
CN119052000A - Method for realizing high-speed data safety transmission based on counter mode - Google Patents

Info

Publication number
CN119052000A
Authority
CN
China
Prior art keywords
data
session
master key
key
security module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411545697.0A
Other languages
Chinese (zh)
Other versions
CN119052000B (en)
Inventor
石理智
胡超
李京泽
周炳佳
黄名超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Cryptographic Engineering Research Center Co ltd
Original Assignee
Hunan Cryptographic Engineering Research Center Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan Cryptographic Engineering Research Center Co ltd
Priority to CN202411545697.0A
Publication of CN119052000A
Application granted
Publication of CN119052000B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for realizing high-speed data security transmission based on a counter mode. A security module establishes a two-way authentication connection with a security gateway. The security module initiates a master key request to the security gateway and at the same time sends an IP address to the security gateway, and the security gateway distributes a master key to the security module. The security module and the security gateway each calculate random numbers based on the master key and store them in an uplink session key queue and a downlink session key queue. When a terminal accesses a server, the security module extracts a session key from the uplink session key queue to encrypt and protect the uplink data. The security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, decrypts the uplink data, and forwards the decrypted plaintext data to the server. The method can ensure the reliability and security of high-speed data transmission, improve throughput and reduce data delay, and is simple to deploy.

