CN118174942A - Data transmission method, device and readable storage medium - Google Patents

Data transmission method, device and readable storage medium

Info

Publication number
CN118174942A
Authority
CN
China
Prior art keywords
ccn
content
target content
target
path
Prior art date
Legal status
Pending
Application number
CN202410362440.5A
Other languages
Chinese (zh)
Inventor
任梦璇
薛淼
李焕
林琳
王泽林
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by China United Network Communications Group Co Ltd
Priority to CN202410362440.5A
Publication of CN118174942A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a data transmission method, a data transmission device and a readable storage medium, which relate to the technical field of communication and are used to improve the security of cached data in a Content Centric Network (CCN). The method is applied to a CCN configured with a plurality of CCN routers, each of which is configured with a Trusted Execution Environment (TEE) module, and comprises: receiving a request message from a first terminal, the request message requesting target content; for each CCN router on the path, encrypting the target content with that router's TEE module and caching the encrypted target content in that CCN router, where the path is the path over which the CCN sends the target content to the first terminal; and sending the target content to the first terminal using the CCN routers on the path.

Description

Data transmission method, device and readable storage medium

Technical Field

The embodiments of the present application relate to the field of communication technology, and in particular to a data transmission method, device and readable storage medium.

Background

As network traffic keeps growing, data transmission under the transmission control protocol (TCP)/internet protocol (IP) architecture is becoming less and less efficient. Information-centric networking (ICN) emerged in this context: ICN changes the Internet's current end-to-end communication mechanism by decoupling content from terminal location, and provides services such as storage and multi-party communication through a publish/subscribe paradigm.

Content Centric Networking (CCN) is a specific implementation of ICN. Routers in a CCN cache the content users request along the delivery path; when another user requests the same content, a router can first check whether its local cache already holds it and, if so, return it directly to that user. However, once multiple routers in the CCN hold the requested content in their caches, the risk of that content leaking increases greatly.

Summary of the Invention

The present application provides a data transmission method, device and readable storage medium for improving the security of cached data in a CCN.

To achieve the above objective, the present application adopts the following technical solutions:

In a first aspect, a data transmission method is provided, applied to a content centric network (CCN); the CCN is configured with a plurality of CCN routers, and the CCN routers are configured with a trusted execution environment (TEE) module. The method comprises: receiving a request message from a first terminal, the request message requesting target content; for each CCN router on the path, encrypting the target content using the TEE module of that CCN router and caching the encrypted target content in that CCN router, where the path is the path over which the CCN sends the target content to the first terminal; and sending the target content to the first terminal using the CCN routers on the path.

Optionally, the request message includes a content identifier of the target content, and the method further comprises: obtaining the target content in the CCN according to the content identifier.

Optionally, obtaining the target content in the CCN according to the content identifier comprises: determining whether the forwarding information base (FIB) includes the content identifier, where the FIB includes a plurality of ports and, for each port, a plurality of preset content identifiers; when the FIB includes the content identifier, determining from the FIB the target port corresponding to the content identifier; and obtaining the target content from the target port.

Optionally, determining whether the FIB includes the content identifier comprises: determining whether the target content is cached in the cache data of the CCN; and, when the target content is not cached in the cache data of the CCN, determining whether the FIB includes the content identifier.

Optionally, obtaining the target content in the CCN according to the content identifier comprises: when the target content is cached in the cache data of the CCN, obtaining the target content from the cache data of the CCN based on the content identifier.

Optionally, the request message further includes a trusted identifier of the target content, the trusted identifier indicating the importance level of the target content; and encrypting the target content using the TEE module of the CCN router comprises: when the trusted identifier is the target trusted identifier, encrypting the target content using the TEE module of the CCN router.

Optionally, when the target content is cached in the cache data of the CCN, the TEE module stores the original digital signature corresponding to each item of target content, and sending the target content to the first terminal using the CCN routers on the path comprises: obtaining a content digest of the target content; processing the content digest with the content signing key in the TEE module to generate the current digital signature of the target content; and, when the current digital signature is identical to the original digital signature, sending the target content to the first terminal using the CCN routers on the path.

Based on the technical solution provided by the present application, after the request message from the first terminal is received, the target content is encrypted using the TEE module, the encrypted target content is cached in the CCN routers on the path, and the target content is sent to the first terminal using the CCN routers on the path. In other words, by adding the TEE module the present application builds a new CCN architecture. Because the TEE module is a secure area provided in hardware by the device, information inside the secure area can only be accessed through authorized interfaces. Consequently, once the encrypted target content is cached in the CCN routers on the path, it is considerably harder for a third party to decrypt or tamper with it, which lowers the probability of the target content being decrypted or tampered with by a third party and improves the security of cached data in the CCN.
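The two optional features above, encryption only for content carrying the target trusted identifier and the recomputed-signature check before a cache hit is served, as an added Python model; this is not code from the patent or from its applicant. The TEE is simulated in software, and the cipher (HMAC-SHA256 keystream in counter mode), the "signature" (HMAC-SHA256 over the SHA-256 content digest), the value "high" for the target trusted identifier and the sample content are all assumptions, since the page fixes none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed value of the "target trusted identifier" that switches TEE encryption on.
TARGET_TRUST_ID = "high"


class TeeModule:
    """Software stand-in for a router's hardware TEE: the keys below never leave it.

    Assumptions: HMAC-SHA256 keystream in counter mode as the cipher, and an
    HMAC-SHA256 tag over the SHA-256 content digest as the 'digital signature'
    (a MAC is enough here because only the TEE holding the key ever verifies it).
    A real TEE would use a hardware-backed AEAD and a proper signature scheme."""

    def __init__(self) -> None:
        self._enc_key = os.urandom(32)
        self._sign_key = os.urandom(32)            # the page's 'content signing key'
        self._orig_sig: Dict[str, bytes] = {}      # content id -> original signature

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _sign(self, content: bytes) -> bytes:
        digest = hashlib.sha256(content).digest()   # the 'content digest'
        return hmac.new(self._sign_key, digest, hashlib.sha256).digest()

    def seal(self, cid: str, content: bytes) -> bytes:
        """Encrypt content for caching and remember its original signature."""
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(content))
        ciphertext = bytes(a ^ b for a, b in zip(content, ks))
        self._orig_sig[cid] = self._sign(content)
        return nonce + ciphertext

    def open_verified(self, cid: str, blob: bytes) -> Optional[bytes]:
        """Decrypt a cached blob and release it only if its signature still matches."""
        nonce, ciphertext = blob[:16], blob[16:]
        ks = self._keystream(nonce, len(ciphertext))
        content = bytes(a ^ b for a, b in zip(ciphertext, ks))
        # Recompute the signature now and compare it with the one stored at caching time.
        current = self._sign(content)
        original = self._orig_sig.get(cid)
        if original is None or not hmac.compare_digest(current, original):
            return None   # cache tampered with (or never sealed): refuse to serve it
        return content


@dataclass
class CcnRouter:
    tee: TeeModule = field(default_factory=TeeModule)
    cache: Dict[str, bytes] = field(default_factory=dict)   # untrusted router storage

    def cache_content(self, cid: str, content: bytes, trust_id: str) -> None:
        # Only content carrying the target trusted identifier goes through the TEE.
        if trust_id == TARGET_TRUST_ID:
            self.cache[cid] = self.tee.seal(cid, content)
        else:
            self.cache[cid] = content

    def serve(self, cid: str, trust_id: str) -> Optional[bytes]:
        blob = self.cache.get(cid)
        if blob is None:
            return None               # cache miss: the FIB path is not modelled here
        if trust_id != TARGET_TRUST_ID:
            return blob
        return self.tee.open_verified(cid, blob)


CID = "/aaa.cn/video/wigeta.mpg"   # content name taken from the page's naming example


def cache_hit_serves_original() -> bool:
    """The cache holds ciphertext only, yet a verified hit returns the plaintext."""
    router = CcnRouter()
    router.cache_content(CID, b"secret video", TARGET_TRUST_ID)   # constructed content
    hidden = b"secret video" not in router.cache[CID]
    return hidden and router.serve(CID, TARGET_TRUST_ID) == b"secret video"


def tampered_cache_is_refused() -> bool:
    """Flipping one byte of the cached ciphertext makes the signature check fail."""
    router = CcnRouter()
    router.cache_content(CID, b"secret video", TARGET_TRUST_ID)
    blob = bytearray(router.cache[CID])
    blob[20] ^= 0x01                      # constructed corruption of the router cache
    router.cache[CID] = bytes(blob)
    return router.serve(CID, TARGET_TRUST_ID) is None
```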

In a second aspect, a data transmission device is provided, applied to a content centric network (CCN); the CCN is configured with a plurality of CCN routers, and the CCN routers are configured with a trusted execution environment (TEE) module. The device comprises a receiving unit, a processing unit and a sending unit. The receiving unit is configured to receive a request message from a first terminal, the request message requesting target content. The processing unit is configured, for each CCN router on the path, to encrypt the target content using the TEE module of that CCN router and to cache the encrypted target content in that CCN router, where the path is the path over which the CCN sends the target content to the first terminal. The sending unit is configured to send the target content to the first terminal using the CCN routers on the path.

Optionally, the request message includes a content identifier of the target content, and the processing unit is further configured to obtain the target content in the CCN according to the content identifier.

Optionally, the processing unit is specifically configured to: determine whether the FIB includes the content identifier, where the FIB includes a plurality of ports and, for each port, a plurality of preset content identifiers; when the FIB includes the content identifier, determine from the FIB the target port corresponding to the content identifier; and obtain the target content from the target port.

Optionally, the processing unit is further configured to: determine whether the target content is cached in the cache data of the CCN; and, when the target content is not cached in the cache data of the CCN, determine whether the FIB includes the content identifier.

Optionally, the processing unit is further configured to: when the target content is cached in the cache data of the CCN, obtain the target content from the cache data of the CCN based on the content identifier.

Optionally, the request message further includes a trusted identifier of the target content, the trusted identifier indicating the importance level of the target content; and the processing unit is further configured to: when the trusted identifier is the target trusted identifier, encrypt the target content using the TEE module of the CCN router.

Optionally, when the target content is cached in the cache data of the CCN, the TEE module stores the original digital signature corresponding to each item of target content, and the sending unit is specifically configured to: obtain a content digest of the target content; process the content digest with the content signing key in the TEE module to generate the current digital signature of the target content; and, when the current digital signature is identical to the original digital signature, send the target content to the first terminal using the CCN routers on the path.

In a third aspect, a data transmission device is provided that can implement the functions performed by the data transmission device in the above aspects or possible designs; the functions may be implemented in hardware. For example, in one possible design the data transmission device may include a processor and a communication interface, the processor being configured to support the data transmission device in implementing the functions involved in the first aspect or any possible design of the first aspect.

In yet another possible design, the data transmission device may further include a memory for storing the computer-executable instructions and data that the data transmission device needs. When the data transmission device runs, the processor executes the computer-executable instructions stored in the memory, causing the data transmission device to perform the data transmission method of the first aspect or any possible design of the first aspect.

In a fourth aspect, a computer-readable storage medium is provided, which may be a readable non-volatile storage medium and which stores computer instructions or a program; when these run on a computer, they cause the computer to perform the data transmission method of the first aspect or any possible design of the above aspects.

In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to perform the data transmission method of the first aspect or any possible design of the above aspects.

In a sixth aspect, an electronic device is provided comprising one or more processors and one or more memories. The one or more memories are coupled to the one or more processors and store computer program code comprising computer instructions; when the one or more processors execute the computer instructions, the electronic device performs the data transmission method of the first aspect or any possible design of the first aspect.

In a seventh aspect, a chip system is provided comprising a processor and a communication interface; the chip system can be used to implement the functions performed by the data transmission device in the first aspect or any possible design of the first aspect. In one possible design, the chip system further includes a memory for storing program instructions and/or data. The chip system may consist of a chip alone or may include a chip together with other discrete components; this is not limited.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of a CCN router forwarding process provided by an embodiment of the present application;

FIG. 2 is a schematic structural diagram of a data transmission system provided by an embodiment of the present application;

FIG. 3 is a schematic structural diagram of another data transmission system provided by an embodiment of the present application;

FIG. 4 is a schematic structural diagram of a CCN router provided by an embodiment of the present application;

FIG. 5 is a schematic structural diagram of a data transmission device provided by an embodiment of the present application;

FIG. 6 is a schematic flow chart of a data transmission method provided by an embodiment of the present application;

FIG. 7 is a schematic diagram of the composition of an interest message provided by an embodiment of the present application;

FIG. 8 is a schematic flow chart of another data transmission method provided by an embodiment of the present application;

FIG. 9 is a schematic diagram of the composition of a response message provided by an embodiment of the present application;

FIG. 10 is a schematic flow chart of another data transmission method provided by an embodiment of the present application;

FIG. 11 is a schematic flow chart of another data transmission method provided by an embodiment of the present application;

FIG. 12 is a schematic structural diagram of another data transmission device provided by an embodiment of the present application.

Detailed Description

To help those of ordinary skill in the art better understand the technical solutions of the present disclosure, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings.

It should be noted that the terms "first", "second" and the like in the specification, claims and drawings of the present application are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so designated may be interchanged where appropriate, so that the embodiments of the present disclosure described herein can be practised in orders other than those illustrated or described herein. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure; rather, they are merely examples of devices and methods consistent with some aspects of the embodiments of the present application as detailed in the appended claims.

It should also be understood that the term "comprising" indicates the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements and/or components.

The technical terms involved in the present application are introduced below:

1. Trusted Execution Environment (TEE): a secure area provided in hardware by a device, that is, a writable, isolated secure region built inside the chip and independent of the operating system, which ensures that private and sensitive data are stored and computed within this isolated, trusted region. Information in the secure area can only be accessed through authorized interfaces, guaranteeing that program code and private data cannot be illegitimately read or tampered with by the operating system or other applications. Parties participating in a computation can verify the trustworthiness of the environment by remote attestation, and once the computation is finished the original data and intermediate data can be destroyed inside the TEE as required, avoiding the risk of leakage.

As network traffic keeps growing, data transmission under the TCP/IP architecture is becoming less and less efficient. Peer-to-peer (P2P) systems such as BitTorrent are widely used to transfer multimedia data, but their transmission efficiency is also unsatisfactory, because a peer can only obtain data blocks from a small subset of peers; in short, a peer has only very limited information about which peers are downloading the same content and about the network topology. ICN emerged in this context: ICN changes the Internet's current end-to-end communication mechanism by decoupling content from terminal location, and provides services such as storage and multi-party communication through publish/subscribe. With ICN, the user's focus shifts from the terminal to the content: users no longer need to care where to fetch the data they want, only what content they want.

A CCN is a specific implementation of ICN. There are two main kinds of packets in a CCN: content request packets (interest packets) and content data packets (data packets). In a CCN, content is identified by its content name, similar to an IP address prefix, for example "/aaa.cn/video/wigeta.mpg", where aaa.cn is a name recognizable across the whole network, video is the content type and wigeta.mpg is the content name. A request packet is used to request content; if a node receiving the request can satisfy it, it returns the response data in a content data packet. CCN IO uses hierarchical naming, and its global routing system has to handle IO name prefixes at least at the content-provider level; in addition, per-packet forwarding state guides data packets back to the user along the transmission path. The number of CCN name prefixes will also reach the scale of second-level domain names.

A CCN node stores, forwards and routes packets. A CCN node may include a content store (CS), a pending interest table (PIT) and a forwarding information base (FIB).

The content store is similar to an IP router's cache, except that cached content is not cleared after each communication; it can be reused for subsequent communications, which helps reduce content download time and network bandwidth usage.

The pending interest table records the request information that has passed through the node, so that the requested content can be returned to the requesting node. Content data packets are forwarded back hop by hop to the content requester according to the PIT entries; once the content has been returned, the entry is deleted from the PIT.

The forwarding information base is used to send request packets towards destinations; for example, request packets can be sent to multiple destinations at the same time.

In one example, FIG. 1 shows a schematic diagram of a CCN router forwarding process. With reference to FIG. 1, the CCN router forwarding process may include the following steps S1 to S6.

S1. The CCN router receives a request data message from a subscribing terminal.

The request data message requests target content.

In practice, the request data message may take the form of a request data packet.

S2. The CCN router matches the request data message against the content cache.

For example, if the content cache holds the target content, the match is determined to be successful; if the content cache does not hold the target content, the match is determined to have failed.

S3. If the match is successful, the target content is sent to the subscribing terminal.

S4. If the match is successful, the PIT is checked for an entry for the target content.

S5. If the PIT contains an entry for the target content, the requesting port is added to that entry's port list.

In some embodiments, the CCN router may also hold the request data packet.

It should be noted that the request data packet is held in order to prevent duplicate requests for the same data: when a content data packet arrives in response, the content is sent to all ports that requested the data.

S6. If the PIT contains no entry for the target content, the FIB is queried and the request data packet is forwarded to the next CCN router as directed by the FIB.
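The CS, PIT and FIB tables and the forwarding steps S1 to S6 above, as an added Python simulation of one CCN router; this is not code from the patent or from its applicant. The longest-prefix FIB match, the port numbers and the FIB entry are assumptions, and the content name is the one used in the page's naming example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Interest:
    name: str      # hierarchical content name, e.g. "/aaa.cn/video/wigeta.mpg"
    in_port: int   # port the interest arrived on (the port that must receive the data)


@dataclass
class CcnNode:
    cs: Dict[str, bytes] = field(default_factory=dict)       # content store (CS)
    pit: Dict[str, Set[int]] = field(default_factory=dict)   # pending interest table (PIT)
    fib: Dict[str, int] = field(default_factory=dict)        # FIB: name prefix -> outgoing port
    sent: List[Tuple[int, str, bytes]] = field(default_factory=list)   # data handed to ports
    forwarded: List[Tuple[int, str]] = field(default_factory=list)     # interests sent upstream

    def fib_lookup(self, name: str) -> Optional[int]:
        """Longest-prefix match over '/'-separated name components (assumed FIB semantics)."""
        parts = name.strip("/").split("/")
        for n in range(len(parts), 0, -1):
            prefix = "/" + "/".join(parts[:n])
            if prefix in self.fib:
                return self.fib[prefix]
        return None

    def on_interest(self, interest: Interest) -> str:
        # S2/S3: content store hit -> answer from the local cache
        if interest.name in self.cs:
            self.sent.append((interest.in_port, interest.name, self.cs[interest.name]))
            return "cs_hit"
        # S4/S5: the same name is already pending -> record the extra port, do not re-forward
        if interest.name in self.pit:
            self.pit[interest.name].add(interest.in_port)
            return "pit_aggregated"
        # S6: no PIT entry -> consult the FIB, create the PIT entry, forward upstream
        out_port = self.fib_lookup(interest.name)
        if out_port is None:
            return "no_route"
        self.pit[interest.name] = {interest.in_port}
        self.forwarded.append((out_port, interest.name))
        return "forwarded"

    def on_data(self, name: str, data: bytes) -> int:
        """Data follows the PIT back: cache it, hand it to every waiting port, drop the entry."""
        ports = self.pit.pop(name, None)
        if ports is None:
            return 0            # unsolicited data: nothing asked for it, discard
        self.cs[name] = data
        for port in sorted(ports):
            self.sent.append((port, name, data))
        return len(ports)


def demo() -> Tuple[List[str], int, int]:
    """Two subscribers ask for the same name before the data returns; a third asks afterwards."""
    node = CcnNode(fib={"/aaa.cn": 9})   # constructed FIB: everything under /aaa.cn via port 9
    name = "/aaa.cn/video/wigeta.mpg"
    outcomes = [node.on_interest(Interest(name, 1)), node.on_interest(Interest(name, 2))]
    delivered = node.on_data(name, b"video-bytes")        # one upstream reply satisfies both
    outcomes.append(node.on_interest(Interest(name, 3)))  # now served from the content store
    return outcomes, delivered, len(node.forwarded)
```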

Routers in a CCN cache the content users request along the delivery path; when another user requests the same content, a router can first check whether its local cache already holds it and, if so, return it directly to that user. However, once multiple routers in the CCN hold the requested content in their caches, the risk of that content leaking increases greatly.

鉴于此,本申请实施例提供一种数据传输方法,应用于内容中心网络CCN;CCN网络配置有可信执行环境TEE模块以及多个CCN路由器;该方法包括:接收来自第一终端的请求消息;请求消息用于请求目标内容;利用TEE模块对目标内容进行加密,并将加密后的目标内容缓存至途径路径所包括的CCN路由器中;途径路径为内容中心网络向第一终端发送目标内容的路径;利用途径路径所包括的CCN路由器向第一终端发送目标内容。In view of this, an embodiment of the present application provides a data transmission method, which is applied to a content-centric network CCN; the CCN network is configured with a trusted execution environment TEE module and multiple CCN routers; the method includes: receiving a request message from a first terminal; the request message is used to request target content; using the TEE module to encrypt the target content, and caching the encrypted target content to the CCN router included in the path; the path is the path for the content-centric network to send the target content to the first terminal; using the CCN router included in the path to send the target content to the first terminal.

下面结合说明书附图对本申请实施例提供的方法进行详细说明。The method provided in the embodiment of the present application is described in detail below with reference to the accompanying drawings.

需要说明的是,本申请实施例描述的网络系统是为了更加清楚的说明本申请实施例的技术方案,并不构成对于本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着网络系统的演变和其他网络系统的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。It should be noted that the network system described in the embodiment of the present application is to more clearly illustrate the technical solution of the embodiment of the present application, and does not constitute a limitation on the technical solution provided in the embodiment of the present application. Ordinary technicians in this field can know that with the evolution of network systems and the emergence of other network systems, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.

Fig. 2 is a schematic diagram of a data transmission system 10 provided in an embodiment. As shown in Fig. 2, the data transmission system 10 may include a first terminal 11, a CCN network 12 and a second terminal 13.

The first terminal 11 and the second terminal 13 are each connected to the CCN network 12. The connection may be wireless or wired; no limitation is imposed.

The first terminal 11 (also called the content requester) requests target content from the CCN network 12. It may also be referred to as a terminal, a mobile station (MS) or a mobile terminal (MT); it is a device that provides voice and/or data connectivity to a user, for example a handheld device with wireless connectivity or a vehicle-mounted device. Specifically it may be a smartphone (mobile phone), a pocket personal computer (PPC), a palmtop computer, a personal digital assistant (PDA), a laptop, a tablet, a wearable device or a vehicle-mounted device. The embodiments do not limit the technology, number or form of the first terminal 11.

The CCN network 12 searches for the target content and sends it to the first terminal 11. The CCN network 12 may be an electronic device with processing capability, such as a computer or a server. The server may be a single server or a cluster of multiple servers; in some implementations the cluster may be a distributed cluster. The embodiments do not limit the technology, number or form of the CCN network 12.

The second terminal 13 (also called the content provider) provides the target content. For example, it may be a handheld device with wireless connectivity or a vehicle-mounted device, specifically a smartphone (mobile phone), a pocket personal computer (PPC), a palmtop computer, a personal digital assistant (PDA), a laptop, a tablet, a wearable device or a vehicle-mounted device. The embodiments do not limit the technology, number or form of the second terminal 13.

Fig. 3 is a schematic diagram of another data transmission system 20 provided in an embodiment. As shown in Fig. 3, the data transmission system 20 may include CCN routers, a network key management center, a first terminal (which may be called the client) and a second terminal (which may be called the content publisher).

A CCN router is a router of the CCN that forwards CCN packets. Each CCN router is deployed with a hardware-based trusted execution environment and a TEE module (a TEE confidential computing module) that performs TEE functions. The TEE module of a CCN router automatically generates a content signing key Kd and stores it inside the TEE module; Kd is not necessarily the same in every CCN router. For brevity, the local signing key of any CCN router is referred to below as Kd.

The network key management center generates, distributes and manages the CCN network key Kc. Kc is generated by the network key management center and distributed to the TEE modules of all CCN routers in the network for storage; it is used to encrypt network content. When the content encryption key needs to be updated, the network key management center generates a key update message carrying the new key Kc' and its own authentication information, and transmits it through the local TEE to the TEE modules of all CCN routers in the network, where it replaces the old key.

The client is the user application on the CCN; it sends interest packets, receives content response packets and displays the content to the user.

The content publisher is the author of content and publishes content files into the CCN.

Fig. 4 is a schematic diagram of a CCN router. As shown in Fig. 4, the CCN router includes a content encryption decision module, a TEE module, a CS (content store) module, a pending interest table (PIT) and a forwarding information base (FIB).

The content encryption decision module determines whether the target content is to be encrypted, for example on the basis of the trust value associated with the target content.

The CS module stores ordinary content in plaintext, and stores confidential content as encrypted data together with its data digest.

For the TEE module, the pending interest table and the forwarding table, refer to the description above; they are not repeated here.

Figs. 2 and 3 are only exemplary architecture diagrams. The names of the devices in them are not limited, and nodes other than those shown may be included; the embodiments impose no limitation on this.

In a specific implementation, each device in Figs. 2 and 3 may use the structure shown in Fig. 5 or include the components shown in Fig. 5. Fig. 5 is a schematic diagram of a data transmission apparatus 200 provided in an embodiment. The data transmission apparatus 200 may be a network device, or a chip or system-on-chip within a network device. As shown in Fig. 5, the data transmission apparatus 200 includes a processor 201, a communication interface 202 and a communication line 203.

The data transmission apparatus 200 may further include a memory 204. The processor 201, the memory 204 and the communication interface 202 may be connected through the communication line 203.

The processor 201 is a CPU, a general-purpose processor, a network processor (NP), a digital signal processor (DSP), a microprocessor, a microcontroller, a programmable logic device (PLD) or any combination of these. The processor 201 may also be another device with processing capability, such as a circuit, a component or a software module; no limitation is imposed.

The communication interface 202 communicates with other devices or other communication networks. It may be a module, a circuit, a communication interface or any device capable of communication.

The communication line 203 carries information between the components of the data transmission apparatus 200.

The memory 204 stores instructions, which may be a computer program.

The memory 204 may be a read-only memory (ROM) or another type of static storage device that can store static information and/or instructions; a random access memory (RAM) or another type of dynamic storage device that can store information and/or instructions; an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device; no limitation is imposed.

It should be noted that the memory 204 may exist independently of the processor 201 or be integrated with it. The memory 204 may store instructions, program code or data, and may be located inside or outside the data transmission apparatus 200; no limitation is imposed. The processor 201 executes the instructions stored in the memory 204 to implement the data transmission method provided in the embodiments below.

In one example, the processor 201 may include one or more CPUs, for example CPU0 and CPU1 in Fig. 5.

As an optional implementation, the data transmission apparatus 200 includes multiple processors; for example, in addition to the processor 201 in Fig. 5, it may include a processor 205.

It should be pointed out that the structure shown in Fig. 5 does not limit the devices in Figs. 2 and 3. Those devices may include more or fewer components than shown in Fig. 5, combine some of the components, or arrange them differently.

In the embodiments of the present application, the chip system may consist of a chip, or may include a chip together with other discrete components.

In addition, the actions, terms and the like in the various embodiments may be referred to across embodiments without limitation. The names of the messages exchanged between devices, and of the parameters within them, are only examples; other names may be used in a specific implementation without limitation.

For clarity, the embodiments use the words "first", "second" and so on to distinguish items that are the same or similar in function and effect. A person skilled in the art will understand that "first" and "second" neither limit the number or execution order nor require the items to be different.

It should be noted that in this application the words "exemplary" or "for example" denote an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred over or advantageous compared to other embodiments or designs; rather, these words present the relevant concepts in a concrete manner.

In this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of the following" or a similar expression means any combination of the listed items, including any combination of single or multiple items. For example, "at least one of a, b or c" may mean a, b, c, a-b, a-c, b-c or a-b-c, where a, b and c may each be single or multiple.

The data transmission method provided in the embodiments is described below with reference to the data transmission systems shown in Figs. 2 and 3.

Fig. 6 shows a data transmission method provided in an embodiment, applied to a content-centric network (CCN); the CCN is configured with multiple CCN routers, and each CCN router is configured with a trusted execution environment (TEE) module. As shown in Fig. 6, the method includes the following steps S301 to S303.

S301. Receive a request message from the first terminal.

The request message requests target content. The type of the target content may be set as required; for example, it may be text, audio or video.

The request message may include an interest packet, whose content may be set as required. For example, as shown in Fig. 7, the interest packet may include a content name, a selector, a nonce and a trust value.

As one possible implementation, the first terminal sends the request message to the CCN in response to a user's control instruction in the CCN client; correspondingly, the CCN receives the request message from the first terminal through the CCN client.

It should be noted that the trust value in the interest packet indicates the importance of the target content. For example, the trust value may take a first value (for example 1) or a second value (for example 0).

When the trust value in the interest packet is the first value, the target content is important content (which may also be called confidential content); when it is the second value, the target content is ordinary content.

In some embodiments, the request message may also include port information of the first terminal, so that the CCN can send the target content to the first terminal according to that port information.

S302. For each CCN router on the delivery path, encrypt the target content with that router's TEE module and cache the encrypted target content in that CCN router.

The delivery path is the path along which the CCN sends the target content to the first terminal. Referring to Fig. 2, when the CCN has not cached the target content, the content is held by the content publisher and the delivery path may include, for example, CCN router 1 and CCN router 3. When the CCN has cached the target content, for example in CCN router 2, the delivery path may include CCN router 1 and CCN router 2.

The target content is what the CCN retrieves from within the network according to the content identifier.

As one possible implementation, each CCN router on the delivery path encrypts all target content with its TEE module and caches the encrypted content in itself.

As another possible implementation, each CCN router on the delivery path determines the trust value associated with the target content and encrypts the target content with its TEE module only when that value is the target trust value.

For example, each CCN router on the delivery path passes the target content to the confidential computing module inside its own TEE module, which encrypts it with the key Kc to produce the encrypted target content Ck, computes a content digest Cd over Ck using the key Kd, and sends the content name, Ck, Cd, a timestamp and related fields to the router's CS for storage.

In some embodiments, when the target content is of low importance (for example, its configured trust value is 0), the CCN may cache the target content in the CS directly, without encryption.

S303. Send the target content to the first terminal through the CCN routers on the delivery path.

As one possible implementation, when the target content is not cached in the CCN, a CCN router in the CCN sends the target content to the first terminal according to the recorded port of the first terminal.

As another possible implementation, when the target content is cached in the CCN, a CCN router in the CCN verifies the integrity of the cached target content and, only if the integrity check passes, sends the target content to the first terminal according to the recorded port of the first terminal.

With the technical solution provided here, after the request message from the first terminal is received, the target content is encrypted with the TEE module, the encrypted target content is cached in the CCN routers on the delivery path, and the target content is sent to the first terminal through those routers. That is, by adding the TEE module, the present application constructs a new CCN architecture. Because the TEE module is a hardware-isolated secure area of the device whose contents can be accessed only through authorized interfaces, once the encrypted target content is cached in the CCN routers on the delivery path it is considerably harder for a third party to decrypt or tamper with it. This reduces the probability that the target content is decrypted or tampered with by a third party and improves the security of cached data in the CCN.

In one possible embodiment, as shown in Fig. 8, in order to obtain the target content the data transmission method of the present application may further include the following steps S401 to S403.

S401. Determine whether the forwarding information base (FIB) includes the content identifier.

The FIB includes multiple ports and, for each port, the preset content identifiers reachable through it.

As one possible implementation, the CCN sends the content identifier to the CCN routers it includes, so that each CCN router determines whether its own FIB contains the content identifier and returns the search result to the CCN.


S402. If the FIB includes the content identifier, determine from the FIB the target port corresponding to the content identifier.

The target port is the port corresponding to the second terminal that generates the target content.

As one possible implementation, when the FIB of the target CCN router includes the content identifier, the CCN determines the target port corresponding to the content identifier from that router's FIB.

In some embodiments, when the FIB does not include the content identifier, the CCN may have the CCN router send the request message to all of its ports, so that the terminal behind each port determines from the content identifier whether it holds the target content; the port behind which the target content exists is then determined to be the target port.

It can be understood that flooding the request message to all ports reduces the time needed to find the target content and improves search efficiency.

S403. Obtain the target content from the target port.

As one possible implementation, the target terminal behind the target port generates a response packet from the request message and sends it to the CCN through the target port. Correspondingly, the CCN obtains the response packet from the target port of the target CCN router and parses it to obtain the target content.

It should be noted that when the request message carries a trust value, the trust value in the response packet is the same as the one in the request message. For example, when the trust value in the request message is 1, the trust value in the response packet is also 1.

In one example, Fig. 9 shows the composition of a response packet. As shown in Fig. 9, the response packet may include a content name, a selector, a nonce, a trust value and the target content.

In some embodiments, the CCN determines whether the target content is cached in its cache data and, if it is, obtains the target content from the cache data on the basis of the content identifier.

In one possible embodiment, as shown in Fig. 10, in order to determine whether the FIB includes the content identifier, S401 may specifically include the following steps S501 and S502.

S501. Determine whether the target content is cached in the cache data of the CCN.

The cache data may specifically be the cache data in a CCN router, for example the data cached in its CS (content store).

As one possible implementation, a CCN router in the CCN looks up, by content identifier, whether the target content is cached in its local CS (content store).

S502. If the target content is not cached in the cache data of the CCN, determine whether the FIB includes the content identifier.

In one possible embodiment, as shown in Fig. 11, when the target content is cached in the cache data of the CCN and the TEE module stores the original digital signature corresponding to each piece of target content, S303 (sending the target content to the first terminal through the CCN routers on the delivery path) may include the following steps S601 to S603.

S601. Obtain the content digest of the target content.

The content digest is stored in advance in the cache data.

As one possible implementation, the CCN obtains the content digest of the target content from the cache data through the CCN router.

In some embodiments, when no content digest of the target content is stored in the cache data, the CCN computes one with a preset digest generation algorithm.

S602. Process the content digest with the content signing key in the TEE module to generate the digital signature of the target content at the current moment.

In one example, when the target content is encrypted content, the CCN passes the encrypted target content (Ck) and the content digest (Cd) to the TEE module (which may also be called the confidential computing function module), which generates the digital signature of the target content at the current moment.

It should be noted that the key corresponding to the encrypted content is stored in the TEE module of the CCN router; unauthorized applications and code, and even administrators, cannot steal or tamper with the keys in the TEE module of the CCN router.

S603. If the digital signature at the current moment is the same as the original digital signature, the CCN sends the target content to the first terminal through the CCN routers on the delivery path.

In some embodiments, if the digital signature at the current moment differs from the original digital signature, the CCN discards the target content and deletes it from the cache data.
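The TEE-side handling of confidential content from S302 (encrypt with Kc, digest Ck with Kd, store name, Ck, Cd and timestamp in the CS, plaintext caching when the trust value is 0) and the serve-time check of S601 to S603, as one added example. It is not the patent's code. Assumptions made here: HMAC-SHA256 is the keyed digest that plays the role of the "digital signature"; an HMAC-SHA256 keystream in counter mode stands in for the cipher inside the TEE, since the page names no algorithm; the trust value 1 means encrypt; and the router's TEE decrypts before delivery, which the page does not specify. The content names and payloads are constructed samples.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    name: str
    ck: bytes        # Ck: ciphertext (or plaintext when the trust value is 0)
    cd: bytes        # Cd: keyed digest over Ck, produced with Kd inside the TEE
    ts: float        # timestamp
    encrypted: bool


class TeeModule:
    """Stand-in for the router's TEE: Kc (network-wide) and Kd (per-router) never leave this object."""

    def __init__(self, kc: bytes):
        self._kc = kc                 # distributed by the network key management center
        self._kd = os.urandom(32)     # content signing key generated inside the TEE

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as the cipher stand-in (assumption; the page names no algorithm)
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self._kc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(plaintext))
        return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, ck: bytes) -> bytes:
        nonce, body = ck[:16], ck[16:]
        ks = self._keystream(nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))

    def digest(self, ck: bytes) -> bytes:
        """Cd = HMAC(Kd, Ck): the 'original digital signature' kept for the cached content."""
        return hmac.new(self._kd, ck, hashlib.sha256).digest()

    def verify(self, ck: bytes, cd: bytes) -> bool:
        """S602/S603: recompute the signature now and compare it, in constant time, with the stored one."""
        return hmac.compare_digest(self.digest(ck), cd)


class SecureContentStore:
    """CS of one on-path router with the trust-value gate described under S302."""

    def __init__(self, tee: TeeModule):
        self.tee = tee
        self.entries: dict[str, CacheEntry] = {}

    def cache(self, name: str, content: bytes, trust_value: int) -> CacheEntry:
        if trust_value == 1:                      # confidential: encrypt and sign inside the TEE
            ck = self.tee.encrypt(content)
            entry = CacheEntry(name, ck, self.tee.digest(ck), time.time(), True)
        else:                                     # ordinary: plaintext cache
            entry = CacheEntry(name, content, b"", time.time(), False)
        self.entries[name] = entry
        return entry

    def serve(self, name: str) -> bytes | None:
        """Return the content for delivery, or None on a miss or a failed integrity check."""
        entry = self.entries.get(name)
        if entry is None:
            return None
        if not entry.encrypted:
            return entry.ck
        if not self.tee.verify(entry.ck, entry.cd):
            del self.entries[name]                # S603 failure branch: discard and evict
            return None
        return self.tee.decrypt(entry.ck)         # assumption: decrypted inside the TEE before delivery


def demo() -> dict:
    """Cache one confidential and one ordinary item, serve both, then corrupt the ciphertext at rest."""
    store = SecureContentStore(TeeModule(kc=os.urandom(32)))
    store.cache("/acme/report", b"confidential report", trust_value=1)
    store.cache("/acme/press", b"press release", trust_value=0)
    result = {
        "report": store.serve("/acme/report"),
        "press": store.serve("/acme/press"),
        "at_rest": store.entries["/acme/report"].ck,
    }
    entry = store.entries["/acme/report"]
    corrupted = bytearray(entry.ck)
    corrupted[20] ^= 0x01                         # flip one ciphertext bit (past the 16-byte nonce)
    entry.ck = bytes(corrupted)
    result["after_tamper"] = store.serve("/acme/report")
    result["evicted"] = "/acme/report" not in store.entries
    return result
```

Two practical points follow from the structure. First, Cd is computed over Ck rather than over the plaintext, so the router can check integrity without decrypting anything and can evict a tampered entry before any plaintext is produced; a single flipped bit in the cached ciphertext is enough for the check to fail. Second, the page describes the key management center replacing Kc with Kc' inside every router's TEE but does not say what happens to entries already encrypted under the old Kc; in a deployment those entries would have to be re-encrypted under Kc' or evicted, otherwise they become unserveable after the update.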


The solutions in the above embodiments of this application can be combined with one another provided they do not contradict each other.

The embodiments of this application may divide the data transmission device into functional modules or functional units according to the method examples above. For example, each functional module or unit may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module or unit. The division of modules or units in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in an actual implementation.

When each functional module corresponds to one function, FIG. 12 shows a schematic structural diagram of a data transmission device 700, which may be the data transmission device itself or a chip applied in the data transmission device. The data transmission device 700 may be used to perform the functions of the data transmission device described in the above embodiments. The data transmission device 700 shown in FIG. 12 may include a receiving unit 701, a processing unit 702 and a sending unit 703. The receiving unit 701 is configured to receive a request message from the first terminal, the request message requesting the target content. The processing unit 702 is configured to, for each CCN router on the path, encrypt the target content by using the TEE module of that CCN router and cache the encrypted target content in the CCN routers on the path, the path being the path along which the CCN network sends the target content to the first terminal. The sending unit 703 is configured to send the target content to the first terminal by using the CCN routers on the path.

Optionally, the request message includes a content identifier of the target content, and the processing unit 702 is further configured to obtain the target content from the CCN network according to the content identifier.

Optionally, the processing unit 702 is specifically configured to: determine whether the forward forwarding table includes the content identifier, the forward forwarding table comprising multiple ports and the multiple preset content identifiers associated with each port; if the forward forwarding table includes the content identifier, determine from the forward forwarding table the target port corresponding to the content identifier; and obtain the target content from the target port.

Optionally, the processing unit 702 is further configured to: determine whether the target content is present in the cached data of the CCN network; and, if the target content is not present in the cached data of the CCN network, determine whether the forward forwarding table includes the content identifier.

Optionally, the processing unit 702 is further configured to: if the target content is present in the cached data of the CCN network, obtain the target content from the cached data of the CCN network based on the content identifier.

Optionally, the request message further includes a trusted identifier of the target content, the trusted identifier indicating the importance of the target content, and the processing unit 702 is specifically configured to encrypt the target content by using the TEE module of the CCN router when the trusted identifier is the target trusted identifier.

Optionally, when the target content is present in the cached data of the CCN network, the TEE module stores the original digital signature corresponding to each target content, and the sending unit 703 is specifically configured to: obtain the content digest of the target content; process the content digest with the content signing key in the TEE module to generate the digital signature of the target content for the current moment; and, if the digital signature at the current moment is the same as the original digital signature, send the target content to the first terminal by using the CCN routers on the path.
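As an added illustration, not code from the patent, the following Python models one CCN router with a TEE stand-in: the cache is checked before the forward forwarding table, only content carrying the target trusted identifier is encrypted and cached, and the signature comparison of S603 is applied on every cache hit, with discard-and-evict on a mismatch. The class names, the toy stream cipher, the use of an HMAC as the deterministic content signature, and returning decrypted content to the terminal are assumptions.

```python
import hashlib
import hmac
import secrets

TARGET_TRUSTED_ID = "critical"  # constructed stand-in for the "target trusted identifier"


class TEEModule:
    """Stand-in for the router's TEE: keys and original signatures never leave this object."""

    def __init__(self):
        self._content_key = secrets.token_bytes(32)  # key for encrypting cached content (Ck)
        self._signing_key = secrets.token_bytes(32)  # content signing key
        self._original_signatures = {}               # content_id -> original digital signature

    def _keystream(self, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            block = self._content_key + nonce + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:length]

    def encrypt(self, content_id, plaintext):
        # Toy stream cipher (SHA-256 keystream XOR) to keep the example short;
        # a real TEE would use an authenticated cipher such as AES-GCM.
        nonce = secrets.token_bytes(16)
        stream = self._keystream(nonce, len(plaintext))
        ciphertext = nonce + bytes(p ^ k for p, k in zip(plaintext, stream))
        # Record the original digital signature over the content digest (Cd) at caching time.
        self._original_signatures[content_id] = self.sign(self.digest(ciphertext))
        return ciphertext

    def decrypt(self, ciphertext):
        nonce, body = ciphertext[:16], ciphertext[16:]
        return bytes(c ^ k for c, k in zip(body, self._keystream(nonce, len(body))))

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).digest()  # content summary (Cd)

    def sign(self, content_digest):
        # A deterministic MAC lets the "current" signature be compared byte-for-byte with the
        # original, as the text describes; a randomized scheme (e.g. ECDSA) would need verify().
        return hmac.new(self._signing_key, content_digest, hashlib.sha256).digest()

    def verify_cached(self, content_id, ciphertext):
        current = self.sign(self.digest(ciphertext))
        original = self._original_signatures.get(content_id)
        return original is not None and hmac.compare_digest(current, original)


class CCNRouter:
    def __init__(self, fib, upstream):
        self.tee = TEEModule()
        self.fib = fib            # port -> set of preset content identifiers reachable via it
        self.upstream = upstream  # port -> callable returning plaintext content (constructed)
        self.cache = {}           # content_id -> encrypted target content

    def handle_request(self, content_id, trusted_id):
        """Returns (status, content); content is the plaintext sent to the terminal or None."""
        if content_id in self.cache:  # cache is consulted before the forward forwarding table
            ciphertext = self.cache[content_id]
            if not self.tee.verify_cached(content_id, ciphertext):
                del self.cache[content_id]  # signature mismatch: discard and evict
                return "discarded", None
            return "cache_hit", self.tee.decrypt(ciphertext)
        port = next((p for p, ids in self.fib.items() if content_id in ids), None)
        if port is None:
            return "no_route", None
        plaintext = self.upstream[port](content_id)
        if trusted_id == TARGET_TRUSTED_ID:  # only flagged content is encrypted and cached
            self.cache[content_id] = self.tee.encrypt(content_id, plaintext)
        return "fetched", plaintext
```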

The embodiments of this application further provide a computer-readable storage medium. All or part of the procedures in the above method embodiments may be performed by a computer program instructing the relevant hardware; the program may be stored in the computer-readable storage medium and, when executed, may carry out the procedures of the method embodiments above. The computer-readable storage medium may be an internal storage unit of the data transmission device (including the data sending end and/or the data receiving end) of any of the above embodiments, such as the hard disk or memory of the data transmission device. It may also be an external storage device of the terminal device, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card fitted to the terminal device. Further, the computer-readable storage medium may include both the internal storage unit and an external storage device of the data transmission device. The computer-readable storage medium is used to store the computer program and the other programs and data required by the data transmission device, and may also be used to temporarily store data that has been output or is to be output.

It should be noted that the terms "first" and "second" in the specification, claims and drawings of this application are used to distinguish different objects, not to describe a particular order. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or other steps or units inherent to such processes, methods, products or devices.

It should be understood that in this application, "at least one (item)" means one or more, "multiple" means two or more, "at least two (items)" means two, three or more, and "and/or" describes an association between objects and indicates that three relationships may exist. For example, "A and/or B" may mean: only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "At least one of the following (items)" or similar expressions refers to any combination of these items, including any combination of single or plural items. For example, at least one of a, b or c may mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or multiple.

From the description of the above implementations, a person skilled in the art can clearly understand that, for convenience and brevity of description, the division of the functional modules above is given only as an example. In practice, the above functions may be assigned to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above.

In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative; the division of modules or units is only a division by logical function, and other divisions are possible in an actual implementation, for example multiple units or components may be combined or integrated into another device, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and a component shown as a unit may be one physical unit or multiple physical units, that is, it may be located in one place or distributed across multiple locations. Some or all of the units may be selected according to actual needs to achieve the purpose of this embodiment.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may exist physically separately, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.

If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. On this understanding, the technical solution of the embodiments of this application, in essence or in the part that contributes to the prior art, or all or part of that solution, may be embodied as a software product stored in a storage medium and including instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to perform all or part of the steps of the methods of the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk or an optical disc.

The above are only specific implementations of this application; the scope of protection of this application is not limited to them, and any change or substitution within the technical scope disclosed in this application shall fall within its scope of protection. Therefore, the scope of protection of this application shall be determined by the scope of protection of the claims.

Claims (10)

1. A data transmission method, characterized by being applied to a content centric network CCN; the CCN network is configured with a plurality of CCN routers, and the plurality of CCN routers are configured with a Trusted Execution Environment (TEE) module; the method comprises the following steps:
receiving a request message from a first terminal; the request message is used for requesting target content;
encrypting the target content by using a TEE module of each CCN router included in the path, and caching the encrypted target content into the CCN router included in the path; the path is a path for the CCN to send the target content to the first terminal;
and transmitting the target content to the first terminal by using the CCN router included in the path.
2. The method of claim 1, wherein the request message includes a content identification of the target content; the method further comprises the steps of:
acquiring the target content in the CCN according to the content identification.
3. The method of claim 2, wherein the target content is obtained in the CCN network according to the content identification; comprising the following steps:
determining whether a forward forwarding table includes the content identification; the forward forwarding table comprises a plurality of ports and a plurality of preset content identifiers contained in each port;
determining a target port corresponding to the content identifier from the forward forwarding table under the condition that the forward forwarding table comprises the content identifier;
and acquiring the target content from the target port.
4. The method of claim 3, wherein the determining whether the forward forwarding table includes the content identification comprises:
determining whether the target content is cached in the cache data of the CCN;
and under the condition that the target content is not cached in the cache data of the CCN, determining whether the content identification exists in the forward forwarding table.
5. The method of claim 4, wherein the obtaining the target content in the CCN network based on the content identification comprises:
and under the condition that the target content is cached in the cache data of the CCN, acquiring the target content from the cache data of the CCN based on the content identification.
6. The method of claim 5, wherein the transmitting the target content to the first terminal using the CCN router included in the path comprises:
under the condition that the target content is cached in the cache data of the CCN, obtaining a content abstract of the target content; the TEE module stores an original digital signature corresponding to each target content;
processing the content abstract by using a content signing key in the TEE module to generate a digital signature of the current moment corresponding to the target content;
and under the condition that the digital signature at the current moment is the same as the original digital signature, the CCN router included in the path is utilized to send the target content to the first terminal.
7. The method according to any of claims 1-6, wherein the request message further comprises a trusted identification of the target content; the trusted identifier is used for indicating the importance degree of the target content; the encrypting the target content by using the TEE module of the CCN router includes:
under the condition that the trusted identifier is a target trusted identifier, encrypting the target content by using a TEE module of the CCN router.
8. A data transmission device, characterized by being applied to a content-centric network CCN; the CCN network is configured with a plurality of CCN routers, and the plurality of CCN routers are configured with a Trusted Execution Environment (TEE) module; the device comprises: the device comprises a receiving unit, a processing unit and a sending unit;
the receiving unit is used for receiving a request message from the first terminal; the request message is used for requesting target content;
the processing unit is configured to encrypt, for each CCN router included in the path, the target content by using a TEE module of the CCN router, and cache the encrypted target content into the CCN router included in the path; the path is a path for the CCN to send the target content to the first terminal;
the sending unit is configured to send the target content to the first terminal by using a CCN router included in the path.
9. A computer readable storage medium having instructions stored therein which, when executed, implement the method of any of claims 1-7.
10. An electronic device, comprising: a processor, a memory, and a communication interface; wherein the communication interface is used for the electronic equipment to communicate with other equipment or network; the memory is configured to store one or more programs, the one or more programs comprising computer-executable instructions that, when executed by the electronic device, cause the processor to execute the computer-executable instructions stored by the memory to cause the electronic device to perform the method of any of claims 1-7.
CN202410362440.5A 2024-03-27 2024-03-27 Data transmission method, device and readable storage medium Pending CN118174942A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410362440.5A CN118174942A (en) 2024-03-27 2024-03-27 Data transmission method, device and readable storage medium


Publications (1)

Publication Number Publication Date
CN118174942A true CN118174942A (en) 2024-06-11

Family

ID=91358464



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination