
CN118041611A - Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper - Google Patents


Info

Publication number: CN118041611A
Authority: CN (China)
Prior art keywords: security, data, server, client, public
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202410143048.1A
Other languages: Chinese (zh)
Inventors: 刘庆林, 刘其谦, 吕宗辉, 陈健, 李小琼, 魏海宇, 杨帆, 谢辉, 杨晓峰, 刘海洋, 宋亚洲
Current assignee: Beijing Zorelworld Information Technology Co ltd (as listed; not verified by legal analysis)
Original assignee: Beijing Zorelworld Information Technology Co ltd
Application filed by Beijing Zorelworld Information Technology Co ltd; priority to CN202410143048.1A; published as CN118041611A (pending)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 for separating internal from external traffic, e.g. firewalls
        • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/08 for authentication of entities
            • H04L63/0823 using certificates
            • H04L63/083 using passwords
            • H04L63/0869 for achieving mutual authentication
        • H04L63/14 for detecting or protecting against malicious traffic
            • H04L63/1408 by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/104 Peer-to-peer [P2P] networks
                    • H04L67/1074 Peer-to-peer [P2P] networks for supporting data block transmission mechanisms
                        • H04L67/1078 Resource delivery mechanisms
                            • H04L67/108 Resource delivery mechanisms characterised by resources being split in blocks or fragments

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for realizing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper. It belongs to the technical field of network security and addresses the high deployment cost and difficult maintenance of the prior art. The method comprises the following steps: S1, adopting a bidirectional (mutual) authentication mechanism so that bidirectional communication is established only after security verification; S2, the internal and external networks each generate their own public/private key pair and exchange public keys; S3, the sender encrypts the file with the receiver's public key and signs the encrypted file with the sender's private key; S4, the receiver verifies the signature of the received file with the sender's public key and decrypts it with the receiver's private key; S5, protecting the transmitted data with encryption to ensure its security. The invention improves the interaction and sharing capacity of data while ensuring the security of the data.

Description

Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper
Technical Field
The invention belongs to the technical field of network security and relates to a method for realizing network countermeasure data resource transmission, in particular one based on a unidirectional security isolation gatekeeper.
Background
The Rui sword attack decision-making auxiliary system integrates the business scenes of targets, such as social space, network space and geographic space, with data models, and through system integration forms an attack decision-making auxiliary system with integrated data models, integrated capabilities and collaborative operations. It mainly addresses decision assistance, tactical support and similar needs in the business work of security personnel and first-line teams: during the one-off or continuous advance of a business target, data and tactics are decomposed, organized, coordinated, learned, recommended and deduced according to an attack system model, providing holographic data support, model support and a decision basis for first-line teams and decision-making bodies.
At present, traditional unidirectional security isolation gatekeepers have several drawbacks. Low transmission efficiency: because a physical separation must be maintained between the two networks, data can only travel in one direction and transmission is slow. Network unavailability: once the gatekeeper fails, the two networks cannot communicate at all and normal operation of the service is affected. Security risk: although the gatekeeper guarantees one-way data flow, an attacker who successfully compromises the receiving-end network may still obtain information about the source-end network through a reverse infiltration attack. High deployment cost: the gatekeeper requires dedicated hardware and software support. Difficult maintenance: the gatekeeper needs regular maintenance and upgrades and places high demands on technicians.
Disclosure of Invention
The invention aims at solving the problems in the prior art and provides a method for realizing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper, which addresses the technical problem of how to overcome the limitations and security problems in data interaction and sharing.
The aim of the invention can be achieved by the following technical scheme:
A method for realizing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper comprises the following steps:
S1, adopting a bidirectional (mutual) authentication mechanism so that bidirectional communication is established only after security verification;
S2, the internal and external networks each generate their own public/private key pair and exchange public keys;
S3, the sender encrypts the file with the receiver's public key and signs the encrypted file with the sender's private key;
S4, the receiver verifies the signature of the received file with the sender's public key and decrypts it with the receiver's private key;
S5, protecting the transmitted data with encryption to ensure its security;
S6, dividing the data into several parts and transmitting them through several unidirectional security isolation gatekeepers, thereby realizing bidirectional communication;
S7, examining, approving and controlling the sensitive data and resources to be transmitted.
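Step S6 carries a resource as fragments across several one-way gates. The following Go program is an added example, not code from the patent or from its assignee, showing the receiver-side discipline that makes that workable: every fragment carries its index, total and SHA-256 digest, a manifest pins the whole resource, fragments are spread round-robin over the gates and reassembled in any order, and anything missing, corrupted or inconsistent fails closed. The chunk format, the round-robin scheduler, the sample payload and all names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Chunk is one fragment of a resource as handed to one unidirectional gatekeeper;
// it carries enough metadata to be checked alone and reassembled in any order.
type Chunk struct {
	ResourceID string
	Index      int
	Total      int
	Digest     string // hex SHA-256 of Payload
	Payload    []byte
}

// Manifest travels with the chunks so the receiver knows what it must collect.
type Manifest struct {
	ResourceID string
	Total      int
	Digest     string // hex SHA-256 of the complete resource
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Split divides data into chunks of at most size bytes (S6, sender side).
func Split(resourceID string, data []byte, size int) (Manifest, []Chunk) {
	total := (len(data) + size - 1) / size
	chunks := make([]Chunk, 0, total)
	for i := 0; i < total; i++ {
		lo, hi := i*size, (i+1)*size
		if hi > len(data) {
			hi = len(data)
		}
		p := append([]byte(nil), data[lo:hi]...)
		chunks = append(chunks, Chunk{ResourceID: resourceID, Index: i, Total: total, Digest: digest(p), Payload: p})
	}
	return Manifest{ResourceID: resourceID, Total: total, Digest: digest(data)}, chunks
}

// Distribute spreads chunks round-robin over n gatekeepers (assumed: a static scheduler).
func Distribute(chunks []Chunk, n int) [][]Chunk {
	lanes := make([][]Chunk, n)
	for i, c := range chunks {
		lanes[i%n] = append(lanes[i%n], c)
	}
	return lanes
}

// Reassemble takes chunks in any order and fails closed on anything foreign, out of
// range, corrupted, inconsistently duplicated or missing. A diode has no back-channel
// for retransmission requests, so detection here is all the receiver can do alone.
func Reassemble(m Manifest, received []Chunk) ([]byte, error) {
	seen := make(map[int]Chunk, m.Total)
	for _, c := range received {
		switch {
		case c.ResourceID != m.ResourceID || c.Total != m.Total:
			return nil, fmt.Errorf("chunk %d does not belong to %s", c.Index, m.ResourceID)
		case c.Index < 0 || c.Index >= m.Total:
			return nil, fmt.Errorf("chunk index %d out of range", c.Index)
		case digest(c.Payload) != c.Digest:
			return nil, fmt.Errorf("chunk %d failed its integrity check", c.Index)
		}
		if prev, dup := seen[c.Index]; dup && !bytes.Equal(prev.Payload, c.Payload) {
			return nil, fmt.Errorf("chunk %d received twice with different contents", c.Index)
		}
		seen[c.Index] = c
	}
	var out bytes.Buffer
	for i := 0; i < m.Total; i++ {
		c, ok := seen[i]
		if !ok {
			return nil, fmt.Errorf("chunk %d of %d never arrived", i, m.Total)
		}
		out.Write(c.Payload)
	}
	if digest(out.Bytes()) != m.Digest {
		return nil, errors.New("reassembled resource does not match manifest digest")
	}
	return out.Bytes(), nil
}

func main() {
	data := []byte("constructed sample resource: target model export, 2024-01") // constructed, not patent data
	m, chunks := Split("res-0001", data, 10)
	var arrived []Chunk
	for _, lane := range Distribute(chunks, 3) { // receiver sees lanes interleaved, not in index order
		arrived = append(arrived, lane...)
	}
	got, err := Reassemble(m, arrived)
	fmt.Printf("%q %v\n", got, err)
}
```

The per-chunk digest catches corruption on a single gate, the manifest digest catches a chunk substituted for another with a matching index, and the manifest itself is what step S3 would sign, so the receiver has an integrity anchor that does not depend on any one gatekeeper.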
The bidirectional authentication mechanism is a security mechanism that establishes a trust relationship between the two communicating parties. During communication the two entities must authenticate each other: when the client sends a request to the server, or the server receives a request from the client, the server authenticates the client; when the server sends a request to the client, or the client receives a request from the server, the client authenticates the server.
A mutual authentication mechanism is a security verification procedure that confirms the identities of two communicating entities. It can be built from public/private key encryption, digital certificates and related techniques. Bidirectional communication is established through security verification as follows:
Generating a public/private key pair:
Each entity in the intranet generates its own public/private key pair.
Each entity in the extranet also generates its own public/private key pair.
Distributing public keys:
The public key may be distributed securely to other entities, typically in a digital certificate. The digital certificate is issued by a trusted third party (a certificate authority, CA) and contains the public key together with other authentication information.
When one entity wants to communicate with another, it first verifies the other party's digital certificate: that it was issued by a trusted issuer and that it is within its validity period.
Identity authentication:
Once both parties have verified each other's certificates, each can encrypt to the other's public key.
For example, when an entity in the intranet wants to communicate with an entity in the extranet, it encrypts a message with the other party's public key; the extranet entity then decrypts it with its own private key. Only the holder of the matching private key can decrypt the message, so a correct reply demonstrates possession of that key. Note that encryption to the receiver's key proves nothing about who sent the message; the sender's identity is established by the signature it applies with its own private key (step S3), which is why the method both encrypts and signs.
Data transmission:
Once mutual authentication is established, the two entities can exchange data securely, using either a symmetric algorithm (e.g. AES) or an asymmetric algorithm (e.g. RSA).
With symmetric encryption the two parties agree a shared key and use it both to encrypt and to decrypt. With asymmetric encryption one party encrypts with the other's public key and the other decrypts with its own private key. In practice the two are combined: the bulk data is encrypted with a symmetric key and only that key is protected with the asymmetric algorithm, since RSA can encrypt only a message shorter than its modulus.
Keeping safe:
Over time the private key must be protected and the public/private key pair rotated periodically. A leaked private key leads to unauthorized access and further security risks.
It is equally important that all communications are encrypted, to counter man-in-the-middle attacks.
In this way the internal and external networks achieve secure bidirectional communication. A real deployment involves further details and security measures; such a system should be implemented with experienced security specialists or after thorough study, to ensure sound security practice.
During authentication the server also verifies the identity of the client, which prevents man-in-the-middle attacks and ensures the security and reliability of communication.
In the bidirectional authentication mechanism, verification of the client's identity by the server is the key step for ensuring secure and reliable communication. Several common methods of verifying the client and preventing man-in-the-middle attacks follow:
Using digital certificates:
Both the client and the server present their own digital certificates for authentication. A digital certificate is issued by a trusted third party and contains the public key together with other authentication information.
When a client connects, the server verifies the client's certificate: that it was issued by a trusted issuer and that it is within its validity period. If verification fails, the server may refuse the connection or take other security measures.
Two-way handshake process:
In two-way authentication the server and client perform a two-way handshake. During the handshake each party proves possession of a pre-shared key or other credential (the credential itself must never be sent in the clear) and uses it to further authenticate the other side.
Through this process the server confirms that the client is not a man-in-the-middle attacker, and the client confirms that it is communicating with the intended server.
Using encryption algorithms and protocols:
Encryption algorithms and protocols protect the confidentiality of data during communication. Common algorithms include symmetric ciphers (e.g. AES) and asymmetric ciphers (e.g. RSA).
Encrypting the data means that an attacker who intercepts it in transit cannot read it; tampering is detected only when an authenticated encryption mode (such as AES-GCM) or a signature is used, since encryption on its own does not provide integrity. Together these ensure the security and reliability of the communication.
Periodically updating and verifying public/private key pairs:
The server and client should update and verify their public/private key pairs regularly, using a certificate management tool or a third-party certificate authority.
A leaked private key creates a security risk, so appropriate measures should protect it; for example, the private key may be stored in a hardware security module (HSM) or in a trusted key management system.
Logging and monitoring:
The server should log all communications with the client for auditing and monitoring. These logs can be used to detect abnormal behaviour or security events and to respond to them.
Through monitoring and logging an administrator can discover potential security threats or attacks in time and take appropriate action.
In summary, by using digital certificates, a two-way handshake, encryption algorithms and protocols, periodic update and verification of key pairs, logging and monitoring, the server can verify the identity of the client and prevent man-in-the-middle attacks, ensuring the security and reliability of communication.
In step S2, each entity in the intranet and extranet has its own public/private key pair. The public key is public and the private key must be kept secret; the public key encrypts information that only the corresponding private key can decrypt.
The private key generates digital signatures whose validity can be verified only with the corresponding public key. During two-way authentication the client and server first exchange public key certificates, which contain the entity's identity information and the issuer's digital signature; by exchanging certificates each side can verify the other's identity.
The public key can be used by any other entity to encrypt information; only the entity holding the private key can decrypt it. The scheme rests on a mathematical hard problem, so the private key stays secure even though the public key is widely disclosed, and only the holder of the private key can decrypt information encrypted with its public key.
In mutual authentication, each entity encrypts authentication information with the other party's public key and the two exchange these encrypted values. Only the entity with the corresponding private key can decrypt them, which demonstrates that it holds that key; the sender's signature provides the complementary proof of who sent the data.
This mechanism is a key component in ensuring the security and reliability of communications, particularly where sensitive data must be protected and the identity of the communicating entity verified.
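Steps S2 to S4 above, and the explanation of the public/private key pairs, as an added Go example that is not the patent's code: the sender encrypts to the receiver's RSA public key and signs the encrypted result with its own private key, and the receiver checks the signature before it decrypts. Because RSA-OAEP can encrypt only a short message, the file itself is encrypted under a fresh AES-256-GCM key and only that key is wrapped with RSA; this hybrid construction, the envelope layout, the key sizes and the sample message are assumptions made for the example, not details stated in the patent.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the gatekeeper: the AES-256-GCM ciphertext of the file, the AES
// key wrapped with the receiver's RSA-OAEP public key, and the sender's RSA-PSS signature over all three.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// signedDigest is what the signature covers. Hashing each part to a fixed length first removes
// boundary ambiguity; covering the wrapped key and nonce too stops an attacker swapping either one.
func signedDigest(e *Envelope) []byte {
	h := sha256.New()
	for _, part := range [][]byte{e.Nonce, e.Ciphertext, e.WrappedKey} {
		s := sha256.Sum256(part)
		h.Write(s[:])
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is S3: encrypt to the receiver's public key (through a fresh AES key wrapped
// with RSA-OAEP, so files of any size work), then sign with the sender's private key.
func Seal(plaintext []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // one 256-bit AES key and one 96-bit GCM nonce per file
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, e := buf[:32], &Envelope{Nonce: buf[32:]}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, plaintext, nil)
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil); err != nil {
		return nil, err
	}
	if e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(e), nil); err != nil {
		return nil, err
	}
	return e, nil
}

// Open is S4: verify the sender's signature first and only then unwrap the key and
// decrypt, so a forged or altered envelope never reaches the decryption code path.
func Open(e *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(e), e.Signature, nil); err != nil {
		return nil, errors.New("sender signature invalid: envelope rejected")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed GCM authentication")
	}
	return pt, nil
}

func main() {
	// S2: each side generates its own pair; only the public halves cross the gatekeeper.
	intranet, err1 := rsa.GenerateKey(rand.Reader, 2048)
	extranet, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	env, err := Seal([]byte("constructed sample: tactical data export"), intranet, &extranet.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, extranet, &intranet.PublicKey)
	fmt.Printf("decrypted %q, err %v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // one flipped bit: refused by the signature check, before any decryption
	_, err = Open(env, extranet, &intranet.PublicKey)
	fmt.Println("tampered copy:", err)
}
```

Signing the ciphertext rather than the plaintext, as S3 specifies, lets the receiver reject a bad envelope before any private-key decryption runs, which keeps untrusted bytes away from the RSA and AES code paths; the price is that the signature alone does not prove the signer knew the plaintext, which is acceptable here because the sender is also the party that produced the ciphertext.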
The encryption technology adopts the AES, DES and 3DES encryption algorithms.
AES, DES and 3DES are all symmetric encryption algorithms, i.e. the same key is used for encryption and decryption.
AES (Advanced Encryption Standard) is the block cipher standard adopted by the U.S. federal government and is in wide use. It is faster and more secure than DES.
DES (Data Encryption Standard) was designed by IBM and adopted as the official standard for encrypting non-classified data. Because its 56-bit key is easily broken by brute force (a complete key search has been practical since the late 1990s), more secure algorithms such as 3DES and AES followed.
3DES (Triple DES) is a more secure variant of DES that avoids the same attack by enlarging the effective key: it encrypts each block three times with two or three 56-bit keys. 3DES still has a 64-bit block and is far slower than AES; NIST has withdrawn DES and, in SP 800-131A, disallows 3DES for encrypting new data after 2023. Of the three, only AES, in an authenticated mode such as GCM, should be chosen for a new deployment.
The unidirectional security isolation gatekeeper ensures that data in the high-security-level network cannot flow to the low-security-level network, while data in the low-security-level network can flow to the high-security-level network.
The unidirectional security isolation gatekeeper realizes secure data transmission between networks of different security levels. Its design principle is to allow data to flow in one direction only, so that data in the high-security network cannot reach the low-security network while data in the low-security network can reach the high-security network.
Specifically, the gatekeeper isolates the two networks by physical isolation: it permits only one-way transmission from the low-security network to the high-security network and no transmission back from the high-security network to the low-security network. This prevents data in the high-level network from leaking into the low-level network and so protects the confidentiality and integrity of sensitive data.
In addition, the gatekeeper can adopt further security measures such as data filtering, virus scanning and content filtering, which strengthen its security further. These measures effectively prevent the spread of malicious code, unauthorized access and data leakage, protecting the security and stability of the network.
The unidirectional security isolation gatekeeper is an effective technology for secure data transmission between networks of different security levels, preventing leakage of sensitive data and unauthorized access.
Compared with the prior art, the invention has the following advantages:
1. The invention builds on the main characteristic of the gatekeeper, the absence of a complete network connection: under the gatekeeper's ferry control, the data exchange area is never connected to the internal and external networks at the same time. This design breaks the direct connection between the internal and external networks and so achieves physical isolation between them.
2. The method effectively overcomes the shortcomings of existing data resource transmission methods and devices based on a unidirectional security isolation gatekeeper, improving the interaction and sharing capacity of data while ensuring the security of the data.
Drawings
Fig. 1 is a flow chart of the present invention.
Fig. 2 is a schematic diagram of a two-way authentication mechanism of the present invention.
Fig. 3 is a schematic diagram of a public-private key pair of the present invention.
Detailed Description
The following are specific embodiments of the invention, whose technical solutions are further described with reference to the accompanying drawings; the invention is not limited to these embodiments.
As shown in figs. 1-3, the method for realizing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper comprises the following steps:
S1, adopting a bidirectional (mutual) authentication mechanism so that bidirectional communication is established only after security verification;
S2, the internal and external networks each generate their own public/private key pair and exchange public keys;
S3, the sender encrypts the file with the receiver's public key and signs the encrypted file with the sender's private key;
S4, the receiver verifies the signature of the received file with the sender's public key and decrypts it with the receiver's private key;
S5, protecting the transmitted data with encryption to ensure its security;
S6, dividing the data into several parts and transmitting them through several unidirectional security isolation gatekeepers, thereby realizing bidirectional communication;
S7, examining, approving and controlling the sensitive data and resources to be transmitted.
Two-way authentication, also known as mutual authentication or bidirectional authentication, is a security mechanism that establishes a trust relationship between the two parties in a communication. During communication the two entities must authenticate each other: when the client sends a request to the server, or the server receives a request from the client, the server authenticates the client; when the server sends a request to the client, or the client receives a request from the server, the client authenticates the server. Communication proceeds only when each party passes the other's authentication.
For example, in ordinary SSL/TLS use typically only the client verifies the server's identity, whereas in mutual authentication the server also verifies the client. Its main purpose is to prevent man-in-the-middle attacks and ensure the security and reliability of communication, and it is typically used where high security is required, such as financial services and medical information transfer.
In step S2, mutual authentication rests on public key cryptography: each entity in the intranet and extranet has a public/private key pair, of which the public key may be disclosed and the private key must be kept secret. The public key encrypts information that only the corresponding private key can decrypt; the private key generates digital signatures that only the corresponding public key can verify. During mutual authentication the client and server first exchange public key certificates, which contain the entity's identity information and the issuer's digital signature; by exchanging certificates the client and server can verify each other's identity.
When the client sends a request to the server it signs the request with its own private key, and the server verifies the signature with the client's public key after receiving the data, confirming that it came from a trusted client. In the other direction the server signs the returned data with its own private key, and the client verifies the signature with the server's public key after receiving it, confirming that the data came from the trusted server.
Mutual authentication is typically implemented with the SSL/TLS protocol, where it is achieved in the handshake. During the handshake the client and server exchange certificates, negotiate cipher suites and derive session keys; through it they verify each other's identity and agree the parameters for the subsequent communication. Certificates, issued by an authoritative certificate authority (CA) and containing the entity's identity information and public key, are the key to mutual authentication in SSL/TLS. During the handshake the client checks that the server's certificate chain is complete and valid, and the server likewise checks the client's chain. Proof of key possession differs by direction and version: with the RSA key exchange of TLS 1.2 and earlier, the client encrypts a random premaster secret with the server's public key, which only the genuine server can decrypt; TLS 1.3 removed RSA key exchange in favour of ephemeral Diffie-Hellman, and the server instead signs the handshake transcript. In both versions the client proves possession of its own private key by signing the handshake transcript (the CertificateVerify message); the server never encrypts anything with the client's public key.
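The handshake just described, as an added Go example that is not the patent's code: an in-memory CA issues a server and a client certificate, a loopback server is configured to require and verify a client certificate, a certificate-bearing client is greeted by name, and a client that presents no certificate is refused. The CA, the host names and the shortcut of one leaf profile serving both roles are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

type identity struct { // a certificate and key as crypto/tls wants them, plus the parsed form
	tlsCert tls.Certificate
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err) // demo code: fail loudly instead of threading errors through
	}
}

// issue mints a certificate for cn signed by parent, or self-signed when parent is nil.
// Assumed: one private CA trusted on both sides; every name in this file is hypothetical.
func issue(cn string, isCA bool, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // Go matches ServerName against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // one leaf profile serves both the server and the client in this demo
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &identity{tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key}
}

// MutualTLSDemo runs a loopback server that requires and verifies a client certificate, connects with a
// CA-issued client certificate and then with none, and returns the greeting seen and whether the anonymous client was refused.
func MutualTLSDemo() (string, bool) {
	ca := issue("Gatekeeper Test CA", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	server, client := issue("server.intranet.example", false, ca), issue("client.extranet.example", false, ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server.tlsCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12})
	must(err)
	go func() { // serves connections one at a time; enough for the two this demo makes
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails, and the peer is dropped, for a missing or untrusted client cert
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "server.intranet.example",
		Certificates: []tls.Certificate{client.tlsCert}, MinVersion: tls.VersionTLS12})
	must(err)
	greeting, _ := io.ReadAll(conn) // the server writes the greeting and closes, so this ends at EOF
	conn.Close()
	// No client certificate: under TLS 1.3 Dial can succeed and the refusal only shows on the first read.
	anon, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "server.intranet.example", MinVersion: tls.VersionTLS12})
	if err != nil {
		return string(greeting), true
	}
	data, rerr := io.ReadAll(anon)
	anon.Close()
	return string(greeting), rerr != nil || len(data) == 0
}

func main() { fmt.Println(MutualTLSDemo()) }
```

The single setting that makes TLS mutual is ClientAuth: tls.RequireAndVerifyClientCert together with a ClientCAs pool; without it a Go server accepts any client, certificate or not. On the client side, RootCAs plus ServerName is the other half of the check. The anonymous client is a deliberate test of the failure mode: the server's Handshake call fails, the client learns of the refusal either at Dial or on its first read depending on the TLS version, and in neither case does it receive the greeting.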
A mutual authentication mechanism is a type of security verification procedure used to ensure the identity of two communicating entities. To implement this mechanism, public-private key encryption, digital certificates, and other techniques may be employed. Two-way communication is realized through security verification:
generating a public-private key pair:
Each entity in the intranet generates its own public-private key pair.
Each entity in the external network also generates its own public-private key pair.
Distributing public keys:
The public key may be securely distributed to other entities. Typically, we will use digital certificates to distribute public keys. The digital certificate is issued by a trusted third party (e.g., a CA authority) and contains the public key and other authentication information.
When one entity wants to establish communication with another entity, it first verifies the digital certificate of the other party. This includes checking whether the certificate was issued by a trusted issuer and whether the certificate is within a validity period.
And (3) identity authentication:
Once both parties verify the identity of each other, they can encrypt and decrypt using the public key of each other.
For example, when an entity in an intranet wants to communicate with an entity in an extranet, it encrypts a message using the public key of the other party. The entity in the external network can then decrypt the message using its own private key. This process ensures that only entities with the corresponding private key can decrypt the message, thereby enabling mutual authentication.
And (3) data transmission:
Once mutual authentication is established, the two entities can securely exchange data. They may encrypt and decrypt data using a symmetric encryption algorithm (e.g., AES) or an asymmetric encryption algorithm (e.g., RSA).
With symmetric encryption, both parties can select a shared key and use the key to encrypt and decrypt data. When asymmetric encryption is used, one party encrypts data using the public key of the other party, and then the other party decrypts the data using its own private key.
Keeping safety:
Over time, it is important to ensure the security of the private key and to periodically update the public-private key pair. Private key leakage can lead to unauthorized access and potential security risks.
In addition, it is also important to ensure that all communications are encrypted to prevent the threat of man-in-the-middle attacks.
The internal and external networks can realize safe bidirectional communication. It is noted that the actual application may involve more details and security measures. In implementing such a system, it is preferable to work with experienced security specialists or conduct intensive research to ensure optimal security practices.
In the bidirectional authentication mechanism, the verification of the identity of the client by the server is a key step for ensuring the security and reliability of communication. The following are several common methods to verify the identity of a client and to prevent man-in-the-middle attacks:
using digital certificates:
both the client and the server may use respective digital certificates for authentication. The digital certificate is issued by a trusted third party and contains the public key and other authentication information.
When a client connects to a server, the server verifies the client's digital certificate. This includes checking whether the certificate was issued by a trusted issuer and whether the certificate is within a validity period. If the authentication fails, the server may refuse the connection or take other security measures.
Two-way handshake process:
In two-way authentication, the server and client may perform a two-way handshake. During the handshake, the parties exchange a pre-shared key or other authentication information and use it to further authenticate the identity of the other party.
Through this process, the server can verify the identity of the client, ensuring that it is not a man-in-the-middle attacker. At the same time, the client can also verify the identity of the server, ensuring that it communicates with the intended server.
Using encryption algorithms and protocols:
Encryption algorithms and protocols are used to protect the security and confidentiality of data during communication. Common encryption algorithms include symmetric algorithms (e.g., AES) and asymmetric algorithms (e.g., RSA).
By encrypting data, it is difficult for an attacker to decrypt or tamper with the data even if the data is intercepted or stolen during transmission. This helps to ensure the security and reliability of the communication.
Periodically updating and verifying public-private key pairs:
The server and client should update and verify their respective public-private key pairs on a regular basis. This may be accomplished through a certificate management tool or a third-party certificate authority.
Leakage of the private key may lead to security risks, so appropriate measures should be taken to protect the security of the private key. For example, the private key may be stored in a hardware security module or in a trusted key management system.
Logging and monitoring:
The server should log all communications with the client for auditing and monitoring purposes. These logs may be used to detect abnormal behavior or security events and take corresponding action.
Through monitoring and logging, an administrator can discover potential security threats or attacks in time and take appropriate action.
In summary, by using digital certificates, two-way handshake procedures, encryption algorithms and protocols, periodically updating and verifying public-private key pairs, logging, monitoring and other measures, the server can verify the identity of the client and prevent man-in-the-middle attacks, thereby ensuring the safety and reliability of communication.
The public key is public and can be used by other entities to encrypt information, while the private key is secret and only the entity that owns the private key can decrypt the corresponding information.
This encryption is based on some mathematical difficulties, so that the security of the private key can be guaranteed even if the public key is widely disclosed. Thus, only the entity that owns the corresponding private key can decrypt the information encrypted by its public key.
In the context of mutual authentication, entities encrypt authentication information using the public key of the other party and then exchange such encrypted information. Only the entity with the corresponding private key can decrypt the information, thereby verifying the identity of the other party.
This mechanism is a key component in ensuring the security and reliability of communications, particularly where it is necessary to protect sensitive data and verify the identity of the communicating entity.
Mutual authentication can also be carried out at the data layer rather than at the protocol layer, without relying on the SSL/TLS protocol. When the client sends a request to the server, it signs the request with its private key; the server verifies the signature on the received data with the client's public key, and a successful verification proves that the data originated from the trusted client. The server in turn signs the data it returns with its own private key; the client verifies the signature with the server's public key after receiving the data, and a successful verification shows that the data originated from the trusted server. Mutual authentication is thus completed at the data layer.
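The data-layer scheme just described, together with steps S2 to S4 of claim 1 (encrypt with the receiver's public key, sign with the sender's private key, verify and then decrypt), as an added Go example using only the standard library. It is not code from the patent or its applicant; the envelope layout, the 2048-bit RSA keys and the use of a fresh AES-256-GCM content key wrapped with RSA-OAEP are this example's own assumptions, chosen because RSA alone cannot encrypt a file-sized payload.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the unit that crosses the gate: the file under a fresh
// AES-256-GCM content key, that key wrapped for the receiver with RSA-OAEP,
// and an RSA-PSS signature by the sender covering all three fields.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// NewKeyPair is step S2: each side generates its own pair and publishes
// only the public half (&priv.PublicKey). 2048 bits is this example's choice.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// digest binds wrapped key, nonce and ciphertext together so the signature
// covers the whole envelope, not just the file bytes.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Seal is step S3: encrypt for the receiver, then sign as the sender.
// RSA-OAEP can only wrap a short key, so the file itself goes under AES.
func Seal(sender *rsa.PrivateKey, receiver *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, nil)
	env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil {
		return nil, err
	}
	env.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, env.digest(), nil)
	return env, err
}

// Open is step S4: check the sender's signature first, and only then unwrap
// the key and decrypt. A failed check means the data did not come from the
// trusted peer, or was altered on the way, and nothing of it is used.
func Open(receiver *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, env.digest(), env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the trusted peer")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed demo: the client's signed request and the server's signed
	// reply, each side verifying the other at the data layer.
	client, _ := NewKeyPair()
	server, _ := NewKeyPair()
	req, _ := Seal(client, &server.PublicKey, []byte("GET /report/2024-02"))
	got, err := Open(server, &client.PublicKey, req)
	fmt.Printf("server got %q, err=%v\n", got, err)
	resp, _ := Seal(server, &client.PublicKey, []byte("report contents"))
	got, err = Open(client, &server.PublicKey, resp)
	fmt.Printf("client got %q, err=%v\n", got, err)
}
```

The receiver checks the signature before touching the ciphertext, so an envelope that was signed with any key other than the expected peer's, or whose ciphertext was modified in transit, is rejected without any decryption work. That is the property the description relies on when it says a successful verification proves the origin of the data.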
The encryption technique uses the AES, DES and 3DES encryption algorithms.
The AES encryption algorithm (Advanced Encryption Standard) is a symmetric encryption algorithm, also known as the Advanced Encryption Standard. It was published by the National Institute of Standards and Technology in 2001 as a replacement for the DES encryption algorithm. AES uses 128-bit, 192-bit or 256-bit keys to encrypt and decrypt data and has the advantages of high strength, high speed and ease of implementation;
The DES encryption algorithm is a symmetric-key algorithm that uses the same key for encryption and decryption. During encryption and decryption, DES divides the data into 64-bit blocks and applies 16 rounds of operations such as permutation, substitution, confusion and its inverse, each round depending on the key. The final ciphertext is bound to the 64-bit initial key, and the original data can only be recovered by decrypting with the correct key;
3DES (also known as Triple DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher. It is equivalent to applying the DES encryption algorithm three times to each data block. The key length of the original DES cipher became easy to break by brute force as computing power grew; rather than designing a completely new block cipher, 3DES was designed as a relatively simple way of avoiding such attacks by increasing the key length of DES.
AES, DES and 3DES are all symmetric encryption algorithms, i.e. the same key is used for encryption and decryption.
AES (Advanced Encryption Standard): advanced encryption standards. AES is a block encryption standard adopted by the federal government in the united states and is widely used. AES is faster and safer than DES.
DES (Data Encryption Standard): data encryption standard. DES is an encryption algorithm designed by IBM and was adopted as the official data encryption standard for non-classified data. Because the DES key length is easily broken by brute force, more secure encryption algorithms such as 3DES and AES have emerged.
3DES (Triple Data Encryption Standard): triple data encryption standard. 3DES is a more secure variant of DES that avoids such attacks by increasing the key length of DES. 3DES encrypts the data three times using 2 or 3 keys of 56 bits.
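The three symmetric algorithms above, as an added Go example (not the patent's or the applicant's code) that drives AES, DES and 3DES through one CBC routine from the standard library, with an HMAC-SHA256 tag added in encrypt-then-MAC order. The wire layout (IV, ciphertext, tag) and the use of separate encryption and MAC keys are this example's own assumptions. Running it shows the practical difference behind the text: the same code yields a 64-bit block for DES and 3DES but a 128-bit block for AES, and only AES accepts 128-, 192- or 256-bit keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewBlock selects the block cipher by name. Key lengths are those the
// algorithms define: DES 8 bytes, 3DES 24 bytes, AES 16, 24 or 32 bytes.
func NewBlock(algo string, key []byte) (cipher.Block, error) {
	switch algo {
	case "AES":
		return aes.NewCipher(key)
	case "DES":
		return des.NewCipher(key)
	case "3DES":
		return des.NewTripleDESCipher(key)
	}
	return nil, fmt.Errorf("unsupported algorithm %q", algo)
}

// RandomBytes returns n bytes from the OS CSPRNG (keys and IVs).
func RandomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns iv || CBC ciphertext || HMAC-SHA256(iv || ciphertext).
// Encrypt-then-MAC with a separate MAC key: the tag is checked before any
// decryption or unpadding, so modified ciphertext is rejected outright.
func Encrypt(algo string, encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := NewBlock(algo, encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	out := RandomBytes(bs) // random IV, sent in the clear
	padded := pkcs7Pad(append([]byte(nil), plaintext...), bs)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Decrypt verifies the tag first, then reverses CBC and strips the padding.
func Decrypt(algo string, encKey, macKey, data []byte) ([]byte, error) {
	block, err := NewBlock(algo, encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < 2*bs+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication tag mismatch")
	}
	pt := make([]byte, len(body)-bs)
	cipher.NewCBCDecrypter(block, body[:bs]).CryptBlocks(pt, body[bs:])
	return pkcs7Unpad(pt, bs)
}
```

The 64-bit block of DES and 3DES is the reason the text calls them less secure than AES beyond key length alone: with a small block, the number of blocks that can safely be encrypted under one key is far lower, which is why AES (or the AES-GCM construction) is the sensible default and DES/3DES should be kept only for compatibility with legacy peers.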
The unidirectional security isolation gatekeeper ensures that data in the high-security-level network cannot flow to the low-security-level network, while data in the low-security-level network can flow to the high-security-level network; this eliminates the problem of information leakage from the high-security-level network, and only a feedback-free unidirectional transmission technology is used. The security isolation and one-way information import system developed here uses a proprietary feedback-free unidirectional transmission technology that guarantees strictly one-way data flow at both the physical link layer and the transport layer. The system also uses proprietary error-correction coding, ASIC parallel processing and MRP to provide high reliability, fault tolerance, security and stability.
The unidirectional security isolation gatekeeper is used for realizing the security data transmission among different security level networks. The design principle of the technology is that data is allowed to flow from one direction only, so that the data in a high-security network cannot flow to a low-security network, and meanwhile, the data in the low-security network can flow to the high-security network.
Specifically, the unidirectional security isolation gatekeeper isolates the two networks by way of physical isolation. It allows only unidirectional transmission of data from the low-security network to the high-security network and not backward transmission from the high-security network to the low-security network. This prevents data in the high-level network from being compromised into the low-level network, thereby protecting the confidentiality and integrity of sensitive data.
In addition, the unidirectional security isolation gatekeeper can also adopt other security measures such as data filtration, virus killing, content filtration and the like, so that the security of the unidirectional security isolation gatekeeper is further enhanced. By these measures, it is possible to effectively prevent the spread of malicious code, unauthorized access and data leakage, thereby protecting the security and stability of the network.
The unidirectional security isolation gatekeeper is an effective technology, and can be used for realizing secure data transmission between different security level networks, and preventing sensitive data from being leaked and unauthorized access.
The invention uses the above apparatus to transmit data resources from a source device to a target device through a unidirectional security isolation gatekeeper, meeting the requirement for cross-network-zone transfer of data resources during the network countermeasure stage. Specifically, the source device sends the file to the target device through the unidirectional security isolation gatekeeper while remaining unable to access the target device, which preserves the security of the data. The method and device can be applied to scenarios demanding high security, such as front-line operations and attack-and-defense drills.
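Step S6 of claim 1 splits the data into parts for transmission through the one-way gates, and the description stresses that the gate is feedback-free. Added Go example (not the patent's or the applicant's code): because the receiving side cannot ask for a retransmission, each part carries its own index, the total count and SHA-256 checksums, so the receiver can reject corrupted parts, report which indexes are still outstanding and verify the reassembled file. The chunk layout and the hypothetical file identifier are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Chunk is one unit pushed through a one-way gate. With no return path,
// each chunk carries everything the receiver needs to place and check it.
type Chunk struct {
	FileID  string
	Index   int
	Total   int
	FileSum string // SHA-256 of the whole file, hex
	Sum     string // SHA-256 of Data, hex
	Data    []byte
}

func hexSum(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Split divides data into chunks of at most size bytes (step S6).
func Split(fileID string, data []byte, size int) []Chunk {
	fileSum := hexSum(data)
	total := (len(data) + size - 1) / size
	chunks := make([]Chunk, 0, total)
	for i := 0; i < total; i++ {
		end := (i + 1) * size
		if end > len(data) {
			end = len(data)
		}
		part := data[i*size : end]
		chunks = append(chunks, Chunk{FileID: fileID, Index: i, Total: total,
			FileSum: fileSum, Sum: hexSum(part), Data: part})
	}
	return chunks
}

// Receiver reassembles one file. Duplicates are harmless (a sender on a
// feedback-free link usually repeats chunks to cover loss); a chunk whose
// hash does not match is dropped and its index stays in the missing list.
type Receiver struct {
	fileID  string
	total   int
	fileSum string
	parts   map[int][]byte
}

func NewReceiver(fileID string) *Receiver {
	return &Receiver{fileID: fileID, parts: map[int][]byte{}}
}

func (r *Receiver) Accept(c Chunk) error {
	if c.FileID != r.fileID {
		return errors.New("chunk belongs to another file")
	}
	if hexSum(c.Data) != c.Sum {
		return fmt.Errorf("chunk %d: hash mismatch, dropped", c.Index)
	}
	if r.total == 0 {
		r.total, r.fileSum = c.Total, c.FileSum
	} else if c.Total != r.total || c.FileSum != r.fileSum {
		return errors.New("chunk manifest disagrees with earlier chunks")
	}
	if c.Index < 0 || c.Index >= r.total {
		return fmt.Errorf("chunk index %d out of range", c.Index)
	}
	r.parts[c.Index] = append([]byte(nil), c.Data...)
	return nil
}

// Missing lists indexes not yet received. The gate cannot carry a request
// for them, so the sender must re-push unprompted (or via a separate gate).
func (r *Receiver) Missing() []int {
	var miss []int
	for i := 0; i < r.total; i++ {
		if _, ok := r.parts[i]; !ok {
			miss = append(miss, i)
		}
	}
	return miss
}

// Assemble concatenates the parts and checks the whole-file hash.
func (r *Receiver) Assemble() ([]byte, error) {
	if m := r.Missing(); r.total == 0 || len(m) > 0 {
		return nil, fmt.Errorf("incomplete: missing chunks %v", m)
	}
	var buf bytes.Buffer
	for i := 0; i < r.total; i++ {
		buf.Write(r.parts[i])
	}
	if hexSum(buf.Bytes()) != r.fileSum {
		return nil, errors.New("file hash mismatch after reassembly")
	}
	return buf.Bytes(), nil
}
```

The per-chunk hash lets the receiver discard a damaged part without discarding the whole transfer, and the whole-file hash catches any mismatch the per-chunk checks cannot see, such as chunks from two different versions of a file that happen to share an identifier. On a gate with a separate return channel, the output of Missing is exactly what the sending side would need to re-push.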
The specific embodiments described herein are offered by way of example only to illustrate the spirit of the invention. Those skilled in the art may make various modifications or additions to the described embodiments or substitutions thereof without departing from the spirit of the invention or exceeding the scope of the invention as defined in the accompanying claims.

Claims (7)

1. A method for realizing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper, characterized by comprising the following steps:
S1, adopting a bidirectional authentication mechanism to realize bidirectional communication through security verification;
S2, the internal and external networks generate respective public and private key pairs, and exchange the public keys;
S3, the sender encrypts the file by using the public key of the receiver, and simultaneously signs the encrypted file by using the private key of the sender;
S4, the receiver decrypts the received file by using the private key of the receiver, and simultaneously the public key of the sender is used for checking the signature of the file;
S5, protecting the transmitted data by using an encryption technology, and ensuring the safety of the data;
S6, dividing the data into a plurality of parts for transmission, and transmitting by utilizing a plurality of unidirectional security isolation gatekeepers, thereby realizing bidirectional communication;
S7, examining, approving and controlling the sensitive data and resources to be transmitted.
2. The method for implementing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper according to claim 1, wherein the bidirectional authentication mechanism is a security mechanism that establishes a trust relationship between the two communicating parties; during communication the two entities need to perform bidirectional identity authentication: when the client sends a request to the server or the server receives a request from the client, the server needs to authenticate the client; when the server sends a request to the client or the client receives a request from the server, the client needs to authenticate the server.
3. The method for realizing network countermeasure data resource transmission based on the unidirectional security isolation gatekeeper according to claim 2, wherein the bidirectional authentication mechanism also verifies the identity of the client in the authentication process, prevents man-in-the-middle attacks, and ensures the security and reliability of communication.
4. The method for implementing network countermeasure data resource transmission based on a unidirectional security isolation gatekeeper according to claim 1, wherein in step S2 each entity in the internal and external networks has a public/private key pair; the public key is public, the private key must be kept secret, the public key is used to encrypt information, and only the corresponding private key can decrypt it.
5. The method for implementing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper according to claim 4, wherein the private key is used to generate a digital signature, and only the corresponding public key can verify the validity of the digital signature, and during bidirectional authentication, the client and the server exchange public key certificates first, the public key certificates containing identity information of the entity and related digital signatures, and the client and the server can verify the identity of each other by exchanging the public key certificates.
6. The method for realizing network countermeasure data resource transmission based on the unidirectional security isolation gatekeeper according to claim 1, wherein the encryption technique adopts AES, DES and 3DES encryption algorithms.
7. The method for implementing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper according to claim 1, wherein the unidirectional security isolation gatekeeper is used for ensuring that data in a high-security-class network cannot flow to a low-security-class network, but data in the low-security-class network can flow to a high-security-class network.
CN202410143048.1A 2024-02-01 2024-02-01 Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper Pending CN118041611A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410143048.1A CN118041611A (en) 2024-02-01 2024-02-01 Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410143048.1A CN118041611A (en) 2024-02-01 2024-02-01 Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper

Publications (1)

Publication Number Publication Date
CN118041611A true CN118041611A (en) 2024-05-14

Family

ID=91001696

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410143048.1A Pending CN118041611A (en) 2024-02-01 2024-02-01 Method for realizing network countermeasure data resource transmission based on unidirectional security isolation gatekeeper

Country Status (1)

Country Link
CN (1) CN118041611A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118540135A (en) * 2024-05-30 2024-08-23 博大视野(厦门)科技有限公司 System component communication method and storage medium applied to port network security
CN119312387A (en) * 2024-09-18 2025-01-14 浪潮卓数大数据产业发展有限公司 A distributed aggregation method based on unidirectional isolated network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination