WO2024001212A1 - Information transmission method and apparatus, and storage medium and electronic apparatus - Google Patents


Info

Publication number
WO2024001212A1
Authority
WO
WIPO (PCT)
Prior art keywords
key chain
target
information
server
encrypted
Prior art date
Application number
PCT/CN2023/076264
Other languages
French (fr)
Chinese (zh)
Inventor
王丹
邢文超
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2024001212A1 (patent/WO2024001212A1/en)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • Embodiments of the present invention relate to the field of communications, and specifically, to an information transmission method and device, a storage medium and an electronic device.
  • BGP: Border Gateway Protocol.
  • PCEP: Path Computation Element Communication Protocol.
  • BGP and PCEP servers are deployed directly on Linux servers.
  • The Linux server itself does not support the keychain function. Therefore, although the router supports the keychain function, the BGP and PCEP servers still cannot use it to achieve secure transmission. In other words, the existing method of information transmission in the Linux system has the technical problem of low security of information transmission.
  • Embodiments of the present invention provide an information transmission method and device, a storage medium and an electronic device, so as to at least solve the problem of low information transmission security in Linux systems in related technologies.
  • an information transmission method includes: obtaining the message information to be encrypted sent by the server; obtaining, through the key chain application module, key chain parameters matching the target communication link, wherein the key chain application module is configured in the communication module of the target Linux system, and the target communication link is the communication link established between the server and the target router; in the key chain application module, encrypting the message information with the key chain parameters to obtain first encrypted information; and transmitting the first encrypted information to the target router through the target communication link.
  • another information transmission method includes: sending key chain parameters determined from a preconfigured key chain parameter set, through a server installed in the target Linux system, to the communication module in the target Linux system; and transmitting the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information obtained after encrypting the message information to the target router through the target communication link, where the first encrypted information is obtained by encrypting the message information using the key chain parameters configured in the key chain application module configured in the communication module, and the key chain parameters match the target communication link.
  • an information transmission device includes: a first acquisition unit configured to acquire the message information to be encrypted sent by the server; a second acquisition unit configured to obtain, through the key chain application module, the key chain parameters matching the target communication link, wherein the key chain application module is configured in the communication module of the target Linux system, and the target communication link is the communication link established between the server and the target router; an encryption unit configured to use the key chain parameters to encrypt the message information in the key chain application module to obtain the first encrypted information; and a transmission unit configured to transmit the first encrypted information to the target router through the target communication link.
  • another information transmission device includes: a sending unit configured to send the key chain parameters determined from a preconfigured key chain parameter set, through a server installed in the target Linux system, to the communication module in the target Linux system; and a transmission unit configured to transmit the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information obtained by encrypting the message information to the target router through the target communication link, wherein the first encrypted information is obtained by the key chain application module configured in the communication module using the key chain parameters to encrypt the message information, and the key chain parameters match the target communication link.
  • a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to execute the steps in any of the above method embodiments when running.
  • an electronic device is also provided, including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to perform the steps in any of the above method embodiments.
  • Figure 1 is a schematic structural diagram of a computer terminal according to an embodiment of the present invention.
  • Figure 2 is a flow chart of an information transmission method according to an embodiment of the present invention.
  • FIG. 3 is an environmental schematic diagram of an information transmission method according to an embodiment of the present invention.
  • Figure 4 is a flow chart of an environment configuration method according to another embodiment of the present invention.
  • FIG. 5 is a sequence diagram of an information transmission method according to an embodiment of the present invention.
  • Figure 6 is a schematic structural diagram of an information transmission device according to an embodiment of the present invention.
  • Figure 7 is a schematic structural diagram of an information transmission device according to another embodiment of the present invention.
  • PCEP is a network transmission protocol.
  • PCEP server: uses the PCEP protocol to communicate with the router and send instructions to it; the router in turn reports network conditions to the PCEP server.
  • SDN: software defined network.
  • SDN controller: a controller used to implement SDN by obtaining network status and dynamically modifying the network.
  • gateway and SDN controller: combined to jointly manage and control the network in order to implement SDN.
  • keychain: a key chain, including a set of keys and encryption algorithms.
  • docker container: a system running on docker container technology.
  • kubernetes: an open source system for automating the deployment, scaling, and management of containerized applications. It combines the containers that make up an application into logical units for easier management and service discovery.
  • kubernetes IP address: the IP address that the kubernetes system presents to the external network.
  • Linux operating system: Linux is a free and open source UNIX-like operating system.
  • TCP/IP module: a module in the Linux operating system specifically used to create and maintain TCP links.
  • socket: the handle or identifier of a TCP connection.
  • FIG. 1 is a hardware structure block diagram of a computer terminal running an information transmission method according to an embodiment of the present invention.
  • the computer terminal may include one or more (only one is shown in Figure 1) processors 102 (the processor 102 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, wherein the above-mentioned computer terminal may also include a transmission device 106 and an input and output device 108 for communication functions.
  • Figure 1 is only illustrative, and it does not limit the structure of the above-mentioned computer terminal.
  • the computer terminal may also include more or fewer components than shown in FIG. 1 , or have a different configuration than shown in FIG. 1 .
  • the memory 104 can be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the information transmission method in the embodiment of the present invention.
  • the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, that is, it implements the above method.
  • Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 104 may further include memory located remotely relative to the processor 102, and these remote memories may be linked to the mobile terminal through a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
  • the transmission device 106 is used to receive or send data via a network.
  • Specific examples of the above-mentioned network may include a wireless network provided by a communication provider of the computer terminal.
  • the transmission device 106 includes a network adapter (Network Interface Controller, NIC for short), which can be linked to other network devices through a base station to communicate with the Internet.
  • the transmission device 106 may be a radio frequency (Radio Frequency, RF for short) module, which is used to communicate with the Internet wirelessly.
  • NIC: Network Interface Controller.
  • FIG. 2 is a flow chart of the information transmission method according to the embodiment of the present invention. As shown in Figure 2, the process includes the following steps:
  • Step S202: Obtain the message information to be encrypted sent by the server;
  • the above server can be one of the BGP or PCEP servers running in the Linux system. It should be noted that in the era of SDN controllers, the controller needs to respond to network status changes, deliver paths to routers, and try its best to ensure that services are not interrupted. Network status changes are mainly provided by the BGP server.
  • the BGP server maintains communication with the router and, according to the information reported by the router, notifies the controller of changes in network status; the path delivery function is mainly provided by the PCEP server.
  • the PCEP server sends the path information calculated by the controller to the router, and the router forwards service packets based on the latest path.
  • the communication module in the Linux system may be used as the execution subject to obtain the message information to be encrypted by the BGP or PCEP server.
  • Step S204: Obtain, through the key chain application module, the key chain parameters matching the target communication link, where the key chain application module is configured in the communication module of the target Linux system, and the target communication link is the communication link established between the server and the target router;
  • Step S206: Use the key chain parameters to encrypt the message information in the key chain application module to obtain the first encrypted information;
  • Step S208: Transmit the first encrypted information to the target router through the target communication link.
  • a kubernetes environment is running in the target Linux system, and a key chain configuration module is configured in the server deployed in the kubernetes environment, where the key chain configuration module is configured to obtain a key chain parameter set, and the server includes a first server for detecting changes in network status and a second server for calculating information transmission paths.
  • the above keychain application module can be a keychain application module configured in the TCP/IP module of the Linux system to save the keychain parameters and the kubernetes virtual IP address bound to a certain TCP link, and to perform special processing on links bound to keychain parameters. For example, when sending a message, it adds an encryption field based on the keychain parameters and the kubernetes IP address, and when receiving a message, it performs authentication based on the keychain parameters and the kubernetes IP address.
  • the encryption algorithm is an encryption algorithm already supported by the Linux operating system.
  • the above-mentioned first server and second server may be configured with a keychain configuration module, whose function is as follows: the user configures the keychain parameters and the kubernetes IP address in the browser, and the keychain configuration module provides the configuration interface and stores the configuration.
  • the keychain configuration module sets the keychain parameters and the IP address of kubernetes to the keychain application module in the TCP/IP module of the Linux operating system.
  • the Linux system processes the packets to be sent through the TCP/IP module and communicates with the router outside the system through the NAT gateway.
  • the Linux system shown in Figure 3 can run a kubernetes environment, and the Linux system running the kubernetes environment is also pre-configured with a PCEP server and a BGP server. Users can further configure the above PCEP server and BGP server through the browser, such as configuring the keychain parameters in the PCEP server and BGP server.
  • the PCEP server and the BGP server need to communicate with the router through the TCP/IP module in the Linux system.
  • the TCP/IP module configured with the keychain application module is used to encrypt the messages sent by the PCEP server and the BGP server using the keychain parameters, and it assembles the encrypted message and sends it to the router.
  • before obtaining the message information sent by the server, the above method also includes: receiving the link identifier of the target communication link sent by the server and the key chain parameters configured in advance for the target router; and binding the key chain parameters to the link identifier.
  • before obtaining the message information sent by the server, the method further includes: configuring the key chain application module in the communication module of the initial Linux system to obtain the target Linux system; installing the kubernetes environment in the target Linux system; and deploying, in the kubernetes environment, a first server for detecting network status changes and a second server for calculating information transmission paths, where both the first server and the second server are configured with a key chain parameter set, and the server includes the first server and the second server.
  • BGP and PCEP servers integrate the keychain configuration module to provide a configuration interface for users to configure all parameters.
  • S408: configure the keychain parameters and kubernetes IP address on the BGP and PCEP servers;
  • the keychain configuration module on the BGP and PCEP servers supports setting default keychain parameters and setting certain keychain parameters.
  • the keychain parameters of a router include the external IP address of the kubernetes environment.
  • the above method can also provide a user interface.
  • the user needs to configure, on the gateway interface or a similar network management tool, the keychain parameters, the kubernetes IP address, whether the router enables the keychain function, and the keychain parameters bound to the router. Users can also set default keychain parameters and select certain routers to bind the default keychain parameters in batches to reduce user operations.
  • the above-mentioned encrypting of the message information using the key chain parameters in the key chain application module to obtain the first encrypted information includes: encrypting the message information based on the key chain parameters to obtain the encrypted field; obtaining the message header and message content of the message information; and packaging the message header, message content and encrypted field into the first encrypted information.
  • the method further includes: obtaining the second encrypted information sent by the target router through the target communication link, wherein the second encrypted information is obtained by the target router using the key chain parameters to encrypt the message information to be transmitted to the server; performing security verification on the second encrypted information based on the key chain parameters; if the verification passes, sending the second encrypted information to the server; and if the verification fails, discarding the second encrypted information.
  • encrypting the message information using the key chain parameters in the key chain application module to obtain the first encrypted information also includes: obtaining the first communication address configured for the target Linux system, where the first communication address is a virtual address corresponding to the kubernetes environment pre-configured in the target Linux system; using the first communication address to replace the second communication address in the message information to obtain the reference message information, where the second communication address is the communication address of the server; encrypting the reference message content in the reference message information based on the key chain parameters to obtain the reference encryption field; and combining the reference message header, reference message content and reference encryption field in the reference message information to form the first encrypted information.
  • the method further includes: obtaining the third encrypted information sent by the target router through the target communication link, wherein the third encrypted information is obtained by the target router using the key chain parameters to encrypt the message information to be transmitted to the server, and the communication address carried in the third encrypted information is the first communication address; performing security verification based on the key chain parameters and the third encrypted information; if the verification passes, replacing the first communication address in the third encrypted information with the second communication address and sending the third encrypted information to the server; and if the verification fails, discarding the third encrypted information.
  • the message information to be encrypted sent by the server is obtained; the key chain parameters matching the target communication link are obtained through the key chain application module, wherein the key chain application module is configured in the target Linux system and the target communication link is the communication link established between the server and the target router; in the key chain application module, the key chain parameters are used to encrypt the message information to obtain the first encrypted information; and the first encrypted information is transmitted to the target router through the target communication link.
  • This embodiment provides another information transmission method, which can be executed by the PCEP server or BGP server in Figure 3. Its implementation includes: sending the key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system through the server installed in the target Linux system; and transmitting the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information obtained after encrypting the message information to the target router through the target communication link, where the first encrypted information is obtained by the key chain application module configured in the communication module using the key chain parameters to encrypt the message information, and the key chain parameters match the target communication link.
  • before sending the key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system, the method further includes: searching the key chain parameter set for key chain parameters that match the target router, where the key chain parameter set stores multiple router identities and multiple preconfigured key chain parameters.
  • the method further includes: sending a link establishment request to the communication module to establish a target communication link between the server and the target router through the communication module; and, when the target communication link is successfully established, obtaining the link ID matched to the target communication link.
  • the method further includes: a kubernetes environment is running in the target Linux system, and a key chain configuration module is configured in the server deployed in the kubernetes environment, wherein the key chain configuration module is configured to obtain the key chain parameter set, and the server includes a first server for detecting changes in network status and a second server for calculating information transmission paths.
  • the method further includes: obtaining the second encrypted information sent by the communication module, wherein the second encrypted information is the encrypted information obtained by the target router using the key chain parameters to encrypt the message information to be transmitted to the server, and the second encrypted information has passed the security verification of the communication module.
  • the above-mentioned transmission of message information to be encrypted to the communication module further includes: sending the first communication address currently configured for the target Linux system to the communication module, so that the communication module sends encrypted messages based on the first communication address.
  • the method further includes: obtaining the third encrypted information sent by the communication module, where the third encrypted information is encrypted information that has passed security verification, and the communication address carried in the third encrypted information is the second communication address, where the second communication address is the communication address of the server.
  • step S502 to step S506 the user configures the default keychain parameters and kubernetes IP address on the BGP or PCEP server, adds the configuration of router A (including keychain parameters), and triggers the BGP or PCEP server to actively establish a link to router A;
  • the BGP or PCEP server attempts to establish a TCP link with router A.
  • the TCP/IP module of the Linux operating system requests router A, through the kubernetes gateway and based on the IP address of router A, to establish a TCP link. After the link is successfully established, the TCP/IP module returns the socket of the link to the BGP or PCEP server;
  • the keychain configuration module in the server finds that router A has bound the keychain parameters, and configures the keychain parameters and kubernetes IP address bound to router A to the keychain application module through the socket.
  • the keychain application module binds the keychain parameters and the kubernetes IP address to the socket;
  • step S5128 the BGP or PCEP server calls the TCP/IP module according to the protocol and sends messages to router A based on the socket.
  • the TCP/IP module uses the socket to send a message to Router A
  • the keychain application module adds an encryption field to the message based on the keychain parameters bound to the socket and the kubernetes IP address.
  • router A when router A receives the message, it will use the encrypted field for security authentication. If the authentication passes, it will reply the message to the BGP or PCEP server. If the authentication does not pass, it will discard the message. Similarly, Router A will also add an encryption field when sending a message to the BGP or PCEP server.
  • when the TCP/IP module of the BGP or PCEP server receives the encrypted message on the socket, the keychain application module performs security authentication on the message based on the keychain parameters and the kubernetes IP address bound to the socket. If the authentication passes, the TCP/IP module hands the message to the BGP or PCEP server for processing. If the authentication does not pass, the message is discarded.
  • the message information to be encrypted sent by the server is obtained; the key chain parameters matching the target communication link are obtained through the key chain application module, wherein the key chain application module is configured in the target Linux system and the target communication link is the communication link established between the server and the target router; in the key chain application module, the key chain parameters are used to encrypt the message information to obtain the first encrypted information; and the first encrypted information is transmitted to the target router through the target communication link.
  • the method according to the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, it can also be implemented by hardware, but in many cases the former is the better implementation.
  • the technical solutions of the embodiments of the present invention can be embodied in the form of software products in essence or in part that contribute to the existing technology.
  • the computer software products are stored in a storage medium (such as ROM/RAM, magnetic disc, optical disk), including several instructions to cause a terminal device (which can be a mobile phone, computer, server, or network device, etc.) to execute the methods described in various embodiments of the present invention.
  • module may be a combination of software and/or hardware that implements a predetermined function.
  • the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
  • Figure 6 is a schematic structural diagram of an information transmission device according to an embodiment of the present invention. As shown in Figure 6, the information transmission device includes a first acquisition unit 602, a second acquisition unit 604, an encryption unit 606 and a transmission unit 608.
  • the first obtaining unit 602 is configured to obtain the message information to be encrypted sent by the server;
  • the second acquisition unit 604 is configured to obtain, through the key chain application module, the key chain parameters matching the target communication link, where the key chain application module is configured in the communication module of the target Linux system, and the target communication link is the communication link established between the server and the target router;
  • the encryption unit 606 is configured to encrypt the message information using the key chain parameters in the key chain application module to obtain the first encrypted information
  • the transmission unit 608 is configured to transmit the first encrypted information to the target router through the target communication link.
  • Figure 7 is a schematic structural diagram of an information transmission device according to another embodiment of the present invention. As shown in Figure 7, the information transmission device includes a sending unit 702 and a transmission unit 704.
  • the sending unit 702 is configured to send the key chain parameters determined from the preconfigured key chain parameter set to the communication module in the target Linux system through the server installed in the target Linux system;
  • the transmission unit 704 is configured to transmit the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information obtained by encrypting the message information to the target router through the target communication link, where the first encrypted information is obtained by the key chain application module configured in the communication module using the key chain parameters to encrypt the message information, and the key chain parameters match the target communication link.
  • each of the above modules can be implemented through software or hardware.
  • it can be implemented in the following ways, but is not limited to them: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.
  • Embodiments of the present invention also provide a computer-readable storage medium that stores a computer program, wherein the computer program is configured to execute the steps in any of the above method embodiments when running.
  • the computer-readable storage medium may include but is not limited to: a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or optical disk, and other media that can store computer programs.
  • An embodiment of the present invention also provides an electronic device, including a memory and a processor.
  • a computer program is stored in the memory, and the processor is configured to run the computer program to perform the steps in any of the above method embodiments.
  • the above-mentioned electronic device may further include a transmission device and an input/output device, both of which are connected to the above-mentioned processor.
  • each module or step of the above-mentioned embodiments of the present invention can be implemented by a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network among multiple computing devices; they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps may be executed in an order different from that described here.
  • the steps shown or described may also be fabricated separately into individual integrated circuit modules, or several of the modules or steps may be fabricated into a single integrated circuit module. The invention is therefore not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the embodiments of the present invention are an information transmission method and apparatus, and a storage medium and an electronic apparatus. The method comprises: acquiring message information to be encrypted, which is sent by means of a server; by means of a key chain application module, acquiring a key chain parameter, which matches a target communication link, wherein the key chain application module is configured in a communication module of a target linux system, and the target communication link is a communication link which is established between the server and a target router; in the key chain application module, encrypting the message information by using the key chain parameter, so as to obtain first encrypted information; and transmitting the first encrypted information to the target router by means of the target communication link.

Description

Information transmission method and apparatus, storage medium and electronic apparatus
Cross-reference to related applications
This application is based on Chinese patent application CN202210753855.6, titled "Information transmission method and apparatus, storage medium and electronic apparatus", filed on June 29, 2022, and claims priority to that application, the entire disclosure of which is incorporated herein by reference.
Technical field
Embodiments of the present invention relate to the field of communications, and in particular to an information transmission method and apparatus, a storage medium and an electronic apparatus.
Background
In the era of software-defined networking (SDN) controllers, the controller must respond to changes in network state and deliver paths to routers while doing its best to keep services uninterrupted. Network state changes are mainly supplied by the Border Gateway Protocol (BGP) server: the BGP server maintains communication with the routers and, based on the information the routers report, notifies the controller of what has changed in the network. Path delivery is mainly provided by the Path Computation Element Communication Protocol (PCEP) server: the PCEP server sends the paths computed by the controller to the routers, and the routers forward service packets according to the latest path. The security of transmission between the BGP and PCEP servers and the routers is therefore critical to service correctness.
In the traditional deployment scenario, the BGP and PCEP servers are deployed directly on a Linux server. The Linux server itself does not support the keychain function, so although the routers support keychains, the BGP and PCEP servers still cannot use the keychain function to secure the transmission. In other words, the existing method of transmitting information in a Linux system has the technical problem that the transmission is insufficiently secure.
No effective solution to the above problem has yet been proposed.
Summary of the invention
Embodiments of the present invention provide an information transmission method and apparatus, a storage medium and an electronic apparatus, so as to at least solve the problem in the related art of insufficiently secure information transmission in a Linux system.
According to one embodiment of the present invention, an information transmission method is provided, comprising: obtaining message information to be encrypted that is sent by a server; obtaining, through a key chain application module, key chain parameters matching a target communication link, where the key chain application module is configured in the communication module of a target Linux system and the target communication link is the communication link established between the server and a target router; encrypting the message information with the key chain parameters in the key chain application module to obtain first encrypted information; and transmitting the first encrypted information to the target router over the target communication link.
According to another embodiment of the present invention, another information transmission method is provided, comprising: sending, through a server installed in a target Linux system, key chain parameters determined from a preconfigured key chain parameter set to the communication module in the target Linux system; and transmitting the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information, obtained by encrypting the message information, to a target router over a target communication link, where the first encrypted information is obtained by the key chain application module configured in the communication module encrypting the message information with the key chain parameters, and the key chain parameters match the target communication link.
According to yet another embodiment of the present invention, an information transmission apparatus is provided, comprising: a first acquisition unit configured to obtain message information to be encrypted that is sent by a server; a second acquisition unit configured to obtain, through a key chain application module, key chain parameters matching a target communication link, where the key chain application module is configured in the communication module of a target Linux system and the target communication link is the communication link established between the server and a target router; an encryption unit configured to encrypt the message information with the key chain parameters in the key chain application module to obtain first encrypted information; and a transmission unit configured to transmit the first encrypted information to the target router over the target communication link.
According to yet another embodiment of the present invention, another information transmission apparatus is provided, comprising: a sending unit configured to send, through a server installed in a target Linux system, key chain parameters determined from a preconfigured key chain parameter set to the communication module in the target Linux system; and a transmission unit configured to transmit the message information to be encrypted to the communication module, so that the communication module sends the first encrypted information, obtained by encrypting the message information, to a target router over a target communication link, where the first encrypted information is obtained by the key chain application module configured in the communication module encrypting the message information with the key chain parameters, and the key chain parameters match the target communication link.
According to yet another embodiment of the present invention, a computer-readable storage medium is also provided, storing a computer program configured to execute, when run, the steps of any of the above method embodiments.
According to yet another embodiment of the present invention, an electronic apparatus is also provided, comprising a memory and a processor, the memory storing a computer program and the processor being configured to run the computer program so as to perform the steps of any of the above method embodiments.
Brief description of the drawings
Figure 1 is a schematic structural diagram of a computer terminal according to an embodiment of the present invention;
Figure 2 is a flow chart of an information transmission method according to an embodiment of the present invention;
Figure 3 is a schematic diagram of the environment of an information transmission method according to an embodiment of the present invention;
Figure 4 is a flow chart of an environment configuration method according to another embodiment of the present invention;
Figure 5 is a sequence diagram of an information transmission method according to an embodiment of the present invention;
Figure 6 is a schematic structural diagram of an information transmission apparatus according to an embodiment of the present invention;
Figure 7 is a schematic structural diagram of an information transmission apparatus according to another embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
It should be noted that the terms "first", "second", and so on in the description, claims and drawings of the present invention are used to distinguish similar objects and not necessarily to describe a particular order or sequence.
First, the terms used in this application are explained:
PCEP server: PCEP is a network transport protocol. The PCEP server uses PCEP to communicate with routers, sending instructions to them, and routers in turn report network conditions to the PCEP server.
SDN: software-defined networking.
SDN controller: the controller that implements SDN by obtaining the network state and dynamically modifying the network.
Management and control system: the gateway and the SDN controller combined, jointly managing and controlling the network to implement SDN.
keychain: a key chain, comprising a set of keys and encryption algorithms.
docker container: a system running on docker container technology.
kubernetes: an open-source system for automating the deployment, scaling and management of containerized applications. It groups the containers that make up an application into logical units for ease of management and service discovery.
kubernetes IP address: the IP address that the kubernetes system presents to the external network.
Linux operating system: Linux is a free and open-source UNIX-like operating system.
TCP/IP module: the module in the Linux operating system responsible for creating and maintaining TCP connections.
socket: the handle or identifier of a TCP connection.
The method embodiments provided in this application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Figure 1 is a block diagram of the hardware structure of a computer terminal running an information transmission method according to an embodiment of the present invention. As shown in Figure 1, the computer terminal may include one or more processors 102 (only one is shown in Figure 1; the processor 102 may include, but is not limited to, a processing device such as a microcontroller (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data; the computer terminal may further include a transmission device 106 for communication and an input/output device 108. Those of ordinary skill in the art will understand that the structure shown in Figure 1 is merely illustrative and does not limit the structure of the computer terminal. For example, the computer terminal may include more or fewer components than shown in Figure 1, or have a configuration different from that shown in Figure 1.
The memory 104 may be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the information transmission method in the embodiments of the present invention. The processor 102 runs the computer program stored in the memory 104 and thereby executes various functional applications and data processing, that is, implements the above method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or send data over a network. A specific example of such a network is a wireless network provided by the communication carrier of the computer terminal. In one example, the transmission device 106 includes a network interface controller (NIC), which can connect to other network devices through a base station and thereby communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
This embodiment provides an information transmission method which may be executed by the communication module in a Linux system. Figure 2 is a flow chart of the information transmission method according to an embodiment of the present invention. As shown in Figure 2, the process includes the following steps:
Step S202: obtain the message information to be encrypted that is sent by the server;
Optionally, the server may be a BGP server or a PCEP server running in the Linux system. It should be noted that in the era of SDN controllers, the controller must respond to network state changes and deliver paths to routers while doing its best to keep services uninterrupted. Network state changes are mainly provided by the BGP server, which maintains communication with the routers and, based on the information they report, notifies the controller of what has changed in the network. Path delivery is mainly provided by the PCEP server, which sends the paths computed by the controller to the routers; the routers forward service packets according to the latest path.
In the above embodiment of this application, the communication module in the Linux system may act as the executing entity that obtains the message information to be encrypted from the BGP or PCEP server.
Step S204: obtain, through the key chain application module, key chain parameters matching the target communication link, where the key chain application module is configured in the communication module of the target Linux system and the target communication link is the communication link established between the server and the target router;
Step S206: encrypt the message information with the key chain parameters in the key chain application module to obtain first encrypted information;
Step S208: transmit the first encrypted information to the target router over the target communication link.
In an exemplary embodiment, a kubernetes environment runs in the target Linux system, and the servers deployed in the kubernetes environment are configured with a key chain configuration module, where the key chain configuration module is configured to obtain the key chain parameter set, and the servers include a first server for detecting network state changes and a second server for computing information transmission paths.
Figure 3 shows the environment of an optional information transmission method in this embodiment. Optionally, the key chain application module may be a keychain application module configured in the TCP/IP module of the Linux system. It stores the keychain parameters and the kubernetes virtual IP address bound to a given TCP connection and applies special handling to connections bound to keychain parameters: when sending a packet it adds an encryption field derived from the keychain parameters and the kubernetes IP address, and when receiving a packet it authenticates the packet using the keychain parameters and the kubernetes IP address. The encryption algorithm is one already supported by the Linux operating system.
As shown in Figure 3, the first server and the second server (the PCEP server and the BGP server in the figure) may be configured with a key chain configuration module, which may be a keychain configuration module. Its function is as follows: the user configures the keychain parameters and the kubernetes IP address in a browser, and the keychain configuration module provides the configuration interface and stores the configuration. When the BGP or PCEP server establishes a connection with a router, the keychain configuration module sets the keychain parameters and the kubernetes IP address into the keychain application module in the TCP/IP module of the Linux operating system.
The environment in which the above method can be executed is further described with reference to Figure 3. As shown in Figure 3, the Linux system processes the packets to be sent through the TCP/IP module and communicates with the routers outside the system through a NAT gateway. In a specific implementation, the Linux system shown in Figure 3 may run a kubernetes environment, and the Linux system running the kubernetes environment is also preconfigured with a PCEP server and a BGP server. The user can further configure the PCEP server and BGP server through a browser, for example by configuring their keychain parameters. The PCEP server and BGP server can only establish communication with the routers through the TCP/IP module in the Linux system; the TCP/IP module configured with the keychain application module encrypts the packets handed down by the PCEP and BGP servers using the keychain parameters, assembles the encrypted packet, and sends it to the router.
In an exemplary embodiment, before obtaining the message information sent by the server, the method further includes receiving the link identifier of the target communication link sent by the server together with the key chain parameters preconfigured for the target router, and binding the key chain parameters to the link identifier.
In an exemplary embodiment, before obtaining the message information sent by the server, the method further includes: configuring the key chain application module in the communication module of an initial Linux system to obtain the target Linux system; installing the kubernetes environment in the target Linux system; and deploying, in the kubernetes environment, a first server for detecting network state changes and a second server for computing information transmission paths, where both the first server and the second server are configured with the key chain parameter set, and the server includes the first server and the second server.
An environment configuration method of this application is described below with reference to Figure 4:
S402: install a Linux operating system that supports the keychain function;
S404: install kubernetes;
S406: install the BGP and PCEP servers;
It will be understood that this step may be performed when the management and control release is installed, or BGP and PCEP may be installed separately. The BGP and PCEP servers integrate the keychain configuration module, which provides a configuration interface through which the user configures all parameters.
S408: configure the keychain parameters and the kubernetes IP address on the BGP and PCEP servers;
It should be noted that since the BGP and PCEP servers connect to one or more routers, and the keychain parameters bound to those routers may or may not be the same, the keychain configuration module on the BGP and PCEP servers supports setting default keychain parameters as well as keychain parameters for an individual router. The kubernetes IP address is the external IP address of the kubernetes environment.
S410: configure the keychain parameters on the routers;
The keychain parameters of one or more routers may be configured on the network management system, or configured on the routers themselves and the network management system then triggered to synchronize the configuration from the routers.
S412: configure the router parameters on the BGP and PCEP servers;
Configure the set of routers to which the BGP and PCEP servers may connect. When configuring a router, whether that router uses the keychain function can be set.
S414: the BGP and PCEP servers and the routers perform encrypted transmission based on the keychain parameters.
It will be understood that before information transmission begins, it is first determined whether the keychain function is used. If it is, and the user also configured keychain parameters bound to the router in S408, those bound keychain parameters are used for the encrypted transmission; if the user did not configure keychain parameters for that router in S408, the default keychain parameters are used. If it is determined before transmission begins that the keychain function is not used, ordinary TCP/IP communication is performed.
Optionally, the above method may also provide a user interface. On the gateway interface or a similar network management tool, the user configures the keychain parameters, the kubernetes IP address, whether each router has the keychain function enabled, and the keychain parameters bound to each router. The user may also set default keychain parameters and select routers in bulk to bind them to the default keychain parameters, reducing user operations.
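The selection rule of S408 through S414 (per-router keychain if one is bound, otherwise the default keychain, plain TCP only when the router has the keychain function disabled) is the part of the design most easily got wrong in practice, because a missing default must not silently downgrade a keychain-enabled router to unauthenticated TCP. The following is an added example, not the patent's or ZTE's code; the class names, field names and the sample router set are assumptions constructed for illustration.

```python
"""Keychain selection in the BGP/PCEP server's keychain configuration module.

Added example, not the patent's or ZTE's code. Implements the S414 rule:
keychain disabled on the router -> plain TCP (None); enabled with a keychain
bound in S408 -> that keychain; enabled with nothing bound -> the default
keychain; enabled with nothing bound and no default -> refuse (fail closed).
All names and the sample configuration below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class KeychainParams:
    name: str
    key_id: int
    key: bytes
    algorithm: str  # the patent only requires an algorithm Linux already supports


@dataclass
class RouterEntry:
    address: str
    keychain_enabled: bool = False
    keychain: Optional[str] = None  # keychain name bound in S408, or None for "use default"


class KeychainConfigModule:
    def __init__(self, keychain_set: dict[str, KeychainParams],
                 default_keychain: Optional[str] = None) -> None:
        if default_keychain is not None and default_keychain not in keychain_set:
            raise ValueError(f"default keychain {default_keychain!r} is not in the set")
        self.keychain_set = dict(keychain_set)
        self.default_keychain = default_keychain
        self.routers: dict[str, RouterEntry] = {}  # the router set of S412

    def add_router(self, address: str, keychain_enabled: bool = False,
                   keychain: Optional[str] = None) -> None:
        if keychain is not None and keychain not in self.keychain_set:
            raise ValueError(f"keychain {keychain!r} is not in the set")
        self.routers[address] = RouterEntry(address, keychain_enabled, keychain)

    def bind_default_in_bulk(self, addresses: Iterable[str]) -> None:
        """The bulk UI operation: enable the keychain function on these routers using the default."""
        for address in addresses:
            entry = self.routers[address]
            entry.keychain_enabled = True
            entry.keychain = None

    def select_keychain(self, address: str) -> Optional[KeychainParams]:
        """Return the keychain to use for this router, or None for ordinary TCP/IP."""
        router = self.routers[address]  # KeyError: router is not in the S412 set, so no connection
        if not router.keychain_enabled:
            return None
        name = router.keychain if router.keychain is not None else self.default_keychain
        if name is None:
            # Keychain enabled but nothing bound and no default: refuse rather than downgrade.
            raise LookupError(f"keychain enabled for {address} but no keychain bound and no default set")
        return self.keychain_set[name]


def sample_module() -> KeychainConfigModule:
    """Constructed configuration covering each branch of the selection rule."""
    keychains = {
        "kc-default": KeychainParams("kc-default", 1, b"constructed-default-key", "hmac-sha256"),
        "kc-core": KeychainParams("kc-core", 5, b"constructed-core-key", "hmac-sha256"),
    }
    module = KeychainConfigModule(keychains, default_keychain="kc-default")
    module.add_router("198.51.100.1", keychain_enabled=True, keychain="kc-core")  # bound in S408
    module.add_router("198.51.100.2", keychain_enabled=True)                      # enabled, default
    module.add_router("198.51.100.3", keychain_enabled=False)                     # plain TCP
    module.add_router("198.51.100.4")
    module.bind_default_in_bulk(["198.51.100.4"])                                 # bulk default binding
    return module


def fails_closed_without_default() -> bool:
    """True if a keychain-enabled router with no binding and no default is refused."""
    module = KeychainConfigModule(sample_module().keychain_set)  # no default keychain
    module.add_router("198.51.100.9", keychain_enabled=True)
    try:
        module.select_keychain("198.51.100.9")
    except LookupError:
        return True
    return False
```

The router whose keychain function is disabled is the only one that legitimately gets `None`; every other path either returns concrete keychain parameters or raises, so a configuration gap surfaces at connection time instead of as an unauthenticated BGP or PCEP session.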
In an exemplary embodiment, encrypting the message information with the key chain parameters in the key chain application module to obtain the first encrypted information includes: encrypting the message information based on the key chain parameters to obtain an encryption field; and obtaining the message header and message content of the message information and packing the message header, the message content and the encryption field into the first encrypted information.
In an exemplary embodiment, after sending the first encrypted information to the target router over the target communication link, the method further includes: obtaining, over the target communication link, second encrypted information sent by the target router, where the second encrypted information is obtained by the target router encrypting, with the key chain parameters, the message information to be transmitted to the server; performing security verification on the second encrypted information based on the key chain parameters; if the verification passes, sending the second encrypted information to the server; and if the verification fails, discarding the second encrypted information.
In an exemplary embodiment, encrypting the message information with the key chain parameters in the key chain application module to obtain the first encrypted information further includes: obtaining a first communication address configured for the target Linux system, where the first communication address is the virtual address corresponding to the kubernetes environment preconfigured in the target Linux system; replacing the second communication address in the message information with the first communication address to obtain reference message information, where the second communication address is the communication address of the server; encrypting the reference message content of the reference message information based on the key chain parameters to obtain a reference encryption field; and composing the reference message header, the reference message content and the reference encryption field of the reference message information into the first encrypted information.
In an exemplary embodiment, after sending the first encrypted information to the target router over the target communication link, the method further includes: obtaining, over the target communication link, third encrypted information sent by the target router, where the third encrypted information is obtained by the target router encrypting, with the key chain parameters, the message information to be transmitted to the server, and the communication address carried in the third encrypted information is the first communication address; performing security verification on the third encrypted information based on the key chain parameters; if the verification passes, replacing the first communication address in the third encrypted information with the second communication address and sending the third encrypted information to the server; and if the verification fails, discarding the third encrypted information.
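The four embodiments above describe one send path and one receive path of the keychain application module: bind keychain parameters and the kubernetes IP to a link, substitute the kubernetes IP for the server's own address before the encryption field is computed (so the field still verifies after the NAT gateway rewrites the packet), pack header, content and field, and on receipt verify the field, restore the server's address, and drop anything that fails. This is the role a TCP-AO (RFC 5925) key chain plays on a router; mainline Linux has offered TCP MD5 signatures (RFC 2385, `TCP_MD5SIG`) for many years and gained TCP-AO in 6.7, which a practitioner should weigh before adding a custom module. The following is an added example, not the patent's or ZTE's code. It assumes the "encryption field" is an HMAC over the addresses as the router sees them plus the content (the patent only says the algorithm is one Linux already supports), uses a JSON envelope to stand in for the TCP segment, and all class names, addresses and messages are constructed.

```python
"""Keychain application module in the TCP/IP layer: add an authentication field
on send, verify and drop on receive, and substitute the kubernetes IP for the
server's own address so the field still verifies after the NAT gateway.

Added example, not the patent's or ZTE's code. Assumptions: the "encryption
field" is an HMAC (the patent only says an algorithm Linux already supports),
a JSON envelope stands in for the TCP segment, and every name, address and
message below is constructed for illustration.
"""
from __future__ import annotations

import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeychainParams:
    key_id: int
    key: bytes
    algorithm: str = "sha256"  # assumption: HMAC digest name


@dataclass(frozen=True)
class LinkBinding:
    params: KeychainParams
    k8s_ip: str     # first communication address: the kubernetes external/virtual IP
    server_ip: str  # second communication address: the BGP/PCEP server itself
    router_ip: str


def auth_field(params: KeychainParams, src: str, dst: str, content: bytes) -> bytes:
    """MAC over the addresses as the router will see them plus the content."""
    covered = f"{src}|{dst}|".encode() + content
    return hmac.new(params.key, covered, params.algorithm).digest()


class KeychainApplicationModule:
    def __init__(self) -> None:
        self._bindings: dict[int, LinkBinding] = {}  # link identifier (socket) -> binding

    def bind(self, link_id: int, binding: LinkBinding) -> None:
        """Bind the keychain parameters and kubernetes IP to a TCP link."""
        self._bindings[link_id] = binding

    def send(self, link_id: int, header: dict, content: bytes) -> bytes:
        """Build the first encrypted information for an outgoing packet."""
        b = self._bindings[link_id]
        ref = dict(header)
        if ref["src"] == b.server_ip:  # replace the second address with the first
            ref["src"] = b.k8s_ip
        tag = auth_field(b.params, ref["src"], ref["dst"], content)
        pkt = {"src": ref["src"], "dst": ref["dst"], "key_id": b.params.key_id,
               "content": content.hex(), "auth": tag.hex()}
        return json.dumps(pkt).encode()

    def receive(self, link_id: int, wire: bytes) -> Optional[tuple[dict, bytes]]:
        """Verify an incoming packet; return (header, content) or None to drop it."""
        b = self._bindings[link_id]
        try:
            pkt = json.loads(wire)
            content = bytes.fromhex(pkt["content"])
            tag = bytes.fromhex(pkt["auth"])
            src, dst, key_id = pkt["src"], pkt["dst"], pkt["key_id"]
        except (ValueError, KeyError, TypeError):
            return None  # malformed: drop
        if key_id != b.params.key_id:
            return None  # not the key bound to this link: drop
        if not hmac.compare_digest(auth_field(b.params, src, dst, content), tag):
            return None  # verification failed: drop
        header = {"src": src, "dst": dst}
        if header["dst"] == b.k8s_ip:  # restore the server's own address
            header["dst"] = b.server_ip
        return header, content


def demo() -> dict:
    """Constructed round trip: server -> router, router -> server, plus two bad packets."""
    params = KeychainParams(key_id=7, key=b"constructed-shared-secret")
    link = LinkBinding(params, k8s_ip="203.0.113.10", server_ip="10.244.1.5",
                       router_ip="198.51.100.1")
    module = KeychainApplicationModule()
    module.bind(4, link)

    out = json.loads(module.send(4, {"src": link.server_ip, "dst": link.router_ip},
                                 b"PCEP:PCInitiate"))

    # Router side, built with the same key and the addresses the router actually sees.
    body = b"PCEP:PCRpt"
    reply = {"src": link.router_ip, "dst": link.k8s_ip, "key_id": 7, "content": body.hex(),
             "auth": auth_field(params, link.router_ip, link.k8s_ip, body).hex()}
    tampered = dict(reply, content=b"PCEP:PCRpX".hex())  # payload changed, field not
    wrong_key = dict(reply, auth=auth_field(KeychainParams(7, b"other-key"),
                                            link.router_ip, link.k8s_ip, body).hex())
    return {
        "sent_src": out["src"],
        "good": module.receive(4, json.dumps(reply).encode()),
        "tampered": module.receive(4, json.dumps(tampered).encode()),
        "wrong_key": module.receive(4, json.dumps(wrong_key).encode()),
    }
```

The address substitution is the part that matters operationally: because the field covers the source address, a packet signed with the pod address would fail verification on the router once the NAT gateway has rewritten it, and the symmetric restore on receipt is what lets the server keep seeing its own address. Verification uses a constant-time comparison and treats a missing field, a mismatched key identifier and a bad tag identically, so a forged packet yields no information about which check it failed.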
在本发明的上述实施例中,获取服务器发送的待加密的报文信息;通过密钥链应用模块获取与目标通信链路匹配的密钥链参数,其中,密钥链应用模块配置于目标linux系统的通信模块中,目标通信链路为服务器和目标路由器之间建立的通信链路;在密钥链应用模块中利用密钥链参数对报文信息进行加密,得到第一加密信息;通过目标通信链路向目标路由器传输第一加密信息。从而解决了在linux系统中信息传输的安全性较低的技术问题。In the above embodiment of the present invention, the message information to be encrypted sent by the server is obtained; the key chain parameters matching the target communication link are obtained through the key chain application module, wherein the key chain application module is configured in the target Linux In the communication module of the system, the target communication link is the communication link established between the server and the target router; in the key chain application module, the key chain parameters are used to encrypt the message information to obtain the first encrypted information; through the target The communication link transmits the first encrypted information to the destination router. This solves the technical problem of low security of information transmission in Linux systems.
在本实施例中提供了另一种信息传输方法,可以通过图3中的PCEP服务器或BGP服务器 执行实现,包括:通过目标linux系统中安装的服务器,将从预先配置的密钥链参数集合中确定出的密钥链参数发送给目标linux系统中的通信模块;向通信模块传输待加密的报文信息,以使通信模块将对报文信息加密后得到的第一加密信息通过目标通信链路发送给目标路由器,其中,第一加密信息是通信模块中配置的密钥链应用模块利用密钥链参数对报文信息进行加密得到的,密钥链参数与目标通信链路匹配。This embodiment provides another information transmission method, which can be through the PCEP server or BGP server in Figure 3 Execution implementation includes: sending the key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system through the server installed in the target Linux system; transmitting the report to be encrypted to the communication module message information, so that the communication module sends the first encrypted information obtained after encrypting the message information to the target router through the target communication link, where the first encrypted information is the key used by the key chain application module configured in the communication module The key chain parameters are obtained by encrypting the message information, and the key chain parameters match the target communication link.
在一个示例性实施例中,上述在将从预先配置的密钥链参数集合中确定出的密钥链参数发送给目标linux系统中的通信模块之前,还包括:在密钥链参数集合中查找与目标路由器匹配的密钥链参数,其中,密钥链参数集合中保存有多个路由器标识以及各自预先配置的多个密钥链参数。In an exemplary embodiment, before sending the key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system, the method further includes: searching in the key chain parameter set. Key chain parameters that match the target router, where the key chain parameter set stores multiple router identities and multiple preconfigured key chain parameters.
在一个示例性实施例中,还包括:向通信模块发送链路建立请求,以通过通信模块建立服务器与目标路由器之间的目标通信链路;在目标通信链路建立成功的情况下,获取与目标通信链路匹配的链路标识。In an exemplary embodiment, the method further includes: sending a link establishment request to the communication module to establish a target communication link between the server and the target router through the communication module; when the target communication link is successfully established, obtaining and The link ID matched by the target communication link.
在一个示例性实施例中,还包括:在目标linux系统内运行有kubernetes环境,且kubernetes环境内部署的服务器中配置有密钥链配置模块,其中,密钥链配置模块设置为获取密钥链参数集合,服务器包括用于检测网络状态变化的第一服务器和用于计算信息传输路径的第二服务器。In an exemplary embodiment, the method further includes: a kubernetes environment is running in the target Linux system, and a key chain configuration module is configured in the server deployed in the kubernetes environment, wherein the key chain configuration module is configured to obtain the key chain The parameter set server includes a first server for detecting changes in network status and a second server for calculating information transmission paths.
在一个示例性实施例中,上述向通信模块发送待加密的报文信息,以通过目标通信链路向目标路由器发送第一加密信息之后,还包括:获取通信模块发送的第二加密信息,其中,第二加密信息为目标路由器利用密钥链参数对将要传输给服务器的报文信息进行加密得到的加密信息,第二加密信息已通过通信模块的安全验证。In an exemplary embodiment, after the above-mentioned sending the message information to be encrypted to the communication module to send the first encrypted information to the target router through the target communication link, the method further includes: obtaining the second encrypted information sent by the communication module, wherein , the second encrypted information is the encrypted information obtained by the target router using the key chain parameters to encrypt the message information to be transmitted to the server, and the second encrypted information has passed the security verification of the communication module.
在一个示例性实施例中,上述向通信模块传输待加密的报文信息,还包括:向通信模块发送当前为目标linux系统配置的第一通信地址,以通过通信模块基于第一通信地址发送加密信息,其中,第一通信地址为预先配置于目标linux系统的kubernetes环境对应的虚拟地址。In an exemplary embodiment, the above-mentioned transmission of message information to be encrypted to the communication module further includes: sending the first communication address currently configured for the target Linux system to the communication module, so that the communication module sends encrypted messages based on the first communication address. Information, wherein the first communication address is a virtual address corresponding to the kubernetes environment pre-configured in the target Linux system.
在一个示例性实施例中,上述向通信模块发送待加密的报文信息之后,还包括:获取通信模块发送的第三加密信息,其中,第三加密信息为通过安全验证的加密信息,第三加密信息中携带的通信地址为第二通信地址,其中,第二通信地址为服务器的通信地址。In an exemplary embodiment, after sending the message information to be encrypted to the communication module, the method further includes: obtaining the third encrypted information sent by the communication module, where the third encrypted information is encrypted information that has passed security verification, and the third The communication address carried in the encrypted information is the second communication address, where the second communication address is the communication address of the server.
To facilitate understanding of the technical solutions provided by the embodiments of the present invention, a detailed description is given below with reference to embodiments in specific scenarios.
The sequence diagram of the information transmission method shown in Figure 5 illustrates how the modules of this application coordinate their work:
In steps S502 to S506, the user configures the default keychain parameters and the kubernetes IP address on the BGP or PCEP server, adds the configuration for router A (including its keychain parameters), and triggers the BGP or PCEP server to actively establish a link to router A;
Then, in steps S508 to S512, the BGP or PCEP server attempts to establish a TCP connection with router A: the TCP/IP module of the Linux operating system, based on router A's IP address, requests a TCP connection to router A through the kubernetes gateway. Once the connection is established, the TCP/IP module returns the connection's socket to the BGP or PCEP server;
In steps S514 and S516, the keychain configuration module in the server finds that router A already has keychain parameters bound to it, and configures router A's keychain parameters and the kubernetes IP address into the keychain application module through the socket; the keychain application module binds the keychain parameters and the kubernetes IP address to the socket;
In step S518, the BGP or PCEP server, following its protocol, calls the TCP/IP module to exchange messages with router A over the socket. When the TCP/IP module sends a message to router A over the socket, the keychain application module adds an encrypted field to the message according to the keychain parameters and the kubernetes IP address bound to the socket.
In steps S520 to S524, when router A receives the message it uses the encrypted field for security authentication: if authentication passes it replies to the BGP or PCEP server, and if it fails it discards the message. Likewise, router A adds an encrypted field when it sends messages to the BGP or PCEP server. When the TCP/IP module of the BGP or PCEP server receives an encrypted message on the socket, the keychain application module authenticates the message according to the keychain parameters and the kubernetes IP address bound to the socket. If authentication passes, the TCP/IP module hands the message to the BGP or PCEP server for processing; if it fails, the message is discarded.
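The two-way flow of steps S502 to S524, together with the address substitution of the exemplary embodiments above (the server address is replaced by the kubernetes virtual address before the field is computed, inbound messages are verified, and the virtual address is mapped back to the server address before delivery), as an added Python illustration that is not code from the patent or from the applicant. The page's own description uses the "encrypted field" for security authentication, so the example computes it as an HMAC-SHA256 over message header and content; that construction, the wire layout, the addresses, the router identifiers and the key material are all assumptions made for the illustration.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed key chain parameter set: router identifier -> key chain parameters.
# Identifiers, key material and the HMAC-SHA256 choice are assumptions for this example.
KEYCHAIN_SET = {
    "routerA": {"key_id": 1, "algo": "sha256", "key": b"routerA-shared-secret"},
    "routerB": {"key_id": 7, "algo": "sha256", "key": b"routerB-shared-secret"},
}
K8S_VIP = "10.96.0.10"      # first communication address: kubernetes virtual address (assumed)
SERVER_ADDR = "10.244.1.5"  # second communication address: the BGP/PCEP server itself (assumed)
ROUTER_A = "192.0.2.1"      # router A's address (assumed)

HDR = struct.Struct("!16s16sH")  # assumed header layout: source, destination, content length
TAG_LEN = 32                     # length of the field: one HMAC-SHA256 digest


def lookup_keychain(router_id: str) -> Optional[dict]:
    """Key chain configuration module: find the parameters bound to a router."""
    return KEYCHAIN_SET.get(router_id)


@dataclass
class Socket:
    """Socket returned by the TCP/IP module once the link is up (steps S508 to S512)."""
    link_id: int
    peer: str
    keychain: Optional[dict] = None
    k8s_vip: Optional[str] = None


def bind_keychain(sock: Socket, keychain: Optional[dict], k8s_vip: str) -> None:
    """Key chain application module binds parameters and kubernetes IP to the socket (S514, S516)."""
    sock.keychain = keychain
    sock.k8s_vip = k8s_vip


def _header(src: str, dst: str, content: bytes) -> bytes:
    return HDR.pack(src.encode(), dst.encode(), len(content))


def _field(keychain: dict, header: bytes, content: bytes) -> bytes:
    # The "encrypted field": a MAC over header and content under the key chain key.
    return hmac.new(keychain["key"], header + content, keychain["algo"]).digest()


def _parse(wire: bytes):
    src, dst, n = HDR.unpack(wire[:HDR.size])
    content, tag = wire[HDR.size:HDR.size + n], wire[HDR.size + n:]
    return src.rstrip(b"\0").decode(), dst.rstrip(b"\0").decode(), content, tag


def protect_outgoing(sock: Socket, content: bytes) -> bytes:
    """Server side of S518: the reference header carries the kubernetes address in
    place of the server address, and the field is computed over that header."""
    if sock.keychain is None or sock.k8s_vip is None:
        raise RuntimeError("no key chain bound to this socket")
    header = _header(sock.k8s_vip, sock.peer, content)
    return header + content + _field(sock.keychain, header, content)


def verify_incoming(sock: Socket, wire: bytes):
    """Server side of S524: verify with the socket's key chain; on success map the
    kubernetes address back to the server address, on failure drop (return None)."""
    src, dst, content, tag = _parse(wire)
    expected = _field(sock.keychain, wire[:HDR.size], content)
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    if dst == sock.k8s_vip:
        dst = SERVER_ADDR
    return src, dst, content


def router_receive(keychain: dict, wire: bytes) -> Optional[bytes]:
    """Router A (S520, S522): authenticate; reply only when the field checks out."""
    src, dst, content, tag = _parse(wire)
    if not hmac.compare_digest(tag, _field(keychain, wire[:HDR.size], content)):
        return None
    reply = b"KEEPALIVE"
    header = _header(dst, src, reply)  # the reply goes to the kubernetes address it saw
    return header + reply + _field(keychain, header, reply)


def run_exchange(router_id: str = "routerA") -> dict:
    """Steps S502 to S524 end to end, plus two messages that must be dropped."""
    sock = Socket(link_id=1, peer=ROUTER_A)
    bind_keychain(sock, lookup_keychain(router_id), K8S_VIP)
    out = protect_outgoing(sock, b"OPEN")
    reply = router_receive(KEYCHAIN_SET["routerA"], out)
    tampered = out[:HDR.size] + b"OPEM" + out[HDR.size + 4:]  # one content byte changed
    return {
        "router_replied": reply is not None,
        "delivered": verify_incoming(sock, reply) if reply else None,
        "tampered_dropped": router_receive(KEYCHAIN_SET["routerA"], tampered) is None,
        "wrong_key_dropped": router_receive(KEYCHAIN_SET["routerB"], out) is None,
    }
```

Calling run_exchange() walks the flow once: router A accepts the server's message because the field verifies, its reply arrives addressed to the kubernetes virtual address and is delivered to the server with the real server address restored, while a message whose content was altered in transit, or one checked against router B's keychain, is dropped before it reaches the BGP or PCEP process. A socket with no keychain bound refuses to send at all, which is the safer default for a module that sits in the TCP/IP path.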
Through the above implementation of this application, message information to be encrypted that is sent by the server is obtained; key chain parameters matching the target communication link are obtained through the key chain application module, where the key chain application module is configured in the communication module of the target Linux system and the target communication link is a communication link established between the server and the target router; the message information is encrypted with the key chain parameters in the key chain application module to obtain first encrypted information; and the first encrypted information is transmitted to the target router over the target communication link. Keychain-based secure transmission on kubernetes is thereby realised, which improves communication security, avoids security problems, and prevents services from being attacked or interrupted, solving the technical problem of low security of information transmission in Linux systems.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to execute the methods described in the embodiments of the present invention.
This embodiment also provides an information transmission apparatus for implementing the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Figure 6 is a schematic structural diagram of an information transmission apparatus according to an embodiment of the present invention. As shown in Figure 6, the information transmission apparatus includes a first obtaining unit 602, a second obtaining unit 604, an encryption unit 606 and a transmission unit 608.
The first obtaining unit 602 is configured to obtain message information to be encrypted that is sent by the server;
The second obtaining unit 604 is configured to obtain, through the key chain application module, key chain parameters matching the target communication link, where the key chain application module is configured in the communication module of the target Linux system and the target communication link is a communication link established between the server and the target router;
The encryption unit 606 is configured to encrypt the message information with the key chain parameters in the key chain application module to obtain first encrypted information;
The transmission unit 608 is configured to transmit the first encrypted information to the target router over the target communication link.
Figure 7 is a schematic structural diagram of an information transmission apparatus according to another embodiment of the present invention. As shown in Figure 7, the information transmission apparatus includes a sending unit 702 and a transmission unit 704.
The sending unit 702 is configured to send, through the server installed in the target Linux system, key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system;
The transmission unit 704 is configured to transmit message information to be encrypted to the communication module, so that the communication module sends first encrypted information, obtained by encrypting the message information, to the target router over the target communication link, where the first encrypted information is obtained by the key chain application module configured in the communication module encrypting the message information with the key chain parameters, and the key chain parameters match the target communication link.
It should be noted that the above modules may be implemented in software or in hardware; for the latter, this may be done in the following ways, without limitation: all of the above modules are located in the same processor, or the above modules are located in different processors in any combination.
Embodiments of the present invention also provide a computer-readable storage medium storing a computer program, where the computer program is configured to execute the steps of any of the above method embodiments when run.
In an exemplary embodiment, the computer-readable storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing a computer program.
Embodiments of the present invention also provide an electronic apparatus including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to execute the steps of any of the above method embodiments.
In an exemplary embodiment, the electronic apparatus may further include a transmission device and an input/output device, both of which are connected to the processor.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and exemplary implementations; they are not repeated here.
Obviously, those skilled in the art will understand that the modules or steps of the above embodiments of the present invention may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices; they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be executed in an order different from that given here; and they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, various modifications and variations of the present invention are possible. Any modification, equivalent replacement, improvement, etc. made within the principles of the present invention shall be included within its scope of protection.

Claims (18)

  1. 一种信息传输方法,包括:An information transmission method including:
    获取服务器发送的待加密的报文信息;Obtain the message information to be encrypted sent by the server;
    通过密钥链应用模块获取与目标通信链路匹配的密钥链参数,其中,所述密钥链应用模块配置于目标linux系统的通信模块中,所述目标通信链路为所述服务器和目标路由器之间建立的通信链路;The key chain parameters matching the target communication link are obtained through the key chain application module, wherein the key chain application module is configured in the communication module of the target Linux system, and the target communication link is the server and the target Communication links established between routers;
    在所述密钥链应用模块中利用所述密钥链参数对所述报文信息进行加密,得到第一加密信息;Use the key chain parameters to encrypt the message information in the key chain application module to obtain first encrypted information;
    通过所述目标通信链路向所述目标路由器传输所述第一加密信息。The first encrypted information is transmitted to the target router over the target communication link.
  2. 根据权利要求1所述的方法,其中,所述获取服务器发送的报文信息之前,还包括:The method according to claim 1, wherein before obtaining the message information sent by the server, it further includes:
    接收所述服务器发送的所述目标通信链路的链路标识,及预先为所述目标路由配置的所述密钥链参数;Receive the link identifier of the target communication link sent by the server and the key chain parameters configured in advance for the target route;
    将所述密钥链参数和所述链路标识进行绑定。Bind the key chain parameter and the link identifier.
  3. 根据权利要求2所述的方法,其中,在所述目标linux系统中运行有kubernetes环境,且所述kubernetes环境内部署的服务器中配置有密钥链配置模块,其中,所述密钥链配置模块设置为获取所述密钥链参数集合,所述服务器包括用于检测网络状态变化的第一服务器和用于计算信息传输路径的第二服务器。The method according to claim 2, wherein a kubernetes environment is running in the target Linux system, and a key chain configuration module is configured in a server deployed in the kubernetes environment, wherein the key chain configuration module Set to obtain the key chain parameter set, the server includes a first server for detecting changes in network status and a second server for calculating an information transmission path.
  4. 根据权利要求1所述的方法,其中,所述在所述密钥链应用模块中利用所述密钥链参数对所述报文信息进行加密,得到第一加密信息,包括:The method according to claim 1, wherein said using the key chain parameters in the key chain application module to encrypt the message information to obtain the first encrypted information includes:
    基于所述密钥链参数对所述报文信息进行加密,得到加密字段;Encrypt the message information based on the key chain parameters to obtain encrypted fields;
    获取所述报文信息的报文头和报文内容,将所述报文头、所述报文内容和所述加密字段打包成所述第一加密信息。Obtain the message header and message content of the message information, and package the message header, the message content and the encrypted field into the first encrypted information.
  5. 根据权利要求1所述的方法,其中,所述通过所述目标通信链路向所述目标路由器发送第一加密信息之后,还包括:The method according to claim 1, wherein after sending the first encrypted information to the target router through the target communication link, it further includes:
    通过所述目标通信链路获取所述目标路由器发送的第二加密信息,其中,所述第二加密信息为所述目标路由器利用所述密钥链参数对将要传输给所述服务器的报文信息进行加密得到的加密信息;Obtain the second encrypted information sent by the target router through the target communication link, where the second encrypted information is the message information to be transmitted to the server by the target router using the key chain parameters. Encrypted information obtained by encryption;
    基于所述密钥链参数对所述第二加密信息进行安全验证;Perform security verification on the second encrypted information based on the key chain parameters;
    在验证通过的情况下,将所述第二加密信息发送至所述服务器;If the verification passes, send the second encrypted information to the server;
    在验证失败的情况下,丢弃所述第二加密信息。In the event of verification failure, the second encrypted information is discarded.
  6. 根据权利要求1所述的方法,所述在所述密钥链应用模块中利用所述密钥链参数对所述报文信息进行加密,得到第一加密信息,还包括: The method according to claim 1, using the key chain parameters to encrypt the message information in the key chain application module to obtain the first encrypted information, further comprising:
    获取为所述目标linux系统配置的第一通信地址,其中,所述第一通信地址为预先配置于所述目标linux系统的kubernetes环境对应的虚拟地址;Obtain the first communication address configured for the target Linux system, wherein the first communication address is a virtual address corresponding to the kubernetes environment pre-configured in the target Linux system;
    利用所述第一通信地址替换所述报文信息中的第二通信地址,得到参考报文信息,其中,所述第二通信地址为所述服务器的通信地址;Use the first communication address to replace the second communication address in the message information to obtain reference message information, where the second communication address is the communication address of the server;
    基于所述密钥链参数对所述参考报文信息中的参考报文内容进行加密,得到参考加密字段;Encrypt the reference message content in the reference message information based on the key chain parameters to obtain a reference encryption field;
    将所述参考报文信息中的参考报文头、所述参考报文内容和所述参考加密字段组成所述第一加密信息。The first encrypted information is composed of the reference message header, the reference message content and the reference encryption field in the reference message information.
  7. 根据权利要求6所述的方法,所述通过所述目标通信链路向所述目标路由器发送第一加密信息之后,还包括:The method according to claim 6, after sending the first encrypted information to the target router through the target communication link, further comprising:
    通过所述目标通信链路获取所述目标路由器发送的第三加密信息,其中,所述第三加密信息为所述目标路由器利用所述密钥链参数对将要传输给所述服务器的报文信息进行加密得到的加密信息,所述第三加密信息中携带的通信地址为所述第一通信地址;Obtain the third encrypted information sent by the target router through the target communication link, where the third encrypted information is the message information to be transmitted to the server by the target router using the key chain parameters. The encrypted information obtained by encrypting, the communication address carried in the third encrypted information is the first communication address;
    基于所述密钥链参数和对所述三加密信息进行安全验证;Perform security verification based on the key chain parameters and the three encrypted information;
    在验证通过的情况下,将所述第三加密信息中的所述第一通信地址替换为所述第二通信地址,并将所述第三加密信息发送至所述服务器;If the verification passes, replace the first communication address in the third encrypted information with the second communication address, and send the third encrypted information to the server;
    在验证失败的情况下,丢弃所述第三加密信息。In the event of verification failure, the third encrypted information is discarded.
  8. 一种信息传输方法,包括:An information transmission method including:
    通过目标linux系统中安装的服务器,将从预先配置的密钥链参数集合中确定出的密钥链参数发送给所述目标linux系统中的通信模块;Through the server installed in the target Linux system, the key chain parameters determined from the preconfigured key chain parameter set are sent to the communication module in the target Linux system;
    向所述通信模块传输待加密的报文信息,以使所述通信模块将对所述报文信息加密后得到的第一加密信息通过目标通信链路发送给目标路由器,其中,所述第一加密信息是所述通信模块中配置的密钥链应用模块利用所述密钥链参数对所述报文信息进行加密得到的,所述密钥链参数与所述目标通信链路匹配。Transmit the message information to be encrypted to the communication module, so that the communication module will send the first encrypted information obtained after encrypting the message information to the target router through the target communication link, wherein the first The encrypted information is obtained by using the key chain parameters to encrypt the message information by the key chain application module configured in the communication module, and the key chain parameters match the target communication link.
  9. 根据权利要求8所述的方法,其中,在所述将从预先配置的密钥链参数集合中确定出的密钥链参数发送给所述目标linux系统中的通信模块之前,还包括:The method according to claim 8, wherein before sending the key chain parameters determined from the pre-configured key chain parameter set to the communication module in the target Linux system, it further includes:
    在所述密钥链参数集合中查找与所述目标路由器匹配的所述密钥链参数,其中,所述密钥链参数集合中保存有多个路由器标识以及各自预先配置的多个密钥链参数。Search the key chain parameter set for the key chain parameter that matches the target router, wherein the key chain parameter set stores multiple router identifiers and multiple preconfigured key chains. parameter.
  10. 根据权利要求9所述的方法,其中,还包括:The method of claim 9, further comprising:
    向所述通信模块发送链路建立请求,以通过所述通信模块建立所述服务器与所述目标路由器之间的所述目标通信链路;Send a link establishment request to the communication module to establish the target communication link between the server and the target router through the communication module;
    在所述目标通信链路建立成功的情况下,获取与所述目标通信链路匹配的链路标识。If the target communication link is successfully established, a link identifier matching the target communication link is obtained.
  11. 根据权利要求9所述的方法,其中,在所述目标linux系统内运行有kubernetes环 境,且所述kubernetes环境内部署的服务器中配置有密钥链配置模块,其中,所述密钥链配置模块设置为获取所述密钥链参数集合,所述服务器包括用于检测网络状态变化的第一服务器和用于计算信息传输路径的第二服务器。The method according to claim 9, wherein a kubernetes environment is running in the target linux system. environment, and the server deployed in the kubernetes environment is configured with a key chain configuration module, wherein the key chain configuration module is configured to obtain the key chain parameter set, and the server includes a key chain configuration module for detecting network status changes a first server and a second server for calculating the information transmission path.
  12. 根据权利要求8所述的方法,其中,所述向所述通信模块发送待加密的报文信息,以通过目标通信链路向目标路由器发送第一加密信息之后,还包括:The method according to claim 8, wherein after sending the message information to be encrypted to the communication module to send the first encrypted information to the target router through the target communication link, it further includes:
    获取所述通信模块发送的第二加密信息,其中,所述第二加密信息为所述目标路由器利用所述密钥链参数对将要传输给所述服务器的报文信息进行加密得到的加密信息,所述第二加密信息已通过所述通信模块的安全验证。Obtain the second encrypted information sent by the communication module, wherein the second encrypted information is the encrypted information obtained by the target router using the key chain parameters to encrypt the message information to be transmitted to the server, The second encrypted information has passed the security verification of the communication module.
  13. 根据权利要求8所述的方法,其中,所述向所述通信模块传输待加密的报文信息,还包括:The method according to claim 8, wherein said transmitting the message information to be encrypted to the communication module further includes:
    向所述通信模块发送当前为所述目标linux系统配置的第一通信地址,以通过所述通信模块基于所述第一通信地址发送所述加密信息,其中,所述第一通信地址为预先配置于所述目标linux系统的kubernetes环境对应的虚拟地址。Send the first communication address currently configured for the target Linux system to the communication module to send the encrypted information based on the first communication address through the communication module, wherein the first communication address is preconfigured The virtual address corresponding to the kubernetes environment of the target Linux system.
  14. 根据权利要求13所述的方法,其中,所述向所述通信模块发送待加密的报文信息之后,还包括:The method according to claim 13, wherein after sending the message information to be encrypted to the communication module, it further includes:
    获取所述通信模块发送的第三加密信息,其中,所述第三加密信息为通过安全验证的加密信息,所述第三加密信息中携带的通信地址为第二通信地址,其中,所述第二通信地址为所述服务器的通信地址。Obtain the third encrypted information sent by the communication module, wherein the third encrypted information is encrypted information that has passed security verification, and the communication address carried in the third encrypted information is a second communication address, wherein the third encrypted information is the second communication address. The second communication address is the communication address of the server.
  15. 一种信息传输装置,包括:An information transmission device including:
    第一获取单元,设置为获取服务器发送的待加密的报文信息;The first acquisition unit is configured to acquire the message information to be encrypted sent by the server;
    第二获取单元,设置为通过密钥链应用模块获取与目标通信链路匹配的密钥链参数,其中,所述密钥链应用模块配置于目标linux系统的通信模块中,所述目标通信链路为所述服务器和目标路由器之间建立的通信链路;The second acquisition unit is configured to acquire the key chain parameters matching the target communication link through the key chain application module, wherein the key chain application module is configured in the communication module of the target Linux system, and the target communication link The path is the communication link established between the server and the target router;
    加密单元,设置为在所述密钥链应用模块中利用所述密钥链参数对所述报文信息进行加密,得到第一加密信息;An encryption unit configured to encrypt the message information using the key chain parameters in the key chain application module to obtain the first encrypted information;
    传输单元,设置为通过所述目标通信链路向所述目标路由器传输所述第一加密信息。A transmission unit configured to transmit the first encrypted information to the target router through the target communication link.
  16. 一种信息传输装置,包括:An information transmission device including:
    发送单元,设置为通过目标linux系统中安装的服务器,将从预先配置的密钥链参数集合中确定出的密钥链参数发送给所述目标linux系统中的通信模块;The sending unit is configured to send the key chain parameters determined from the preconfigured key chain parameter set to the communication module in the target Linux system through the server installed in the target Linux system;
    传输单元,设置为向所述通信模块传输待加密的报文信息,以使所述通信模块将对所述报文信息加密后得到的第一加密信息通过目标通信链路发送给目标路由器,其中,所述第一加密信息是所述通信模块中配置的密钥链应用模块利用所述密钥链参数对所述报文信息进行加密得到的,所述密钥链参数与所述目标通信链路匹配。The transmission unit is configured to transmit the message information to be encrypted to the communication module, so that the communication module will send the first encrypted information obtained after encrypting the message information to the target router through the target communication link, wherein , the first encrypted information is obtained by using the key chain parameters to encrypt the message information by the key chain application module configured in the communication module. The key chain parameters are consistent with the target communication chain. Road matching.
  17. A computer-readable storage medium, storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7 or 8 to 14.
  18. An electronic apparatus, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7 or 8 to 14.
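As an added example (not the patent's or ZTE's code), the following Python models the flow of claims 15 and 16: the server side selects, from a preconfigured key chain parameter set, the parameters that match a target communication link; the communication module encrypts the message with them; the router side looks the key up and checks the result. Everything beyond the claim text is an assumption: the link identifier and key material are constructed; a key chain entry is modelled with a key id and separate send and accept lifetimes, as key chains for routing protocols conventionally are; and because the Python standard library has no block cipher, "encryption" here is an encrypt-then-MAC construction over HMAC-SHA-256 standing in for the AEAD (for example AES-GCM) a deployment would use.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KeyChainKey:
    """One key of a key chain; lifetimes are epoch seconds, half-open [start, end)."""
    key_id: int
    secret: bytes
    send_start: int
    send_end: int
    accept_start: int
    accept_end: int

    def can_send(self, now: int) -> bool:
        return self.send_start <= now < self.send_end

    def can_accept(self, now: int) -> bool:
        return self.accept_start <= now < self.accept_end


# Preconfigured key chain parameter set held by the server, indexed by target link.
# Link name and key material are constructed for this example (assumption).
KEY_CHAIN_SET: Dict[str, List[KeyChainKey]] = {
    "eth0->router-a": [
        # Old key: sending stops at t=1000, but it stays acceptable for 60 s so that
        # messages already in flight survive the rollover.
        KeyChainKey(1, b"example-old-key-not-for-production", 0, 1000, 0, 1060),
        KeyChainKey(2, b"example-new-key-not-for-production", 1000, 2000, 1000, 2060),
    ],
}

KEY_ID_LEN, NONCE_LEN, TAG_LEN = 4, 12, 32


def select_send_key(link: str, now: int) -> KeyChainKey:
    """Server side: the key chain parameters matching the target link that are valid
    for sending now. KeyError for an unknown link, LookupError if no key is sendable."""
    for key in KEY_CHAIN_SET[link]:
        if key.can_send(now):
            return key
    raise LookupError(f"no sendable key for {link} at t={now}")


def _subkey(key: KeyChainKey, label: bytes) -> bytes:
    # Distinct encryption and MAC keys derived from the chain key and key id.
    return hmac.new(key.secret, label + struct.pack(">I", key.key_id), hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode, block i = HMAC-SHA-256(k_enc, nonce || i); stands in for AES.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_message(link: str, plaintext: bytes, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Communication module side: encrypt-then-MAC the message with the selected key.
    Wire format: key_id(4) || nonce(12) || ciphertext || tag(32)."""
    key = select_send_key(link, now)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes")
    header = struct.pack(">I", key.key_id) + nonce
    ciphertext = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_message(link: str, wire: bytes, now: int) -> bytes:
    """Router side: find the key by id in the chain for this link, enforce its accept
    lifetime, verify the tag in constant time, then decrypt. ValueError on any failure."""
    if len(wire) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    header, body, tag = wire[:KEY_ID_LEN + NONCE_LEN], wire[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    (key_id,) = struct.unpack(">I", header[:KEY_ID_LEN])
    nonce = header[KEY_ID_LEN:]
    keys = [k for k in KEY_CHAIN_SET.get(link, []) if k.key_id == key_id]
    if not keys:
        raise ValueError(f"unknown key id {key_id} on {link}")
    key = keys[0]
    if not key.can_accept(now):
        raise ValueError(f"key id {key_id} outside its accept lifetime at t={now}")
    expected = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _xor(body, _keystream(_subkey(key, b"enc"), nonce, len(body)))


def accepts(link: str, wire: bytes, now: int) -> bool:
    # True if the router would accept and decrypt `wire` at time `now`.
    try:
        decrypt_message(link, wire, now)
        return True
    except ValueError:
        return False
```

The accept lifetime being longer than the send lifetime is the check a practitioner wants from a key chain: during a rollover the router keeps accepting the old key for a grace period, and once that lapses a message under the old key id is rejected even though its tag is valid. The key id travels in the clear so the receiver can find the key without trial decryption; the chain itself never leaves the server and the communication module.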

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210753855.6 2022-06-29
CN202210753855.6A CN117375859A (en) 2022-06-29 2022-06-29 Information transmission method and device, storage medium and electronic device

Publications (1)

Publication Number Publication Date
WO2024001212A1 true WO2024001212A1 (en) 2024-01-04

Family

ID=89383950

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/076264 WO2024001212A1 (en) 2022-06-29 2023-02-15 Information transmission method and apparatus, and storage medium and electronic apparatus

Country Status (2)

Country Link
CN (1) CN117375859A (en)
WO (1) WO2024001212A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1965280A (en) * 2004-06-10 2007-05-16 Symbian Software Ltd Computing device with a process-based keystore and method for operating a computing device
WO2018090508A1 (en) * 2016-11-15 2018-05-24 Ping An Technology (Shenzhen) Co., Ltd. Keychain-based data management method, terminal and device, and computer readable storage medium
US10356087B1 (en) * 2016-08-26 2019-07-16 Intelligent Waves Llc System, method and computer program product for credential provisioning in a mobile device platform
WO2021262753A1 (en) * 2020-06-26 2021-12-30 Urugus S.A. Anonymous, authenticated and private satellite tasking system

Also Published As

Publication number Publication date
CN117375859A (en) 2024-01-09

Similar Documents

Publication Publication Date Title
US20200007507A1 (en) Internet Protocol Security Tunnel Maintenance Method, Apparatus, and System
EP2850776B1 (en) Tls abbreviated session identifier protocol
US8817815B2 (en) Traffic optimization over network link
CN101138218A (en) Security protocols on incompatible transports
KR101938623B1 (en) Openflow communication method, system, controller, and service gateway
CN106878199B (en) Configuration method and device of access information
CN110011892B (en) Communication method of virtual private network and related device
US10021030B2 (en) Method and system for forwarding information in distributed network
KR101386809B1 (en) Communication Terminal creating Multiple MTU and Data Transferring Method Using The Same
CN111786867B (en) Data transmission method and server
CN103179100A (en) Method and device for preventing the attack on a domain name system tunnel
CN112671763A (en) Data synchronization method and device under networking environment and computer equipment
EP3152873B1 (en) Communication apparatus, communication method, and communication system
CN108924157B (en) Message forwarding method and device based on IPSec VPN
JP2006185194A (en) Server device, communication control method, and program
CN100365990C (en) Automatic setting of security in communication network system
WO2024001212A1 (en) Information transmission method and apparatus, and storage medium and electronic apparatus
WO2015157947A1 (en) Software defined network based networking method and device
CN115225414B (en) Encryption strategy matching method and device based on IPSEC (Internet protocol Security) and communication system
WO2023071522A1 (en) Connection establishment method and device, storage medium and electronic device
CN107135226B (en) Transport layer proxy communication method based on socks5
US20230319111A1 (en) Ipsec load balancing in a session-aware load balanced cluster (slbc) network device
CN113824789A (en) Configuration method, device, equipment and storage medium of path descriptor
CN108259292B (en) Method and device for establishing tunnel
CN114374582B (en) Communication method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23829405

Country of ref document: EP

Kind code of ref document: A1