertext according to the key and the privacy variable; and determining the identification of the terminal according to the second ciphertext and the first ciphertext.
  • determining the identity of the terminal according to the second ciphertext and the first ciphertext includes: performing an exclusive OR operation on the second ciphertext and the first ciphertext to obtain the identity of the terminal.
  • generating the identification of the terminal according to the first ciphertext, the privacy variable and the key includes: generating a decryption result according to the first ciphertext and the key; and determining the identification of the terminal according to the decryption result and the privacy variable.
  • the third data packet further includes a locator for addressing the network device; before sending the fourth data packet, the method further includes: the network device replaces the locator for addressing the network device included in the third data packet with a padding value.
  • the third data packet further includes second indication information, and the second indication information is used to indicate that the identity of the terminal has been encrypted.
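The XOR construction and the round trip described in the items above (on the outbound packet the destination address serves as the privacy variable, on the return packet the source address does), as an added example in Python that is not the patent's code. The keyed function that derives the second ciphertext (HMAC-SHA256 truncated to the identifier width), the 32-bit identifier width, the key, the terminal identifier and the addresses are all assumptions or constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Added example; this is not the patent's code. Assumptions: the keyed function
# that derives the "second ciphertext" from the key and the privacy variable is
# HMAC-SHA256 truncated to the identifier width; the identifier is 32 bits; the
# privacy variable is the destination IP address on the outbound packet and the
# source IP address on the return packet, as the description states.

# Constructed sample values (not from the page).
KEY = bytes(range(32))
TERMINAL_ID = bytes.fromhex("0000002a")


def second_ciphertext(key: bytes, privacy_variable: bytes, length: int) -> bytes:
    """Keystream derived only from the key and the privacy variable."""
    return hmac.new(key, privacy_variable, hashlib.sha256).digest()[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_identifier(key: bytes, terminal_id: bytes, privacy_variable: bytes) -> bytes:
    """First ciphertext = second ciphertext XOR terminal identifier."""
    return xor_bytes(second_ciphertext(key, privacy_variable, len(terminal_id)), terminal_id)


def decrypt_identifier(key: bytes, first_ciphertext: bytes, privacy_variable: bytes) -> bytes:
    """XOR is its own inverse: recomputing the keystream recovers the identifier."""
    return xor_bytes(second_ciphertext(key, privacy_variable, len(first_ciphertext)), first_ciphertext)


def forward(key: bytes, packet: dict) -> dict:
    """Outbound network device: replace the terminal identifier in the source field
    with its ciphertext, using the destination address as the privacy variable."""
    pv = ipaddress.ip_address(packet["dst"]).packed
    return {
        "src_id": encrypt_identifier(key, packet["src_id"], pv),
        "dst": packet["dst"],
        "encrypted": True,  # the "indication information" that the identifier is encrypted
    }


def back(key: bytes, packet: dict) -> dict:
    """Return-path network device: the ciphertext now sits in the destination field,
    and the return packet's source address is the privacy variable."""
    if not packet["encrypted"]:
        return packet
    pv = ipaddress.ip_address(packet["src"]).packed
    return {
        "src": packet["src"],
        "dst_id": decrypt_identifier(key, packet["dst_id"], pv),
        "encrypted": False,
    }


def server_reply(outbound: dict) -> dict:
    """Constructed peer behaviour: the destination answers to the source it saw."""
    return {"src": outbound["dst"], "dst_id": outbound["src_id"], "encrypted": outbound["encrypted"]}


def round_trip(key: bytes, terminal_id: bytes, destinations: list) -> dict:
    """Send one packet to each destination; record the pseudonym each destination
    saw and the identifier the return-path device recovered."""
    seen_by_servers, recovered = {}, {}
    for dst in destinations:
        outbound = forward(key, {"src_id": terminal_id, "dst": dst, "encrypted": False})
        seen_by_servers[dst] = outbound["src_id"]
        recovered[dst] = back(key, server_reply(outbound))["dst_id"]
    return {"seen_by_servers": seen_by_servers, "recovered": recovered}


if __name__ == "__main__":
    result = round_trip(KEY, TERMINAL_ID, ["2001:db8::a", "2001:db8::b"])
    for dst, pseudonym in result["seen_by_servers"].items():
        print(dst, "saw", pseudonym.hex(), "recovered", result["recovered"][dst].hex())
```

Two properties of this construction are worth keeping in view when choosing the privacy variable. With the destination address alone, the pseudonym a given destination sees is stable across all packets from the same terminal, which is what lets the return path recover the identifier from the packet and the key alone; the time information and random numbers the description also lists change the pseudonym per packet, but the return-path device must then be able to recover them. And because the first ciphertext is a keystream XOR, two identifiers encrypted under the same key and privacy variable differ by exactly the XOR of the identifiers, so key management and privacy-variable choice must avoid that reuse wherever unlinkability between terminals matters.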
  • the embodiments of the present application also provide a data processing device; for its beneficial effects, refer to the description of the first aspect, which is not repeated here.
  • the data processing device has the function of realizing the behavior in the method example of the first aspect described above.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the data processing device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive a first data packet, the first data packet includes an identification of the terminal, and the identification of the terminal is used to indicate the terminal; the identification of the terminal is set in the network layer protocol header included in the first data packet; the identifier of the terminal is the identity identifier of the terminal or the location identifier of the terminal.
  • the processing unit is used to generate the first ciphertext according to the terminal's identification, privacy variable and key.
  • the sending unit is configured to send a second data packet, the second data packet includes a first ciphertext, and the first ciphertext is set in a network layer protocol header included in the second data packet.
  • the processing unit is further configured to replace the identification of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, so that the second data packet does not include the identification of the terminal.
  • the processing unit is configured to replace the identity identifier of the terminal included in the first data packet with the first ciphertext to obtain a second data packet, and the second data packet does not include the identity identifier of the terminal; the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, random numbers, and regularly changing parameters.
  • the processing unit is configured to replace the location identifier of the terminal included in the first data packet with the first ciphertext to obtain a second data packet, and the second data packet does not include the location identifier of the terminal; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or, the privacy variable includes at least one of time information, information related to the device that transmits or receives the first data packet, random numbers, and regularly changing parameters.
  • the information related to the device that transmits or receives the first data packet is the destination IP address included in the first data packet.
  • the processing unit is configured to replace the encrypted identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the encrypted identity identifier of the terminal; or, to replace the identity identifier of the terminal and the location identifier of the terminal included in the first data packet with the first ciphertext to obtain the second data packet, where the privacy variable is the identity identifier of the terminal.
  • the processing unit is configured to generate the second ciphertext according to the key and the privacy variable, and to determine the first ciphertext according to the second ciphertext and the identification of the terminal.
  • determining the first ciphertext according to the second ciphertext and the identification of the terminal includes: performing an exclusive OR operation on the second ciphertext and the identification of the terminal to obtain the first ciphertext.
  • the processing unit is configured to generate the data to be encrypted according to the identification of the terminal and the privacy variable; and generate the first ciphertext according to the key and the data to be encrypted.
  • the network device can use different privacy variables to encrypt the identification of the terminal and obtain different ciphertexts. Therefore, the data packets received by different destination devices include different ciphertexts, the private information of the terminal cannot be analyzed from them, and the traffic of the same terminal accessing different destination devices cannot be correlated through collusion and association between those devices.
  • the second data packet further includes a locator for addressing the network device.
  • the first data packet further includes first indication information, and the first indication information is used to instruct to encrypt the identification of the terminal.
  • the receiving unit is further configured to receive a third data packet, the third data packet includes the first ciphertext, the first ciphertext is determined according to the terminal's identifier, the privacy variable, and the key, the terminal's identifier is used to indicate the terminal, and the terminal's identifier is the terminal's identity identifier or the terminal's location identifier; the first ciphertext is set in the network layer protocol header included in the third data packet; the processing unit is further configured to generate the identifier of the terminal according to the first ciphertext, the privacy variable and the key; the sending unit is further configured to send a fourth data packet, the fourth data packet includes the identifier of the terminal, and the identifier of the terminal is set in the network layer protocol header included in the fourth data packet.
  • after receiving the third data packet containing the ciphertext, the network device obtains the identification of the terminal by decrypting the ciphertext, and sends the fourth data packet containing the identification of the terminal to the terminal, so that the terminal can receive the fourth data packet.
  • the processing unit is further configured to replace the first ciphertext included in the third data packet with the terminal identifier to obtain the fourth data packet; the fourth data packet does not include the first ciphertext.
  • the processing unit is configured to replace the first ciphertext included in the third data packet with the identity identifier of the terminal to obtain the fourth data packet; the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a regularly changing parameter.
  • the processing unit is configured to replace the first ciphertext included in the third data packet with the location identifier of the terminal to obtain the fourth data packet; the privacy variable is the encrypted identity identifier of the terminal or the identity identifier of the terminal; or, the privacy variable includes at least one of time information, information related to the device that transmits or receives the third data packet, a random number, and a regularly changing parameter.
  • the information related to the device that transmits or receives the third data packet is the source IP address included in the third data packet.
  • the processing unit is configured to replace the first ciphertext included in the third data packet with the location identifier of the terminal and the encrypted identity identifier of the terminal to obtain the fourth data packet, where the decryption result includes the terminal's location identifier and the encrypted identity identifier of the terminal, and the privacy variable is the encrypted identity identifier of the terminal; or, to replace the first ciphertext included in the third data packet with the terminal's location identifier and the terminal's identity identifier to obtain the fourth data packet, where the decryption result includes the terminal's location identifier and the terminal's identity identifier, and the privacy variable is the terminal's identity identifier.
  • the processing unit is configured to generate the second ciphertext according to the key and the privacy variable, and determine the identity of the terminal according to the second ciphertext and the first ciphertext.
  • determining the identity of the terminal according to the second ciphertext and the first ciphertext includes: performing an exclusive OR operation on the second ciphertext and the first ciphertext to obtain the identity of the terminal.
  • the processing unit is configured to generate a decryption result according to the first ciphertext and the key, and determine the identity of the terminal according to the decryption result and the privacy variable.
  • the third data packet further includes a locator for addressing the network device; before sending the fourth data packet, the method further includes: the network device replaces the locator for addressing the network device included in the third data packet with a padding value.
  • the third data packet further includes second indication information, and the second indication information is used to indicate that the identity of the terminal has been encrypted.
  • a data processing device may be the network device in the foregoing method embodiment, or a chip set in the network device.
  • the data processing device includes a communication interface, a processor, and optionally, a memory.
  • the memory is used to store computer programs or instructions.
  • the processor is coupled with the memory and a communication interface.
  • when the processor executes the computer programs or instructions, the data processing device is caused to execute the method executed by the network device in the above method embodiment.
  • a computer program product includes: computer program code, which when the computer program code is running, causes the methods executed by the network device in the above aspects to be executed.
  • the present application provides a chip system
  • the chip system includes a processor, and is configured to implement the functions of the network device in the methods of the foregoing aspects.
  • the chip system further includes a memory for storing program instructions and/or data.
  • the chip system can be composed of chips, and can also include chips and other discrete devices.
  • the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is executed, the method executed by the network device in the above aspects is implemented.
  • FIG. 1 is a diagram of an example of the structure of an IPv6 data packet provided by an embodiment of this application;
  • FIG. 2 is a structural example diagram of a source IP address provided by an embodiment of this application.
  • FIG. 3 is a structural example diagram of a destination IP address provided by an embodiment of this application.
  • FIG. 4 is an example diagram of the architecture of a communication system provided by an embodiment of the application.
  • FIG. 5 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 6 is a structural example diagram of a source IP address provided by an embodiment of this application.
  • FIG. 7 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 8 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application.
  • FIG. 9 is a schematic diagram of a source IP address encryption process provided by an embodiment of this application.
  • FIG. 10 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 11 is a structural example diagram of a destination IP address provided by an embodiment of this application.
  • FIG. 12 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 13 is a schematic diagram of the decryption process of the destination IP address provided by an embodiment of this application.
  • FIG. 14 is a schematic diagram of the decryption process of the destination IP address provided by an embodiment of this application.
  • FIG. 15 is a schematic diagram of a process of encryption of a source IP address and decryption of a destination IP address provided by an embodiment of this application;
  • FIG. 16 is a schematic diagram of an encryption process of a source IP address provided by an embodiment of this application.
  • FIG. 17 is a schematic diagram of the decryption process of the destination IP address provided by an embodiment of this application.
  • FIG. 18 is a diagram of an example of the architecture of a communication system provided by an embodiment of this application.
  • FIG. 19 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 20 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 21 is a schematic diagram of an encryption process of a source IP address provided by an embodiment of this application.
  • FIG. 22 is a schematic diagram of the decryption process of the destination IP address provided by an embodiment of this application.
  • FIG. 23 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 24 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • FIG. 25 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • words such as "exemplary" or "for example" are used to present examples, illustrations, or explanations. Any embodiment or design solution described as "exemplary" or "for example" in the embodiments of the present application should not be construed as being more preferable or advantageous than other embodiments or design solutions. To be precise, words such as "exemplary" or "for example" are used to present related concepts in a specific manner.
  • IP Internet Protocol
  • IP address Internet Protocol Address
  • Common IP addresses include IPv4 addresses and IPv6 addresses.
  • IP address is located in the header of the data packet.
  • FIG. 1 is a structural example diagram of an IPv6 data packet provided by an embodiment of this application.
  • the IPv6 data packet includes a basic header, N extension headers and a data part.
  • the N extension headers and the data part may be called the payload.
  • the basic header includes version, traffic class, flow label, payload length, next header, hop limit, source address and destination address.
  • the source address may also be referred to as the source IP address.
  • the source address refers to the IP address of the sender that sends the data packet, and the length of the source address is 128 bits.
  • the sender can be a server or a terminal. Illustratively, FIG. 2 is a structural example diagram of a source IP address provided by an embodiment of this application.
  • the source address includes external locator bits, internal locator bits, and host identifier bits.
  • the value of the external locator bit may be the address of the network device that forwards the data packet, so that the network device can receive the returned data packet.
  • the external locator bit occupies x bits in the source address. For example, the external locator bit occupies 62 bits in the source address.
  • the internal locator bit is used to indicate the source location identifier, that is, the location identifier (source location, SrcLoc) of the sender. For example, if the sending end is a terminal, the source location identifier is the location identifier of the terminal. For another example, if the sending end is a server, the source location identifier is the location identifier of the server.
  • the internal locator bits occupy y1 bits in the source address. For example, the internal locator bits occupy 32 bits in the source address.
  • the host identifier bit is used to indicate the source identity, that is, the source identification (SrcID) of the sender. For example, if the sending end is a terminal, the source identity is the identity of the terminal. For another example, if the sender is a server, the source identity is the identity of the server.
  • the host identifier bit occupies y2 bits in the source address. For example, the host identifier bit occupies 32 bits in the source address.
  • the source identity identifier may be an identifier that uniquely distinguishes the identity of the data packet sender in a local or global scope.
  • the source identity can be the last 64-bit interface ID of the IPv6 address.
  • the locator bits allow a network layer device to find the smallest unit (for example, a subnet) in which the data packet sender is located.
  • the locator bits can be the 64-bit prefix of an IPv6 address.
  • the locator bits include an external locator and an internal locator.
  • in this layout, the source location indicated by the internal locator bits, which is the part that needs to be encrypted, is the 16-bit subnet number within the prefix.
  • the destination address can also be called the destination IP address.
  • the destination address refers to the IP address of the receiving end that receives the data packet, and the length of the destination address is 128 bits.
  • the receiving end can be a server or a terminal.
  • FIG. 3 is a structural example diagram of a destination IP address provided by an embodiment of this application.
  • the destination address includes external locator bits, internal locator bits, and host identifier bits.
  • the value of the external locator bit may be the address of the network device that forwards the data packet, so that the network device can receive the returned data packet.
  • the external locator bit occupies x bits in the destination address. For example, the external locator bit occupies 62 bits in the destination address.
  • the internal locator bit is used to indicate the destination location identifier, that is, the location identifier (Destination location, DstLoc) of the receiving end. For example, if the receiving end is a terminal, the destination location identifier is the location identifier of the terminal. For another example, if the receiving end is a server, the destination location identifier is the location identifier of the server.
  • the internal locator bits occupy y1 bits in the destination address. For example, the internal locator bits occupy 32 bits in the destination address.
  • the host identifier bit is used to indicate the destination identity, that is, the receiving end's identity (DstID). For example, if the receiving end is a terminal, the destination identity is the identity of the terminal. For another example, if the receiving end is a server, the destination identity is the identity of the server.
  • the host identifier bit occupies y2 bits in the destination address. For example, the host identifier bit occupies 32 bits in the destination address.
  • the destination address is an IPv6 address.
  • the destination identity identifier may be an identifier that uniquely distinguishes the identity of the data packet receiver in a local or global scope.
  • the destination identity can be the last 64-bit interface ID of the IPv6 address.
  • the locator bits allow a network layer device to find the smallest unit (for example, a subnet) in which the data packet receiving end is located.
  • the locator bits can be the 64-bit prefix of an IPv6 address.
  • the locator bits include an external locator and an internal locator.
  • in this layout, the destination location indicated by the internal locator bits, which is the part that needs to be encrypted, is the 16-bit subnet number within the prefix.
  • an embodiment of the present application provides a data processing method.
  • the method includes: after receiving a first data packet, the network device encrypts the identification of the terminal according to a key and a privacy variable to obtain a ciphertext, and replaces the identification of the terminal with the ciphertext.
  • the network device then sends a second data packet, which includes the ciphertext but does not include the identification of the terminal.
  • the identification of the terminal may be the identity identifier of the terminal or the location identifier of the terminal.
  • the network device encrypts the identification of the terminal to hide the terminal's IP address, preventing illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining the terminal's IP address and thereby inferring the terminal's identity information and location information from it.
  • the identification of the terminal may be a piece of information that can uniquely identify the identity of an entity, or it may be a partial identification identifier that includes information such as identity attributes (such as age, role identification, department number, and rank).
  • the location identifier of the terminal may be a locator that includes an IP address, or an identifier that includes geographic location information such as the Global Positioning System (GPS), or an identifier that includes other geographic location-related information.
  • GPS Global Positioning System
  • FIG. 4 shows an example diagram of the architecture of a communication system that can be applied to the embodiments of the present application.
  • the communication system includes at least one terminal 401, an internet network and a data center.
  • the internetwork may include at least one network device (for example, network device 402 and network device 403).
  • the network device can be a router.
  • the network device 402 may refer to a terminal-side router closer to the terminal.
  • the network device 403 may refer to a border router or a near-destination router closer to the server. However, it is not limited to the network device being a router.
  • the network device can also be a switch, an access gateway, etc., with a data packet forwarding function.
  • the Internet may also include an identity management server 404, and the identity management server 404 is configured to assign the terminal 401 an identity of the terminal.
  • the data center may include at least one application server 405. Multiple application servers can be independent physical devices, the functions of multiple application servers can be integrated on the same physical device (such as multiple application servers under the jurisdiction of a cloud service provider), or some application server functions can be integrated on one physical device. Each application server can run one or more services (such as game services). Services can also be called applications. Each service can be deployed on, and supported by, multiple application servers.
  • the terminal 401 is connected to the network device 402 in a wireless or wired manner.
  • the network device 402 will be connected to other network devices in a wireless or wired manner.
  • the network device 403 is connected to the application server 405 in a wireless or wired manner.
  • the terminal may be at a fixed location or may be mobile.
  • FIG. 4 is only a schematic diagram.
  • the communication system may also include other devices, such as relay devices, which are not shown in FIG. 4.
  • the embodiments of the present application do not limit the number of terminals, network devices, and application servers included in the communication system.
  • the terminal (Terminal) 401 may also be referred to as a terminal device, a user equipment (UE), a mobile station (mobile station, MS), a mobile terminal (mobile terminal, MT), and so on.
  • the terminal 401 may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
  • the embodiments of the present application do not limit the specific technology and specific device form adopted by the terminal.
  • the terminal 401 may send a data packet to the application server 405.
  • the data packet includes a source address, and the source address indicates the identification of the terminal 401 (for example, the identity identifier of the terminal 401 and the location identifier of the terminal 401).
  • the terminal 401 may also receive data packets from the application server 405.
  • the data packet may include a destination address, and the destination address indicates the identity of the terminal 401.
  • when a network device (such as network device 402 or network device 403) receives a data packet from the terminal 401, it can encrypt the identification of the terminal 401 to obtain a ciphertext, replace the identification of the terminal 401 with the ciphertext, and forward the data packet containing the ciphertext to the application server 405. Thus the private information of the terminal is prevented from being leaked.
  • the network device can be configured with a commonly used encryption algorithm, and use the encryption algorithm to encrypt the identification of the terminal 401.
  • in one example, the identity identifier of the terminal 401 is encrypted at a network device close to the terminal 401 (such as network device 402), and the location identifier of the terminal 401 is encrypted at a network device close to the application server 405 (network device 403).
  • when the network device receives a data packet from the application server 405, it can decrypt the ciphertext included in the data packet to obtain the identification of the terminal 401, replace the ciphertext with the identification of the terminal 401, and forward the data packet containing the identification of the terminal 401 to the terminal 401.
  • the application server 405 can receive a data packet containing a ciphertext from the terminal 401. Since the identification of the terminal is encrypted, the application server 405 cannot obtain the identification of the terminal to avoid leaking the private information of the terminal 401, thereby preventing illegal attackers from analyzing the terminal's identity information and the terminal's location information based on the terminal's IP address. In addition, the data packet sent by the application server 405 to the terminal 401 may also contain the ciphertext.
  • because there may be untrusted devices or illegal eavesdroppers on the link between the terminal 401 and the application server 405, and the data packet is forwarded by multiple network devices, the identification of the terminal 401 is encrypted by a network device, thereby avoiding the leakage of the terminal's private information.
  • FIG. 5 is a flowchart of a data processing method provided by an embodiment of the application.
  • the case where the terminal 401 sends data to the application server 405, and the network device 402 and the network device 403 encrypt the identification of the terminal 401, is taken as an example.
  • the method may include:
  • the terminal 401 sends a first data packet to the network device 402.
  • the first data packet includes a basic header, N extended headers and a data part.
  • the N extension headers and the data part together can be called the payload.
  • the basic header includes version, traffic class, flow label, payload length, next header, hop limit, source address and destination address.
  • source address indicates the IP address of the terminal 401.
  • destination address indicates the IP address of the application server 405.
  • the terminal 401 may encrypt and transmit the first data packet to the network device 402.
  • the terminal 401 may establish a secure channel between the terminal 401 and the network device 402 by using the tunnel technology, and transmit the first data packet through the secure channel.
  • IPsec Internet Protocol Security
  • the terminal 401 uses Internet Protocol Security (IPsec) to establish a secure channel with the network device 402.
  • a virtual private network (VPN) channel is established between the terminal 401 and the network device 402. Since the identification of the terminal 401 is hidden by the secure channel, untrusted devices or illegal eavesdroppers on the link between the terminal 401 and the network device 402 are prevented from stealing the identification of the terminal 401.
  • VPN Virtual Private Network
  • the identification of the terminal 401 may be the IP address of the terminal 401.
  • the identity of the terminal 401 may be the identity of the terminal 401.
  • the identification of the terminal 401 may be the location identifier of the terminal 401.
  • the network device 402 receives the first data packet from the terminal 401.
  • the network device 402 may receive the first data packet from the terminal 401 through the secure channel.
  • the first data packet includes the identification of the terminal 401.
  • the identifier of the terminal 401 is set in the network layer protocol header included in the first data packet.
  • the identifier of the terminal 401 is used to indicate the terminal 401. If the identity of the terminal 401 is the identity of the terminal 401, the identity of the terminal 401 is used to indicate the identity information of the terminal 401. If the identification of the terminal 401 is the location identification of the terminal 401, the identification of the terminal 401 is used to indicate the location information of the terminal 401.
  • after the network device 402 receives the first data packet from the terminal 401, it determines that the header of the first data packet includes the identification of the terminal 401, encrypts the identification of the terminal 401, and executes S503.
  • the first indication information is used to instruct to encrypt the identification of the terminal 401.
  • after receiving the first data packet from the terminal 401, the network device 402 determines, according to the first indication information, to encrypt the identification of the terminal 401, and executes S503.
  • the source address included in the first data packet includes a flag bit, and the value of the flag bit is used to indicate that the identification of the terminal 401 is encrypted.
  • the flag bit occupies z bits in the source address. For example, the flag bit occupies 2 bits in the source address.
  • in one example, the identification of the terminal 401 includes both the identity identifier and the location identifier of the terminal 401: when the value of the flag bit is 00, the identification of the terminal 401 does not need to be encrypted; when the value of the flag bit is 01, the identification of the terminal 401 is encrypted.
  • in another example, the two identifiers are distinguished: when the value of the flag bit is 00, the identification of the terminal 401 does not need to be encrypted; when the value is 01, the identity identifier of the terminal 401 is encrypted; when the value is 10, the location identifier of the terminal 401 is encrypted.
  • the assignment may also be inverted: when the value of the flag bit is 00, the identification of the terminal 401 is encrypted, and when the value is 01, the identification of the terminal 401 does not need to be encrypted.
  • the network device 402 generates a first ciphertext according to the identity of the terminal 401, the first privacy variable, and the first key.
  • the network device 402 can extract the identity identifier of the terminal 401 from the IP address of the terminal 401 included in the first data packet, encrypt the identity identifier to obtain the first ciphertext, and generate a second data packet that includes the first ciphertext.
  • encrypting the identification of the terminal 401 by the network device 402 includes the following steps.
  • the network device 402 generates a second ciphertext according to the first key and the first privacy variable.
  • the network device 402 may extract the first privacy variable from the header of the first data packet, and use an encryption algorithm to perform an encryption operation according to the first privacy variable and the first key to obtain the second ciphertext.
  • the first privacy variable includes at least one of: time information, information related to the device that transmits or receives the first data packet, a random number, and a parameter that changes according to a known rule.
  • the first privacy variable can be set at any position in the network layer protocol header included in the first data packet.
  • the first privacy variable can be hidden in the host identifier bits.
  • the first privacy variable is time information, which the terminal 401 adds when generating the identity identifier of the terminal 401 in the first data packet.
  • the network device 402 may extract the first privacy variable from the host identifier bits in the network layer protocol header included in the first data packet.
  • the first privacy variable is exposed in the network layer protocol header included in the first data packet.
  • the network device 402 may extract the first privacy variable from the network layer protocol header included in the first data packet.
  • the first privacy variable is the destination IP address.
  • alternatively, since the length of the first data packet is variable, a field for carrying the first privacy variable may be added to the network layer protocol header included in the first data packet.
  • the information related to the device that transmits or receives the first data packet is the destination IP address included in the first data packet.
  • the destination IP address may be the address of the application server 405.
  • the second ciphertext satisfies the following formula (1): C = E(SK1, Dst IP) (1)
  • C represents the second ciphertext.
  • E() represents a secure block encryption algorithm, such as the advanced encryption standard (AES).
  • SK1 represents the encryption key of the network device 402, that is, the first key.
  • Dst IP represents the destination IP address included in the first data packet.
  • the second ciphertext is longer than the identity identifier of the terminal 401.
  • for example, with AES the length of the second ciphertext is 128 bits. Therefore, the network device 402 processes the second ciphertext according to the identity identifier of the terminal 401 to obtain a ciphertext of the same length as the identity identifier, and performs S5032.
  • the network device 402 determines the first ciphertext according to the second ciphertext and the identity of the terminal 401.
  • the network device 402 may truncate the second ciphertext to the length of the identity identifier of the terminal 401 to obtain a y2-bit value, and determine the first ciphertext from the truncated y2-bit value and the identity identifier of the terminal 401.
  • the first ciphertext satisfies the following formula (2): EHID = C_y2 XOR HID (2)
  • EHID represents the first ciphertext.
  • C_y2 represents the y2-bit value truncated from the second ciphertext.
  • HID represents the identity identifier of the terminal 401.
  • XOR represents the exclusive-OR operation.
  • the length of the first ciphertext is equal to the length of the identity of the terminal 401.
  • the length of the second ciphertext is greater than the length of the identity of the terminal 401.
  • the network device 402 can use different privacy variables to encrypt the identity of the terminal to obtain different ciphertexts. Therefore, the data packets received by different destination devices include different ciphertexts, avoiding collusion and association analysis of the traffic of the same terminal accessing different destination devices.
  • the network device 402 encrypts the identity of the terminal 401, and after obtaining the first ciphertext, replaces the identity of the terminal 401 included in the first data packet with the first ciphertext to generate a second data packet.
  • the first ciphertext is set in the network layer protocol header included in the second data packet.
  • in one example, the first privacy variable is set (exposed) in the network layer protocol header included in the second data packet, so that when the network device 402 later receives a data packet containing the first ciphertext, it can extract the first privacy variable from that packet and decrypt the first ciphertext with the first key and the first privacy variable to obtain the identity identifier of the terminal 401.
  • the first privacy variable is hidden in the network layer protocol header included in the first data packet.
  • the first privacy variable is time information
  • the first privacy variable can be hidden in the host identifier bit.
  • after the network device 402 replaces the identity identifier of the terminal 401 with the first ciphertext, the first privacy variable is no longer visible in the network layer protocol header included in the second data packet.
  • the first privacy variable is hidden in the network layer protocol header included in the second data packet. Understandably, the first privacy variable is hidden in the first ciphertext.
  • the value of the external locator bit is a padding value.
  • the padding value can be a bit string agreed by the system, such as 00000.
  • the value of the internal locator bit is the location identifier of the terminal 401.
  • the value of the host identifier bit is the identity of the terminal 401. In the following, it is assumed that the identity of the terminal 401 is HID, and the first ciphertext is EHID. After the network device 402 encrypts the HID to obtain the EHID, it replaces the HID with the EHID.
  • the value of the host identifier bit may be the encrypted identity of the terminal 401, that is, the value of the host identifier bit is EHID.
  • the network device 402 forwards a second data packet, where the second data packet includes the first ciphertext.
  • the network device 402 may forward the second data packet according to a forwarding rule such as a routing table.
  • S505 The network device 403 receives the second data packet.
  • the network device 403 may receive the second data packet from the network device 402, or the network device 403 may receive the second data packet forwarded from other network devices.
  • after the network device 403 receives the second data packet, it determines that the header of the second data packet includes the location identifier of the terminal 401, encrypts the location identifier of the terminal 401, and executes S506.
  • the first indication information is used to instruct to encrypt the identification of the terminal 401.
  • after receiving the second data packet, the network device 403 determines, according to the first indication information, to encrypt the location identifier of the terminal 401, and executes S506.
  • the specific implementation of the first indication information may be as described in S502 above, and will not be described in detail.
  • the network device 403 generates a third ciphertext according to the location identifier of the terminal 401, the second privacy variable, and the second key.
  • the network device 403 may extract the location identifier of the terminal 401 from the IP address of the terminal 401 included in the second data packet, encrypt the location identifier to obtain the third ciphertext, and generate a third data packet that includes the third ciphertext.
  • encrypting the location identifier of the terminal 401 by the network device 403 includes the following steps.
  • the network device 403 generates data to be encrypted according to the location identifier of the terminal 401 and the second privacy variable.
  • the network device 403 may extract the second privacy variable from the network layer protocol header included in the second data packet, and compose the data to be encrypted from the location identifier of the terminal 401 and the second privacy variable.
  • the second privacy variable is the encrypted identity of the terminal 401, that is, the first ciphertext.
  • the second data packet includes the first ciphertext.
  • the length of the data to be encrypted may be equal to the sum of the length of the terminal 401's identity identifier and the length of the terminal 401's location identifier.
  • the length of the data to be encrypted may not be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the network device 403 generates a third ciphertext according to the second key and the data to be encrypted.
  • the network device 403 uses an encryption algorithm to perform an encryption operation according to the second key and the data to be encrypted to obtain the third ciphertext.
  • the third ciphertext satisfies the following formula (3): EIP = F(SK2, EHID || SrcLoc) (3)
  • EIP represents the third ciphertext.
  • F() represents a lightweight symmetric encryption algorithm whose block length is the sum of y1 bits and y2 bits.
  • SK2 represents the encryption key of the network device 403, that is, the second key.
  • || represents concatenation.
  • EHID represents the first ciphertext.
  • SrcLoc represents the location identifier of the terminal 401.
  • the network device 403 encrypts the location identifier of the terminal 401, and after obtaining the third ciphertext, replaces the location identifier of the terminal 401 included in the second data packet with the third ciphertext to generate a third data packet.
  • the third ciphertext is set in the network layer protocol header included in the third data packet.
  • the second privacy variable is the first ciphertext
  • both the identity identifier of the terminal 401 and the location identifier of the terminal 401 have been encrypted.
  • the network device 403 replaces the first ciphertext and the location identifier of the terminal 401 with the third ciphertext.
  • the second privacy variable is hidden in the network layer protocol header included in the third data packet. Understandably, the second privacy variable is hidden in the third ciphertext.
  • the length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the length of the third ciphertext is not equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • FIG. 9 it is a schematic diagram of the encryption process of the source IP address.
  • the value of the external locator bit is the filling value.
  • the value of the internal locator bit is the location identifier of the terminal 401.
  • the value of the host identifier bit is the identity of the terminal 401.
  • the second data packet generated by the network device 402 is different from the first data packet in that the value of the host identifier bit is EHID.
  • EIP represents the third ciphertext.
  • after the network device 403 encrypts the location identifier of the terminal 401 to obtain EIP, it replaces the value of the internal locator bits and the value of the host identifier bits with EIP, that is, it replaces the location identifier of the terminal 401 and EHID with EIP.
  • the network device 403 can use different privacy variables to encrypt the location identifier of the terminal to obtain different ciphertexts. Therefore, data packets received by different destination devices include different ciphertexts, so that the location identifier of the terminal 401 is not leaked.
  • the network device 403 may replace the padding value of the external locator bits with a locator that addresses the network device 403.
  • in other words, the padding value of the external locator bits is replaced with the location identifier of the network device 403.
  • using the location identifier of the network device 403 as a new externally visible locator can prevent an untrusted destination device from analyzing the location identifier of the terminal 401.
  • the network device 403 forwards the third data packet, where the third data packet includes the third ciphertext.
  • the network device 403 may forward the third data packet according to a forwarding rule such as a routing table.
  • the application server 405 receives the third data packet.
  • the application server 405 may receive the third data packet from the network device 403, or the application server 405 may receive the third data packet forwarded by other network devices. After receiving the third data packet, the application server 405 parses the third data packet to obtain the data sent by the terminal 401 to the application server 405.
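  • The two-hop procedure S501 to S508 above, together with its inverse on the return path (FIG. 10), as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from its applicant. It assumes the 62/32/32/2-bit layout of FIG. 2 with the flag bits in the low-order positions, stands in HMAC-SHA256 truncated to 128 bits for E() of formula (1) (the text names AES; the stand-in keeps the example standard-library only), and stands in a 4-round Feistel cipher with an HMAC round function for the unspecified lightweight 64-bit block cipher F() of formula (3). Keys, addresses, locators and identifiers are constructed values.

```python
"""Toy model of the two-hop source-address encryption of S501-S508 and its
inverse on the return path. Illustrative code added for this page, not the
patent's own. Assumptions: field widths x=62, y1=32, y2=32, z=2 laid out MSB
first; E() stood in for by HMAC-SHA256/128 (text names AES); F() stood in for
by a 4-round 64-bit Feistel cipher with an HMAC round function."""
import hashlib
import hmac
import ipaddress

X, Y1, Y2, Z = 62, 32, 32, 2          # assumed widths, X + Y1 + Y2 + Z == 128
PAD_EXT = 0                           # padding value in the external locator
DEV403_LOC = 0x2000_0DB8_0000_0403    # constructed 62-bit locator of device 403
ROUNDS = 4


def unpack_addr(addr: str):
    """IPv6 address -> (external locator, SrcLoc, HID, flag)."""
    v = int(ipaddress.IPv6Address(addr))
    flag = v & ((1 << Z) - 1)
    hid = (v >> Z) & ((1 << Y2) - 1)
    loc = (v >> (Z + Y2)) & ((1 << Y1) - 1)
    return v >> (Z + Y2 + Y1), loc, hid, flag


def pack_addr(ext: int, loc: int, hid: int, flag: int) -> str:
    """Inverse of unpack_addr."""
    v = (((((ext << Y1) | loc) << Y2) | hid) << Z) | flag
    return str(ipaddress.IPv6Address(v))


def prf128(key: bytes, data: bytes) -> bytes:
    """Stand-in for E(SK, .) of formula (1): keyed, 128-bit output."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def hop1_encrypt(sk1: bytes, dst_ip: str, hid: int) -> int:
    """Device 402 (S503): C = E(SK1, DstIP); EHID = C_y2 XOR HID.
    The destination IP of the packet is the first privacy variable."""
    c = prf128(sk1, ipaddress.IPv6Address(dst_ip).packed)
    c_y2 = int.from_bytes(c[: Y2 // 8], "big")   # truncate C to y2 bits
    return c_y2 ^ hid


hop1_decrypt = hop1_encrypt   # XOR with the same mask is its own inverse


def _round(sk2: bytes, i: int, half: int) -> int:
    d = hmac.new(sk2, bytes([i]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(d[:4], "big")


def f64_encrypt(sk2: bytes, block: int) -> int:
    """Stand-in for F(SK2, .) of formula (3): 64-bit Feistel, 4 rounds."""
    l, r = block >> 32, block & 0xFFFFFFFF
    for i in range(ROUNDS):
        l, r = r, l ^ _round(sk2, i, r)
    return (l << 32) | r


def f64_decrypt(sk2: bytes, block: int) -> int:
    l, r = block >> 32, block & 0xFFFFFFFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round(sk2, i, l), l
    return (l << 32) | r


def hop2_encrypt(sk2: bytes, ehid: int, src_loc: int) -> int:
    """Device 403 (S506): EIP = F(SK2, EHID || SrcLoc). EHID is the second
    privacy variable and travels inside the block, so no extra field is needed."""
    return f64_encrypt(sk2, (ehid << Y1) | src_loc)


def hop2_decrypt(sk2: bytes, eip: int):
    p = f64_decrypt(sk2, eip)
    return p >> Y1, p & ((1 << Y1) - 1)          # (EHID, SrcLoc)


def forward_path(sk1: bytes, sk2: bytes, src_addr: str, dst_addr: str) -> str:
    """Source address as the application server sees it after 402 and 403."""
    _, loc, hid, flag = unpack_addr(src_addr)      # first data packet
    ehid = hop1_encrypt(sk1, dst_addr, hid)        # second data packet: HID -> EHID
    eip = hop2_encrypt(sk2, ehid, loc)             # third data packet: SrcLoc,EHID -> EIP
    # EIP fills the internal-locator and host-identifier fields; 403 also swaps
    # the padding external locator for its own locator (FIG. 9).
    return pack_addr(DEV403_LOC, eip >> Y2, eip & ((1 << Y2) - 1), flag)


def return_path(sk1: bytes, sk2: bytes, dst_addr: str, server_addr: str) -> str:
    """Destination address of the server's reply, restored by 403 then 402."""
    _, loc_f, hid_f, flag = unpack_addr(dst_addr)            # fourth data packet
    ehid, loc = hop2_decrypt(sk2, (loc_f << Y2) | hid_f)     # at 403 with SK2
    hid = hop1_decrypt(sk1, server_addr, ehid)  # at 402: the privacy variable is
    return pack_addr(PAD_EXT, loc, hid, flag)   # the reply's source (server) IP


def demo():
    sk1, sk2 = b"sk1-of-device-402", b"sk2-of-device-403"        # constructed keys
    terminal = pack_addr(PAD_EXT, 0x0A0B0C0D, 0x11223344, 0b01)  # flag 01: encrypt
    w1, w2 = "2001:db8:1::1", "2001:db8:2::1"                    # constructed servers
    seen_by_w1 = forward_path(sk1, sk2, terminal, w1)
    seen_by_w2 = forward_path(sk1, sk2, terminal, w2)
    restored = return_path(sk1, sk2, seen_by_w1, w1)
    return terminal, seen_by_w1, seen_by_w2, restored
```

  • What the code makes visible: the same terminal gets unrelated addresses at two destinations because the destination IP is the privacy variable of hop 1; device 403 needs no state beyond SK2 because the privacy variable of hop 2 (EHID) sits inside the encrypted block; and on the return path device 402 recovers its privacy variable from the reply's source address, so neither device keeps a mapping table. A Feistel network over HMAC is only a stand-in here; a deployment would use a reviewed 64-bit block cipher or a format-preserving encryption standard for F().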
  • the terminal 401 can use a fixed IP address to communicate with the external network.
  • multiple third-party links are usually embedded, and multiple servers can extract the IP address of the terminal 401 from the data packet for correlation analysis. For example, user A uses an IP address to visit the W1 website at a certain time and uses the same IP address to visit the W2 website at the same time. If W1 and W2 are operated by the same parent company or the providers of W1 and W2 are partners that share data, Then the user's behavior in W1 and W2 can be correlated.
  • W2 can associate the user’s real identity information based on the IP address, which will cause privacy leakage.
  • IPv6 prefix information may reveal more specific location information. Only user behavior can be associated with a certain ID. For example, a user uses an application-layer user account to log in to a server, even if the user does not tell The server's specific location information, but the server can still trace the user's location and whereabouts based on the IP address.
  • the network device 402 and the network device 403 encrypt the terminal 401's identity to hide the terminal’s IP address to prevent illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining the terminal’s IP address.
  • this prevents the identity identifier of the terminal 401 and the location identifier of the terminal 401 from being analyzed. Since the addresses of the same source host seen by different destination hosts are not the same, traffic from one source host to different destination hosts cannot be correlated through collusion. Nor can a destination host or an illegal attacker compare the IP addresses of two hosts on the same LAN and find that the two hosts come from the same LAN.
  • the application server 405 may also use the cipher text to send the data packet to the terminal 401.
  • the specific transmission process of the data packet is described in the following embodiment.
  • FIG. 10 is a flowchart of a data processing method provided by an embodiment of the application.
  • it takes the case where the application server 405 sends data to the terminal 401 and the network device 402 and the network device 403 decrypt the identifier of the terminal 401 as an example.
  • the method may include:
  • the application server 405 sends a fourth data packet to the network device 403.
  • the fourth data packet includes a basic header, N extended headers and a data part.
  • the basic header includes a source address (source address) and a destination address (destination address).
  • the source address is the address of the application server 405. Since the source address of the third data packet that the application server 405 received from the terminal 401 was the third ciphertext, the destination address of the fourth data packet contains the third ciphertext.
  • the third ciphertext is set in the network layer protocol header included in the fourth data packet. The third ciphertext is determined according to the location identifier of the terminal 401, the second privacy variable, and the second key.
  • the network device 403 receives the fourth data packet from the application server 405.
  • the network device 403 may receive the fourth data packet from the application server 405, or the network device 403 may receive the fourth data packet forwarded by other network devices.
  • after receiving the fourth data packet from the application server 405, the network device 403 determines that the header of the fourth data packet includes the third ciphertext, decrypts the third ciphertext, and executes S1003.
  • the second indication information is used to indicate that the identity of the terminal 401 has been encrypted.
  • after receiving the fourth data packet from the application server 405, the network device 403 determines, according to the second indication information, to decrypt the location identifier of the terminal 401, and executes S1003.
  • the destination address included in the fourth data packet includes a flag bit, and the value of the flag bit is used to indicate that the identification of the terminal 401 has been encrypted.
  • the flag bit occupies z bits of the destination address; for example, the flag bit occupies 2 bits of the destination address.
  • the identifier of the terminal 401 includes the identity identifier of the terminal 401 and the location identifier of the terminal 401.
  • in one example, when the value of the flag bit is 00, the identifier of the terminal 401 is not encrypted; when the value of the flag bit is 01, the identity identifier of the terminal 401 has been encrypted; when the value of the flag bit is 10, the location identifier of the terminal 401 has been encrypted.
  • in another example, when the value of the flag bit is 00, the identifier of the terminal 401 has been encrypted, and when the value of the flag bit is 01, the identifier of the terminal 401 is not encrypted.
  • the network device 403 generates a location identifier of the terminal 401 according to the third ciphertext, the second privacy variable, and the second key.
  • the network device 403 may extract the third ciphertext from the destination address, decrypt the third ciphertext, obtain the location identifier of the terminal 401, and generate a fifth data packet, where the fifth data packet includes the location identifier of the terminal 401.
  • the network device 403 decrypts the third ciphertext including the following steps.
  • the network device 403 generates a decryption result according to the third ciphertext and the second key.
  • the network device 403 uses a decryption algorithm to perform a decryption operation according to the second key and the third ciphertext to obtain the decryption result.
  • the decryption result satisfies the following formula (4).
  • P represents the decryption result.
  • D() is the decryption algorithm.
  • SK2 represents the encryption key of the network device 403, that is, the second key.
  • EIP stands for the third ciphertext.
  • the network device 403 determines the location identifier of the terminal 401 according to the decryption result and the second privacy variable.
  • the network device 403 may obtain the second privacy variable from the network layer protocol header included in the fourth data packet, and determine the location identifier of the terminal 401 according to the decryption result and the second privacy variable.
  • the length of the decryption result may be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the length of the decryption result may not be equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the second privacy variable is the encrypted identity of the terminal 401, that is, the first ciphertext. It is understandable that both the identity identifier of the terminal 401 and the location identifier of the terminal 401 have been encrypted.
  • the length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the decryption result includes the first ciphertext and the location identifier of the terminal 401.
  • the second privacy variable is hidden in the network layer protocol header included in the fourth data packet. The network device 403 can obtain the second privacy variable from the decryption result.
  • after the network device 403 decrypts the third ciphertext to obtain the decryption result, it can replace the third ciphertext included in the fourth data packet with the location identifier of the terminal 401 and the first ciphertext to generate the fifth data packet.
  • the location identifier of the terminal 401 and the first ciphertext are set in the network layer protocol header included in the fifth data packet.
  • the value of the external locator bit is the location identifier of the network device 403.
  • the value of the internal locator bit and the value of the host identifier bit may be the third ciphertext.
  • the network device 403 decrypts the third ciphertext to obtain the location identifier of the terminal 401, replaces the third ciphertext, and generates a fifth data packet that includes the location identifier of the terminal 401. This makes it possible to forward the fifth data packet to the terminal 401.
  • the fourth data packet also includes a locator for addressing the network device.
  • the network device 403 may replace the locator used for addressing the network device in the external locator bit with the padding value. For example, the location identifier of the network device 403 in the external locator bit is replaced with the padding value, so that the fifth data packet can be forwarded to the terminal 401.
  • the network device 403 forwards a fifth data packet, where the fifth data packet includes the location identifier of the terminal 401 and the first ciphertext.
  • the network device 403 may forward the fifth data packet according to a forwarding rule such as a routing table. For details, reference may be made to the prior art, and details are not repeated.
  • the identifier of the terminal 401 is set in the network layer protocol header included in the fifth data packet.
  • the network device 402 receives the fifth data packet.
  • the network device 402 may receive the fifth data packet from the network device 403, or the network device 402 may receive the fifth data packet forwarded from other network devices.
  • after the network device 402 receives the fifth data packet from the network device 403, it determines that the network layer protocol header of the fifth data packet includes the first ciphertext, decrypts the first ciphertext, and executes S1006.
  • the second indication information is used to indicate that the identity of the terminal 401 has been encrypted.
  • after the network device 402 receives the fifth data packet from the network device 403, it determines to decrypt the first ciphertext according to the second indication information, and executes S1006.
  • the specific implementation of the second indication information can be as described in S1002 above, and will not be described in detail.
  • the network device 402 generates the identity of the terminal 401 according to the first ciphertext, the first privacy variable, and the first key.
  • the network device 402 may extract the first ciphertext from the destination address, decrypt the first ciphertext, obtain the identity of the terminal 401, and generate a sixth data packet, where the sixth data packet includes the identity of the terminal 401.
  • the network device 402 decrypting the first ciphertext includes the following steps.
  • the network device 402 generates a second ciphertext according to the first privacy variable and the first key.
  • the network device 402 may extract the first privacy variable from the network layer protocol header included in the fifth data packet, and use an encryption algorithm to perform an encryption operation according to the first privacy variable and the first key to obtain the second ciphertext.
  • the length of the second ciphertext is greater than the length of the identity of the terminal 401.
  • the first privacy variable includes at least one of time information, information related to the device that transmits or receives the fifth data packet, a random number, and a parameter that changes regularly.
  • the information related to the device that transmits or receives the fifth data packet is the source IP address included in the fifth data packet.
  • the source IP address may be the address of the application server 405.
  • the first privacy variable is set in the network layer protocol header included in the fifth data packet.
  • the fifth data packet also includes the location identifier of the terminal 401.
  • the network device 402 determines the identity of the terminal 401 according to the second ciphertext and the first ciphertext.
  • the network device 402 may truncate the second ciphertext to a y2-bit value, y2 being the length of the identity identifier of the terminal 401, and determine the identity identifier of the terminal 401 according to the truncated y2-bit value and the first ciphertext.
  • the length of the first ciphertext is equal to the length of the terminal 401's identity.
  • the length of the second ciphertext is greater than the length of the identity of the terminal 401.
  • an exclusive OR operation is performed on the second ciphertext and the first ciphertext to obtain the identity of the terminal 401.
  • the identity of the terminal 401 satisfies the following formula (5).
  • EHID represents the first ciphertext.
  • C_y2 represents the y2-bit value truncated from the second ciphertext.
  • HID represents the identity identifier of the terminal 401.
  • XOR denotes the exclusive OR operation.
  • after the network device 402 decrypts the first ciphertext to obtain the identity identifier of the terminal 401, it replaces the first ciphertext included in the fifth data packet with the identity identifier of the terminal 401 to generate a sixth data packet.
  • the identity of the terminal 401 is set in the network layer protocol header included in the sixth data packet.
  • FIG. 14 is a schematic diagram of the decryption process of the destination IP address.
  • the value of the external locator bit is the location identifier of the network device 403.
  • the value of the internal locator bit and the value of the host identifier bit may be the third ciphertext.
  • the value of the external locator bit is the filling value.
  • the value of the internal locator bit is the location identifier of the terminal 401.
  • the value of the host identifier bit may be the first ciphertext.
  • the network device 402 forwards a sixth data packet, where the sixth data packet includes the identity of the terminal 401.
  • the network device 402 may forward the sixth data packet according to a forwarding rule such as a routing table.
  • the terminal 401 receives the sixth data packet.
  • the terminal 401 may receive the sixth data packet from the network device 402, or the terminal 401 may receive the sixth data packet forwarded by other network devices. After receiving the sixth data packet, the terminal 401 parses the sixth data packet to obtain the data sent by the application server 405 to the terminal 401.
  • the network device 402 and the network device 403 decrypt the ciphertext so as to transmit the data of the application server 405 to the terminal 401.
  • the second privacy variable is the identity of the terminal 401. It is understandable that after the network device 402 receives the first data packet from the terminal 401, S503 is not executed, that is, the identity identifier of the terminal 401 is not encrypted, and the first data packet is forwarded.
  • the network device 403 receives the first data packet, and the first data packet includes the identity of the terminal 401.
  • the network device 403 can encrypt the identity of the terminal 401 and the location of the terminal 401 according to the second key to obtain the third ciphertext, and replace the identity of the terminal 401 and the location of the terminal 401 with the third ciphertext.
  • the second privacy variable may be the identity of the terminal 401.
  • the length of the third ciphertext is equal to the sum of the length of the identity identifier of the terminal 401 and the length of the location identifier of the terminal 401.
  • the value of the external locator bit is the filling value.
  • the value of the internal locator bit may be the location identifier of the terminal 401.
  • the value of the host identifier bit may be the identity of the terminal 401.
  • the network device 403 encrypts the identity of the terminal 401 and the location of the terminal 401 to obtain the third ciphertext (EIP), and replaces the value of the internal locator bit and the value of the host identifier bit with EIP, that is, replaces the terminal with EIP
  • the third ciphertext is decrypted at the network device 403 to obtain a decryption result.
  • the decryption result includes the identity of the terminal 401 and the location of the terminal 401.
  • the second privacy variable is hidden in the network layer protocol header included in the fourth data packet.
  • the second privacy variable may be the identity of the terminal 401.
  • the decryption result includes the identity of the terminal 401, and the network device 403 can obtain the second privacy variable from the decryption result.
  • the location identifier of the terminal 401 and the identity identifier of the terminal 401 may be used to replace the third ciphertext.
  • FIG. 15 is a schematic diagram of the decryption process of the destination IP address.
  • the first privacy variable includes at least one of time information, information related to a device that transmits or receives the first data packet, a random number, and a parameter that changes regularly.
  • the information related to the device that transmits or receives the first data packet is the destination IP address included in the first data packet.
  • the destination IP address may be the address of the application server 405.
  • the network device 402 may use the first key and the first privacy variable to encrypt the identity of the terminal 401 to obtain the first ciphertext, and then replace the identity of the terminal 401 with the first ciphertext to obtain the second data packet.
  • the first ciphertext may be set in the network layer protocol header included in the second data packet.
  • the length of the first ciphertext is equal to the length of the identity of the terminal 401.
  • the length of the source address is variable. The length of the first ciphertext may not be equal to the length of the identity of the terminal 401.
  • the first privacy variable can be set at any position in the network layer protocol header included in the second data packet.
  • the first privacy variable can be hidden in the host identifier.
  • the first privacy variable is time information, and the terminal 401 adds the time information when generating the host identifier placed in the host identifier bit of the first data packet.
  • the network device 402 may extract the first privacy variable from the host identifier bits in the network layer protocol header included in the first data packet.
  • the first privacy variable is exposed in the network layer protocol header included in the first data packet.
  • the network device 402 may extract the first privacy variable from the network layer protocol header included in the first data packet.
  • the first privacy variable is the destination IP address.
  • the length of the first data packet is variable, and a field for setting the first privacy variable is added to the network layer protocol header included in the first data packet.
  • the network device 402 may extract the first privacy variable from the network layer protocol header included in the first data packet.
  • the network device 402 can use the encryption method of S506 or S503 to encrypt the identity of the terminal 401.
  • for the detailed encryption process, refer to the description of S506 or S503, which is not repeated here.
  • the network device 402 uses the encryption method of S503 to encrypt the identity of the terminal 401.
  • the first privacy variable is set in the network layer protocol header included in the second data packet, so that when the network device 402 receives a data packet containing the first ciphertext, it extracts the first privacy variable from that data packet and can use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity identifier of the terminal 401.
  • the network device 402 uses the encryption method of S506 to encrypt the identity of the terminal 401.
  • the first privacy variable is hidden in the network layer protocol header included in the second data packet.
  • the network device 402 may decrypt the first ciphertext to obtain a decryption result, and the decryption result includes the first privacy variable.
  • the network device 402 obtains the first privacy variable from the decryption result.
  • the second privacy variable includes at least one of time information, information related to the device that transmits or receives the second data packet, a random number, and a parameter that changes regularly.
  • the information related to the device that transmits or receives the second data packet is the destination IP address contained in the second data packet, that is, the IP address of the application server 405.
  • the network device 403 may use the second key and the second privacy variable to encrypt the location identifier of the terminal 401 to obtain the third ciphertext, and replace the location identifier of the terminal 401 with the third ciphertext to obtain the third data packet.
  • the third ciphertext may be set in the network layer protocol header included in the third data packet.
  • the length of the third ciphertext is equal to the length of the location identifier of the terminal 401.
  • the length of the source address is variable.
  • the length of the third ciphertext may not be equal to the length of the location identifier of the terminal 401.
  • the second privacy variable can be set anywhere in the second data packet.
  • the second privacy variable is hidden in the network layer protocol header included in the second data packet.
  • the second privacy variable can be hidden in the internal locator.
  • the second privacy variable is time information, and the terminal 401 adds the time information when generating the internal locator placed in the internal locator bit of the first data packet.
  • the network device 403 may extract the second privacy variable from the internal locator bit in the network layer protocol header included in the second data packet.
  • the second privacy variable is exposed in the network layer protocol header included in the second data packet.
  • the network device 403 may extract the second privacy variable from the network layer protocol header included in the second data packet.
  • the second privacy variable is the destination IP address.
  • the length of the second data packet is variable, and a field for setting the second privacy variable is added to the network layer protocol header included in the second data packet.
  • the network device 403 can use the encryption method of S506 or S503 to encrypt the location identifier of the terminal 401.
  • for the detailed encryption process, refer to the description of S506 or S503, which is not repeated here.
  • the network device 403 uses the encryption method of S503 to encrypt the location identifier of the terminal 401.
  • the second privacy variable is set in the network layer protocol header included in the third data packet, so that when the network device 403 receives a data packet containing the third ciphertext, it extracts the second privacy variable from that data packet and can use the second key and the second privacy variable to decrypt the third ciphertext to obtain the location identifier of the terminal 401.
  • the network device 403 uses the encryption method of S506 to encrypt the location identifier of the terminal 401.
  • the second privacy variable is hidden in the network layer protocol header included in the third data packet.
  • the network device 403 may decrypt the third ciphertext to obtain a decryption result, and the decryption result includes the second privacy variable.
  • the network device 403 obtains the second privacy variable from the decryption result.
  • the first privacy variable and the second privacy variable may be the same.
  • the first privacy variable and the second privacy variable are both the same time information.
  • the first privacy variable and the second privacy variable may be different.
  • the value of the external locator bit can be the padding value.
  • the value of the internal locator bit can be the location identifier of the terminal 401.
  • the value of the host identifier bit can be the identity identifier of the terminal 401.
  • the value of the external locator bit may be the padding value.
  • the value of the internal locator bit may be the location identifier of the terminal 401.
  • the value of the host identifier bit may be EHID.
  • after the network device 402 encrypts the identity identifier of the terminal 401 to obtain the EHID, it replaces the identity identifier of the terminal 401 with the EHID.
  • the value of the external locator bit can be the locator of the network device 403.
  • the value of the internal locator bit can be EIP.
  • the value of the host identifier bit can be EHID.
  • the method for encrypting the location identifier of the terminal 401 and the identity identifier of the terminal 401 is not limited.
  • the network device 402 may use the encryption method of S503 to encrypt the identity of the terminal 401.
  • the network device 403 may use the encryption method of S503 to encrypt the location identifier of the terminal 401.
  • the network device 402 may use the encryption method of S506 to encrypt the identity of the terminal 401.
  • the network device 403 may use the encryption method of S506 to encrypt the location identifier of the terminal 401.
  • the network device 402 may use the encryption method of S503 to encrypt the identity of the terminal 401.
  • the network device 403 may use the encryption method of S506 to encrypt the location identifier of the terminal 401.
  • the network device 402 may use the encryption method of S506 to encrypt the identity of the terminal 401.
  • the network device 403 may use the encryption method of S503 to encrypt the location identifier of the terminal 401.
  • the network device 403 may use the second key and the second privacy variable to decrypt the third ciphertext to obtain the location identifier of the terminal 401, and then replace the third ciphertext with the location identifier of the terminal 401 to obtain the fifth data packet.
  • the third ciphertext may be set in the network layer protocol header included in the fourth data packet.
  • the length of the third ciphertext is equal to the length of the location identifier of the terminal 401.
  • the length of the destination address is variable. The length of the third ciphertext may not be equal to the length of the location identifier of the terminal 401.
  • the second privacy variable can be set anywhere in the fourth data packet.
  • the second privacy variable is exposed in the network layer protocol header included in the fourth data packet, and the network device 403 extracts the second privacy variable from the network layer protocol header included in the fourth data packet.
  • the second privacy variable is hidden in the network layer protocol header included in the second data packet.
  • the network device 403 may decrypt the third ciphertext to obtain a decryption result, and the decryption result includes the second privacy variable.
  • the network device 403 obtains the second privacy variable from the decryption result.
  • the second privacy variable includes at least one of time information, information related to the device that transmits or receives the fourth data packet, a random number, and a parameter that changes regularly.
  • the information related to the device that transmits or receives the fourth data packet is the source IP address included in the fourth data packet, that is, the IP address of the application server 405.
  • the network device 403 can use the decryption method of S1006 or S1003 to decrypt the location identifier of the terminal 401.
  • the fourth data packet also includes the first ciphertext.
  • the first ciphertext may be set in the network layer protocol header included in the fourth data packet.
  • the network device 402 can use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity of the terminal 401, and then replace the first ciphertext with the identity of the terminal 401 to obtain the sixth data packet.
  • the first ciphertext may be set in the network layer protocol header included in the fifth data packet.
  • the length of the first ciphertext is equal to the length of the identity of the terminal 401.
  • the length of the destination address is variable. The length of the first ciphertext may not be equal to the length of the identity of the terminal 401.
  • the first privacy variable can be set anywhere in the fifth data packet.
  • the first privacy variable is exposed in the network layer protocol header included in the fifth data packet, and the network device 402 extracts the first privacy variable from the network layer protocol header included in the fifth data packet.
  • the first privacy variable is hidden in the network layer protocol header included in the fifth data packet.
  • the network device 402 may decrypt the first ciphertext to obtain a decryption result, and the decryption result includes the first privacy variable.
  • the network device 402 obtains the first privacy variable from the decryption result.
  • when the network device 402 receives the fifth data packet containing the first ciphertext, it can use the first key and the first privacy variable to decrypt the first ciphertext to obtain the identity identifier of the terminal 401.
  • the first privacy variable includes at least one of time information, information related to the device transmitting or receiving the fifth data packet, a random number, and a parameter that changes regularly.
  • the information related to the device that transmits or receives the fifth data packet is the source IP address included in the fifth data packet, that is, the IP address of the application server 405.
  • the network device 402 can use the decryption method of S1006 or S1003 to decrypt the identity of the terminal 401.
  • for the detailed decryption process, refer to the description of S1006 or S1003, which is not repeated here.
  • FIG. 17 is a schematic diagram of the decryption process of the destination IP address.
  • the value of the external locator bit is the location identifier of the network device 403.
  • the value of the internal locator bit is EIP.
  • the value of the host identifier bit can be EHID.
  • the value of the external locator bit is the filling value.
  • the value of the internal locator bit is the location identifier of the terminal 401.
  • the value of the host identifier bit can be EHID.
  • the value of the host identifier bit may also be the identity of the terminal 401.
  • the value of the external locator bit is the filling value.
  • the value of the internal locator bit is the location identifier of the terminal 401.
  • the value of the host identifier bit may be the identity identifier (HID) of the terminal 401.
  • The method for decrypting the third ciphertext to obtain the location identifier of the terminal 401, and the method for decrypting the first ciphertext to obtain the identity identifier of the terminal 401, are not limited. The network device 402 may use the decryption method of either S1003 or S1006 for the first ciphertext, and the network device 403 may independently use either S1003 or S1006 for the third ciphertext, which gives four combinations:
  • the network device 402 uses S1003 for the first ciphertext and the network device 403 uses S1003 for the third ciphertext;
  • the network device 402 uses S1006 for the first ciphertext and the network device 403 uses S1006 for the third ciphertext;
  • the network device 402 uses S1003 for the first ciphertext and the network device 403 uses S1006 for the third ciphertext;
  • the network device 402 uses S1006 for the first ciphertext and the network device 403 uses S1003 for the third ciphertext.
  • In another embodiment, the network device 402 receives the first data packet from the terminal 401 and does not execute S503; that is, the identity identifier of the terminal 401 is not encrypted, and the first data packet is forwarded as is.
  • The network device 403 receives the first data packet, which includes the identity identifier of the terminal 401.
  • The network device 403 may encrypt the location identifier of the terminal 401 according to the second key and the second privacy variable to obtain the third ciphertext, and replace the location identifier of the terminal 401 with the third ciphertext.
  • The length of the third ciphertext may be equal to the length of the location identifier of the terminal 401, or it may differ from it.
  • For the encryption process, refer to the description of S506 or S503, which is not repeated here.
  • The second privacy variable may be the first ciphertext (EHID), in which case the identity identifier of the terminal 401 has been replaced with the EHID.
  • After the network device 403 encrypts the location identifier of the terminal 401 to obtain the EIP, it replaces the value of the internal locator bit with EIP, that is, it replaces the location identifier of the terminal 401 with EIP.
  • Alternatively, the network device 403 may generate a fourth ciphertext according to the second key and the first ciphertext, and then determine the third ciphertext (EIP) according to the fourth ciphertext and the location identifier of the terminal 401. The network device 403 replaces the value of the internal locator bit with EIP, that is, it replaces the location identifier of the terminal 401 with EIP. The value of the host identifier bit may be the encrypted identity identifier of the terminal 401, that is, the first ciphertext (EHID).
  • When the network device 403 decrypts the third ciphertext, it generates the fourth ciphertext according to the second key and the first ciphertext, and determines the location identifier of the terminal 401 according to the fourth ciphertext and the third ciphertext. The network device 403 may then replace the value EIP of the internal locator bit with the location identifier of the terminal 401.
  • The data processing method provided in this application can be applied in a cloud environment, enabling a cloud service provider that has deployed a large number of edge nodes to offer users privacy protection. A user can choose a cloud service that protects the privacy of the IPv6 addresses used to forward its data packets.
  • The multiple application servers 405 in FIG. 4 may be application servers within the jurisdiction of a cloud service provider.
  • Cloud service providers can deploy a large number of edge nodes to provide users with data transmission services.
  • The edge node close to the terminal may be referred to as the near-source node, for example the network device 402 in FIG. 4.
  • The edge node close to the website server (such as the application server 405) may be called the near-destination node, for example the network device 403 in FIG. 4.
  • The edge nodes of the cloud service provider can be selected to provide services for the terminal 401.
  • FIG. 18 is a schematic diagram of the architecture of a communication system based on cloud services.
  • The communication system includes at least one terminal 401, an internetwork, and at least one application server.
  • The internetwork may include at least one network device (for example, the network device 402 and the network device 403).
  • The IP address of the terminal 401 is IP UE, the IP address of the network device 402 is IP0, the IP address of the network device 403 is IP1, and the IP address of the application server 405 is IP s1.
  • As shown in FIG. 19, the data processing method described in this embodiment includes the following steps.
  • The terminal 401 sends a first data packet to the network device 402. The terminal 401 selects the cloud service provider node closest to itself, that is, the network device 402, establishes a secure channel with it, and sends the first data packet through that secure channel.
  • The inner IP header of the first data packet contains a source address and a destination address: the source address includes the identification bit and the identity identifier HID UE of the terminal 401, and the destination address includes the IP address IP s1 of the application server 405.
  • The outer IP header of the first data packet contains a source address and a destination address: the source address is the IP address IP UE of the terminal 401, and the destination address is the IP address IP0 of the network device 402.
  • The network device 402 receives the first data packet from the terminal 401, first decapsulates it to obtain the destination address of the inner IP header, that is, the IP address IP s1 of the application server 405, and selects the cloud provider node closest to the application server 405 according to IP s1, that is, the network device 403.
  • The network device 402 forwards the second data packet to the network device 403. The network device 402 establishes a secure channel with the network device 403 and sends the second data packet through that secure channel.
  • The inner IP header of the second data packet contains a source address and a destination address: the source address includes the identification bit and the identity identifier HID UE of the terminal 401, and the destination address includes the IP address IP s1 of the application server 405.
  • The outer IP header of the second data packet contains a source address and a destination address: the source address is the IP address IP0 of the network device 402, and the destination address is the IP address IP1 of the network device 403.
  • The network device 403 receives the second data packet from the network device 402, and first decapsulates it to obtain the source address and the destination address of the inner IP header: the source address carries the identity identifier HID UE of the terminal 401, and the destination address is the IP address IP s1 of the application server 405.
  • The network device 403 generates a first ciphertext according to the identity identifier of the terminal 401, the first privacy variable, and the first key. That is, the network device 403 encrypts and protects the HID UE of the terminal 401: for example, it generates the second ciphertext according to the first key and the first privacy variable, and determines the first ciphertext according to the second ciphertext and the HID UE of the terminal 401.
  • The first privacy variable may be the IP address IP s1 of the application server 405.
  • The network device 403 replaces the identity identifier (HID UE) of the terminal 401 with the first ciphertext (EHID). For details, refer to the description of S503, which is not repeated here.
  • The network device 403 generates a third ciphertext according to the location identifier of the network device 402, the second privacy variable, and the second key. That is, the network device 403 encrypts and protects the location identifier of the network device 402: for example, it generates the data to be encrypted according to the location identifier of the network device 402 and the second privacy variable, and generates the third ciphertext (EIP) according to the second key and the data to be encrypted. The network device 403 replaces the location identifier of the network device 402 and the EHID with the third ciphertext. For details, refer to the description of S506, which is not repeated here.
  • The second privacy variable may be the first ciphertext.
  • The location identifier of the network device 402 may be an index of the network device 402; the network device 403 may query the locator index mapping table according to the IP address IP0 of the network device 402 to obtain this index.
  • The difference from the foregoing embodiment is that the encryption of the location identifier of the terminal 401 in the foregoing embodiment is replaced by the encryption and protection of the location identifier of the network device 402.
  • The network device 403 forwards the third data packet to the application server 405. The third data packet includes the third ciphertext and the IP address IP1 of the network device 403.
  • The application server 405 receives the third data packet from the network device 403. The application server 405 may also use the ciphertext to send data packets back to the terminal 401.
  • The data processing method described in this embodiment further includes the following steps.
  • The application server 405 sends a fourth data packet to the network device 403. The destination address included in the fourth data packet includes the third ciphertext, which is set in the network layer protocol header of the fourth data packet.
  • The network device 403 receives the fourth data packet from the application server 405.
  • The network device 403 recovers the location identifier of the network device 402 and the first ciphertext from the third ciphertext according to the second privacy variable and the second key. That is, the network device 403 decrypts the third ciphertext: it generates a decryption result according to the third ciphertext and the second key, and determines the location identifier of the network device 402 according to the decryption result and the second privacy variable, that is, according to the decryption result and the first ciphertext. For details, refer to the description of S1103, which is not repeated here.
  • The location identifier of the network device 402 and the first ciphertext may be used to replace the third ciphertext included in the fourth data packet to generate the fifth data packet; they are set in the network layer protocol header of the fifth data packet.
  • The network device 403 generates the identity identifier of the terminal 401 according to the first ciphertext, the first privacy variable, and the first key. That is, the network device 403 decrypts the first ciphertext to obtain the identity identifier of the terminal 401, and replaces the first ciphertext included in the fourth data packet with the identity identifier of the terminal 401 to generate the fifth data packet; the identity identifier of the terminal 401 is set in the network layer protocol header of the fifth data packet.
  • For example, the network device 403 generates a second ciphertext according to the first privacy variable and the first key, and determines the identity identifier of the terminal 401 according to the second ciphertext and the first ciphertext. The first privacy variable may be the IP address IP s1 of the application server 405. For details, refer to the description of S1106, which is not repeated here.
  • The network device 403 forwards the fifth data packet to the network device 402 through the secure channel, according to the location identifier of the network device 402.
  • The inner IP header of the fifth data packet contains a source address and a destination address: the source address includes the IP address IP s1 of the application server 405, and the destination address includes the location identifier of the network device 402 and the identity identifier HID UE of the terminal 401.
  • The outer IP header of the fifth data packet contains a source address and a destination address: the source address is the IP address IP1 of the network device 403, and the destination address is the IP address IP0 of the network device 402.
  • The network device 402 receives the fifth data packet from the network device 403 and forwards the sixth data packet to the terminal 401 through the secure channel.
  • The inner IP header of the sixth data packet contains a source address and a destination address: the source address includes the IP address IP s1 of the application server 405, and the destination address includes the location identifier of the network device 402 and the identity identifier HID UE of the terminal 401.
  • The outer IP header of the sixth data packet contains a source address and a destination address: the source address is the IP address IP0 of the network device 402, and the destination address is the IP address IP UE of the terminal 401.
  • The terminal 401 receives the sixth data packet from the network device 402.
  • In this way, the network device 402 and the network device 403 encrypt the identity identifier of the terminal 401 to hide the terminal's IP address, preventing illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining the terminal's IP address and from analyzing the identity identifier and the location identifier of the terminal 401 on the basis of it.
  • Since the addresses of the same source host seen by different destination hosts are not the same, traffic from the same source host to different destination hosts cannot be correlated through collusion between those destinations. Nor can a destination host or an illegal attacker tell from the IP addresses of two hosts on the same LAN that they come from the same LAN.
  • Before encryption, the value of the external locator bit is the filling value, the value of the internal locator bit may be the index of the network device 402, and the value of the host identifier bit may be the identity identifier HID UE of the terminal 401.
  • The network device 403 first encrypts the HID UE of the terminal 401 to obtain the EHID, and replaces the value of the host identifier bit with the EHID.
  • The network device 403 then encrypts the EHID together with the index of the network device 402 to generate EIP, and replaces the index of the network device 402 and the EHID with EIP.
  • The external locator bit occupies x bits in the source address, for example 62 bits; the internal locator bit occupies y1 bits, for example 48 bits; the host identifier bit occupies y2 bits, for example 16 bits; and the tag bit occupies z bits, for example 2 bits.
  • The data packet generated by the application server 405 includes EIP. The network device 403 first decrypts the EIP to obtain the index of the network device 402 and the EHID, and replaces the EIP with them; it then decrypts the EHID to obtain the HID UE, and replaces the EHID with the HID UE.
  • For the specific decryption method, refer to the description of the above-mentioned embodiment, which is not repeated here.
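The following is an added example, not code from the patent or from Huawei, that instantiates the two-stage protection performed by the network device 403 in the cloud embodiment (HID UE encrypted into EHID with the destination address as the first privacy variable, then the index of the network device 402 encrypted into EIP with EHID as the second privacy variable) together with the return-path decryption in the reverse order, over the 62/48/16/2-bit address layout described above. The patent does not name the cipher: the example assumes that the "second ciphertext" and "fourth ciphertext" are produced by an HMAC-SHA256 keyed PRF truncated to the field width and combined with the field by XOR, so that ciphertext and field have equal length. All function names, keys and sample values are the example's own.

```python
# Added example (not the patent's code). Assumptions, none of which the patent
# text specifies: HMAC-SHA256 as the keyed PRF, XOR as the combining step, and
# a 128-bit address split into 62 | 48 | 16 | 2 bits.
import hashlib
import hmac
import ipaddress

EXT_BITS, INT_BITS, HID_BITS, TAG_BITS = 62, 48, 16, 2
assert EXT_BITS + INT_BITS + HID_BITS + TAG_BITS == 128


def _prf(key: bytes, privacy_variable: bytes, nbits: int) -> int:
    """Keyed pseudo-random value of nbits derived from the privacy variable."""
    digest = hmac.new(key, privacy_variable, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def encrypt_hid(k1: bytes, hid: int, dst_ip: str) -> int:
    """S1905: first ciphertext EHID = HID xor PRF(k1, IP_s1).

    The privacy variable is the application server's address, so the same
    HID yields a different EHID towards every destination.
    """
    pad = _prf(k1, ipaddress.ip_address(dst_ip).packed, HID_BITS)
    return hid ^ pad


def decrypt_hid(k1: bytes, ehid: int, dst_ip: str) -> int:
    """S1912: XOR is its own inverse, so recovery repeats the PRF step."""
    return encrypt_hid(k1, ehid, dst_ip)


def encrypt_locator(k2: bytes, locator: int, ehid: int) -> int:
    """S1906: third ciphertext EIP = locator xor PRF(k2, EHID).

    The second privacy variable is the first ciphertext, which binds the
    encrypted locator to the encrypted identity carried in the same address.
    """
    pad = _prf(k2, ehid.to_bytes(HID_BITS // 8, "big"), INT_BITS)
    return locator ^ pad


def decrypt_locator(k2: bytes, eip: int, ehid: int) -> int:
    """S1911: EHID is still present in the address, so EIP is undone first."""
    return encrypt_locator(k2, eip, ehid)


def pack_address(ext: int, internal: int, hid: int, tag: int) -> str:
    """Assemble external locator | internal locator | host identifier | tag."""
    fields = ((ext, EXT_BITS), (internal, INT_BITS), (hid, HID_BITS), (tag, TAG_BITS))
    for value, width in fields:
        if not 0 <= value < (1 << width):
            raise ValueError(f"field value {value:#x} does not fit in {width} bits")
    raw = (ext << (INT_BITS + HID_BITS + TAG_BITS)) | (internal << (HID_BITS + TAG_BITS))
    raw |= (hid << TAG_BITS) | tag
    return str(ipaddress.IPv6Address(raw))


def unpack_address(addr: str) -> tuple:
    """Split an address back into (external locator, internal locator, HID, tag)."""
    raw = int(ipaddress.IPv6Address(addr))
    tag = raw & ((1 << TAG_BITS) - 1)
    hid = (raw >> TAG_BITS) & ((1 << HID_BITS) - 1)
    internal = (raw >> (TAG_BITS + HID_BITS)) & ((1 << INT_BITS) - 1)
    ext = raw >> (TAG_BITS + HID_BITS + INT_BITS)
    return ext, internal, hid, tag


def protect_source_address(k1, k2, ext, locator_index, hid, dst_ip, tag):
    """Forward path at the near-destination node: encrypt HID first, then the
    locator index using the resulting EHID, and write both into the address."""
    ehid = encrypt_hid(k1, hid, dst_ip)
    eip = encrypt_locator(k2, locator_index, ehid)
    return pack_address(ext, eip, ehid, tag)


def recover_destination_address(k1, k2, addr, src_ip):
    """Return path: the server's address is now the packet's source, so it is
    available as the first privacy variable; decrypt EIP before EHID."""
    ext, eip, ehid, tag = unpack_address(addr)
    locator_index = decrypt_locator(k2, eip, ehid)
    hid = decrypt_hid(k1, ehid, src_ip)
    return ext, locator_index, hid, tag
```

Two properties argued in the text are visible in the code: because the first privacy variable is the destination address, the same HID UE maps to a different EHID (and therefore a different EIP) towards every application server, which is the unlinkability claim above; and because the EHID stays in the address, the near-destination node can undo EIP first and EHID second with no per-flow state, using only k1, k2 and the server address that arrives as the packet's source. The XOR construction is a pure length-preserving mask and provides no integrity, so a node that accepts such addresses should still rely on the secure channel they arrived over for authenticity.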
  • In summary, the network device encrypts the identifier of the terminal according to the key and the privacy variable to obtain the ciphertext, replaces the identifier of the terminal with the ciphertext, and then sends the second data packet, which includes the ciphertext. The network device thereby hides the terminal's IP address, preventing illegal attackers (such as untrusted devices or illegal eavesdroppers) from obtaining it and from analyzing the identity identifier and the location identifier of the terminal on the basis of that IP address.
  • FIG. 23 is a flowchart of a data processing method provided by an embodiment of the present application. The method may include the following steps.
  • The terminal sends a first data packet to a network device, where the first data packet includes an identifier of the terminal. The identifier of the terminal is used to indicate the terminal and is set in the network layer protocol header included in the first data packet.
  • The network device receives the first data packet.
  • The network device generates a first ciphertext according to the identifier of the terminal, the privacy variable, and the key. The identifier of the terminal may be the identity identifier of the terminal or the location identifier of the terminal. The network devices and the keys used to encrypt the identity identifier and the location identifier may be the same or different; this is not limited. For details, refer to the descriptions of S503, S506, S1905, and S1906, which are not repeated here.
  • The network device sends a second data packet, where the second data packet includes the first ciphertext, set in its network layer protocol header.
  • The application server receives the second data packet.
  • The application server sends a third data packet to the network device, where the third data packet includes the first ciphertext. The first ciphertext is determined according to the identifier of the terminal, the privacy variable, and the key; the identifier of the terminal is used to indicate the terminal, and the first ciphertext is set in the network layer protocol header included in the third data packet.
  • The network device receives the third data packet.
  • The network device generates the identifier of the terminal according to the first ciphertext, the privacy variable, and the key.
  • The network device sends a fourth data packet, where the fourth data packet includes the identifier of the terminal, set in its network layer protocol header.
  • The terminal receives the fourth data packet.
  • To implement the above functions, the network device includes hardware structures and/or software modules corresponding to each function.
  • The present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a given function is executed by hardware or by computer software driving hardware depends on the specific application scenario and the design constraints of the technical solution.
  • FIG. 24 and FIG. 25 are schematic structural diagrams of possible data processing apparatuses provided by embodiments of this application. These data processing apparatuses can be used to implement the functions of the network equipment in the foregoing method embodiments, and therefore can also achieve the beneficial effects of the foregoing method embodiments.
  • the data processing apparatus may be a network device 402 or a network device 403 as shown in FIG. 4, and may also be a module (such as a chip) applied to a network device.
  • the data processing device 2400 includes a receiving unit 2410, a processing unit 2420, and a sending unit 2430.
  • the data processing apparatus 2400 is used to implement the functions of the network device in the method embodiment shown in FIG. 5, FIG. 7, FIG. 10, FIG. 12, FIG. 19, FIG. 20, or FIG. 23.
  • the receiving unit 2410 is used to perform S502; the processing unit 2420 is used to perform S503; and the sending unit 2430 is used to perform S504.
  • the receiving unit 2410 is used to perform S505; the processing unit 2420 is used to perform S506; and the sending unit 2430 is used to perform S507.
  • the receiving unit 2410 is used to perform S502; the processing unit 2420 is used to perform S5031 and S5032; and the sending unit 2430 is used to perform S504.
  • the receiving unit 2410 is used to perform S505; the processing unit 2420 is used to perform S5061 and S5062; and the sending unit 2430 is used to perform S507.
  • the receiving unit 2410 is used to perform S1005; the processing unit 2420 is used to perform S1006; and the sending unit 2430 is used to perform S1007.
  • the receiving unit 2410 is used to perform S1002; the processing unit 2420 is used to perform S1003; and the sending unit 2430 is used to perform S1004.
  • the receiving unit 2410 is used to perform S1005; the processing unit 2420 is used to perform S1006a and S1006b; and the sending unit 2430 is used to perform S1007.
  • the receiving unit 2410 is used to perform S1002; the processing unit 2420 is used to perform S1003a and S1003b; and the sending unit 2430 is used to perform S1004.
  • the receiving unit 2410 is used to perform S1902; the sending unit 2430 is used to perform S1903.
  • the receiving unit 2410 is used to perform S1904; the processing unit 2420 is used to perform S1905 and S1906; and the sending unit 2430 is used to perform S1907.
  • the receiving unit 2410 is used to perform S1914; the sending unit 2430 is used to perform S1915.
  • the receiving unit 2410 is used to perform S1910; the processing unit 2420 is used to perform S1911 and S1912; and the sending unit 2430 is used to perform S1913.
  • the receiving unit 2410 is used to perform S2302 and S2307; the processing unit 2420 is used to perform S2303 and S2308; the sending unit 2430 is used to perform S2304 And S2309.
  • the data processing device 2500 includes a processor 2510 and an interface circuit 2520.
  • the processor 2510 and the interface circuit 2520 are coupled with each other.
  • the interface circuit 2520 may be a transceiver or an input/output interface.
  • the data processing apparatus 2500 may further include a memory 2530 for storing instructions executed by the processor 2510 or storing input data required by the processor 2510 to run the instructions or storing data generated after the processor 2510 runs the instructions.
  • The processor in the embodiments of the present application may be a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or a field programmable gate array (FPGA). A general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application can be implemented by hardware, and can also be implemented by a processor executing software instructions.
  • Software instructions can be composed of corresponding software modules, which can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC can be located in a network device or a terminal device.
  • the processor and the storage medium may also exist as discrete components in the network device or the terminal device.
  • the above-mentioned embodiments it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • software it can be implemented in the form of a computer program product in whole or in part.
  • the computer program product includes one or more computer programs or instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, network equipment, user equipment, or other programmable devices.
  • the computer program or instruction may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • The computer program or instruction may be downloaded from a website, computer, server or data center and transmitted to another website, computer, server or data center through wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center that integrates one or more available media.
  • The usable medium may be a magnetic medium, such as a floppy disk, a hard disk or a magnetic tape; an optical medium, such as a digital video disc (DVD); or a semiconductor medium, such as a solid state drive (SSD).
  • “at least one” refers to one or more, and “multiple” refers to two or more.
  • “And/or” describes the association relationship of the associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone, where A, B can be singular or plural.
  • The character "/" generally indicates that the associated objects before and after it are in an "or" relationship; in the formulas of this application, the character "/" indicates a "division" relationship.

Abstract

The invention relates to a data processing method and apparatus, which belong to the field of communications and solve the problem of how to protect the IP address of a terminal so as to prevent leakage of the terminal's private information. The method comprises: after receiving a first data packet, a network device encrypts an identifier of a terminal according to a key and a privacy variable to obtain a ciphertext, and replaces the identifier of the terminal with the ciphertext; and the network device sends a second data packet, where the second data packet includes the ciphertext and does not include the identifier of the terminal.
PCT/CN2021/081536 2020-03-20 2021-03-18 Procédé et appareil de traitement de données WO2021185314A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010203158.4A CN113497788A (zh) 2020-03-20 2020-03-20 数据处理方法及装置
CN202010203158.4 2020-03-20

Publications (1)

Publication Number Publication Date
WO2021185314A1 true WO2021185314A1 (fr) 2021-09-23

Family

ID=77770161

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/081536 WO2021185314A1 (fr) 2020-03-20 2021-03-18 Procédé et appareil de traitement de données

Country Status (2)

Country Link
CN (1) CN113497788A (fr)
WO (1) WO2021185314A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844729B (zh) * 2022-07-04 2022-09-30 中国人民解放军国防科技大学 一种网络信息隐藏方法及系统

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050141531A1 (en) * 2003-12-25 2005-06-30 Hitachi, Ltd. Communication relay method and relay device
US7131141B1 (en) * 2001-07-27 2006-10-31 At&T Corp. Method and apparatus for securely connecting a plurality of trust-group networks, a protected resource network and an untrusted network
CN101383831A (zh) * 2008-10-15 2009-03-11 华东师范大学 网络流量规范化的流量伪装方法
US20110103394A1 (en) * 2009-11-05 2011-05-05 Telefonaktiebolaget L M Ericsson Network topology concealment using address permutation
CN103746893A (zh) * 2013-12-19 2014-04-23 柳州职业技术学院 一种针对ip数据包的安全型隐蔽通信方法

Also Published As

Publication number Publication date
CN113497788A (zh) 2021-10-12

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21771337; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21771337; Country of ref document: EP; Kind code of ref document: A1)