Description

Method for realizing high-speed data safety transmission based on counter mode
Technical Field
The invention relates to the technical field of network security, in particular to a method for realizing high-speed data security transmission based on a counter mode.
Background
With the spread of information system construction, large-scale data leakage events occur frequently, and cryptographic technology, as the core and foundation of network security, has become a focus of attention for all parties. At present, the Internet of Things terminal equipment in the industry's key information infrastructure has essentially no protection measures, in particular no data privacy protection. In a complex network environment where network attacks occur frequently, guaranteeing the reliability and security of high-speed data transmission without changing the original network topology, while improving throughput, reducing data delay, and remaining easy to deploy and use, is a problem the industry urgently needs to solve.
The prior art generally deploys a VPN on both sides. In this scheme the cloud server and the terminal equipment are hidden and protected, the VPNs on the two sides establish a tunnel, and data is protected in transit through the VPN tunnel. However, when a large number of devices are connected, the VPN server becomes a bottleneck, and stacking devices increases the customer's cost. In addition, the transmission path of the data is modified many times, which reduces network transmission efficiency and increases data delay, so that reverse control instructions may not reach the terminal device in time, causing unexpected results.
Disclosure of Invention
The invention provides a method for realizing high-speed data safety transmission based on a counter mode, which ensures the reliability and safety of the high-speed data transmission, improves the throughput, reduces the data delay and is simple to deploy.
The invention provides a method for realizing high-speed data security transmission based on a counter mode, which comprises the following steps:
a security module and a security gateway establish a two-way authentication connection, wherein the security module is deployed on the terminal side and the security gateway is deployed on the server side;
the security module initiates a master key request to the security gateway and simultaneously sends the IP address to the security gateway;
after receiving the master key request, the security gateway distributes the master key to the security module;
the security module receives the master key distributed by the security gateway;
the security module and the security gateway each calculate random numbers based on the master key in counter mode and store them in an uplink session key queue and a downlink session key queue;
when a terminal accesses a server, the security module extracts a session key from the uplink session key queue and encrypts the uplink data for privacy protection;
the security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, decrypts the uplink data, and forwards the decrypted plaintext data to the server.
Further, after receiving the master key request, the security gateway distributes the master key to the security module, including:
After receiving a master key request initiated by the security module, the security gateway queries a master key mapping table according to the IP address of the security module. If the network address matches the master key mapping table, the corresponding master key is distributed to the security module; if the network address does not match the master key mapping table, a 16-byte random number is obtained as the master key and distributed to the security module.
Further, after the security module receives the master key distributed by the security gateway, the method further includes:
the security module encrypts the master key by adopting a fixed character string to obtain ciphertext data, and sends the ciphertext data to the security gateway;
After receiving the ciphertext data sent by the security module, the security gateway decrypts the ciphertext data with the master key allocated to that security module and compares the decrypted data with the fixed character string. If the decrypted data is consistent with the fixed character string data, the distributed master key is valid, and the security gateway updates the master key mapping table and at the same time notifies the security module to update the protected network table. If the decrypted data is inconsistent with the fixed character string data, the distributed master key is invalid, and a data packet is sent to request the security module to reapply for the master key.
Further, the security module and the security gateway each calculating random numbers based on the master key in counter mode and storing them in an uplink session key queue and a downlink session key queue includes:
After verifying that the master key is valid, the security module and the security gateway each calculate random numbers from the master key in counter mode and store them in the uplink session key queue and the downlink session key queue respectively, monitor the uplink session key queue and the downlink session key queue so that the queues always remain full, and memory-map the user-space uplink session key queue and downlink session key queue into kernel space.
Further, when the terminal accesses the server, the security module extracts the session key from the uplink session key queue, and encrypts and protects the privacy of the uplink data, including:
The security module registers a HOOK function on NF_IP_PRE_ROUTING, intercepts uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, no data needs to be encrypted, and the packet is submitted directly to the protocol stack for protocol processing;
If the payload data length is greater than 0, data needs to be encrypted. A five-tuple is obtained, comprising the source address, destination address, source port, destination port and protocol; a HASH value is calculated from the five-tuple and the session table is searched by the HASH value. If the session table is matched, the data is subjected to segmented exclusive-OR encryption using the corresponding session key in the session table, and the IP checksum is recalculated and updated;
If the session table is not matched, the protected network table is searched according to the source address. If the protected network table is not matched, the packet is submitted to the protocol stack for protocol processing. If the protected network table is matched, the corresponding master key is obtained from the protected network table, the session key and the value of the 16-byte counter are extracted from the corresponding uplink session key queue according to the master key, the data is subjected to segmented exclusive-OR encryption with the session key, the value of the 16-byte counter is appended to the end of the encrypted data segment, the payload length is recalculated and updated, the IP message length is recalculated and updated, and the IP checksum is recalculated and updated. The encrypted data is submitted to the protocol stack for protocol processing, the HASH value of the five-tuple and the session key are stored in the session table, and the session timeout time is set.
Further, the security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, and decrypts the uplink data, including:
The security gateway registers a HOOK function on NF_IP_PRE_ROUTING, intercepts uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, no data needs to be decrypted, and the packet is submitted directly to the protocol stack for protocol processing;
If the payload data length is greater than 0, data needs to be decrypted. A five-tuple is obtained, a HASH value is calculated from the five-tuple, and the session table is searched by the HASH value;
If the session table is not matched, the master key mapping table is searched according to the source address. If the master key mapping table is not matched, the packet is submitted to the protocol stack for protocol processing. If the master key mapping table is matched, the corresponding master key is obtained from the master key mapping table, the last 16 bytes of the payload data segment are taken as the value of the counter, the session key corresponding to the counter value is extracted from the corresponding uplink session key queue according to the master key, the data is subjected to segmented exclusive-OR decryption with the session key, the trailing 16-byte counter value is removed and the payload is updated, the payload length is recalculated and updated, the IP message length is recalculated and updated, and the IP checksum is recalculated and updated. The decrypted data is submitted to the protocol stack for protocol processing, the HASH value of the five-tuple and the session key are stored in the session table, and the session timeout time is set.
Further, the method further comprises:
If the session times out, the session is deleted from the session table, and retransmitted data acquires a new session key, with which the data is exclusive-OR encrypted and decrypted.
The method for realizing high-speed data security transmission based on a counter mode has the following advantages. It performs pre-calculation based on the counter mode, which improves data encryption and decryption efficiency. By adopting a session-key mode, a session timeout in the session table destroys the session key and a new session extracts a new session key, thereby resisting replay attacks and improving the security strength of the key.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a network deployment diagram of a method for implementing high-speed data security transmission based on a counter mode provided by the invention;
fig. 2 is a flowchart of a method for implementing high-speed data security transmission based on counter mode according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to specific embodiments of the present invention and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention. The following describes in detail the technical solutions provided by the embodiments of the present invention with reference to the accompanying drawings.
Referring to fig. 1 and 2, an embodiment of the present invention provides a method for implementing high-speed data security transmission based on a counter mode, including:
S101, a two-way authentication connection is established between a security module and a security gateway, wherein the security module is deployed on the terminal side and the security gateway is deployed on the server side.
Fig. 1 is a network deployment diagram of the method for implementing high-speed data security transmission based on a counter mode. The method can be attached to an existing network in a transparent mode without changing the original network topology, with a security module deployed on the terminal side and a security gateway deployed on the server side. The two-way authentication connection between the security module and the security gateway ensures the authenticity of both communicating parties' identities, effectively prevents man-in-the-middle attacks and data tampering, and ensures confidentiality and integrity during data transmission. The transparent access of this scheme makes it easy to deploy and maintain. The method requires no large-scale adjustment of the existing network architecture, which reduces implementation cost and risk and reduces the complexity of subsequent operation and maintenance.
S102, the security module initiates a master key request to the security gateway and simultaneously sends the IP address to the security gateway.
S103, after receiving the master key request, the security gateway distributes the master key to the security module.
After receiving a master key request initiated by the security module, the security gateway queries a master key mapping table according to the IP address of the security module. If the network address matches the master key mapping table, the corresponding master key is distributed to the security module; if the network address does not match the master key mapping table, a 16-byte random number is obtained as the master key and distributed to the security module.
S104, the security module receives the master key distributed by the security gateway.
The security module encrypts the master key using a fixed character string to obtain ciphertext data and sends the ciphertext data to the security gateway. After receiving the ciphertext data, the security gateway decrypts it with the master key allocated to that security module and compares the decrypted data with the fixed character string. If the decrypted data is consistent with the fixed character string data, the distributed master key is valid, and the security gateway updates the master key mapping table and at the same time notifies the security module to update the protected network table. If the decrypted data is inconsistent with the fixed character string data, the distributed master key is invalid, and a data packet is sent to require the security module to apply for the master key again.
S105, the security module and the security gateway respectively calculate random numbers by adopting a counter mode based on the master key and store the random numbers in an uplink session key queue and a downlink session key queue.
After verifying that the master key is valid, the security module and the security gateway each calculate random numbers from the master key in counter mode and store them in the uplink session key queue and the downlink session key queue respectively, monitor the uplink session key queue and the downlink session key queue so that the queues always remain full, and at the same time map the user-space uplink session key queue and downlink session key queue into kernel space. When the master key is updated, the random numbers are calculated again from the master key in counter mode and stored in the uplink session key queue and the downlink session key queue respectively.
S106, when the terminal accesses the server, the security module extracts a session key from the uplink session key queue and encrypts the uplink data for privacy protection.
Specifically, the security module registers a HOOK function on NF_IP_PRE_ROUTING, intercepts uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, no data needs to be encrypted, and the packet is submitted directly to the protocol stack for protocol processing;
If the payload data length is greater than 0, data needs to be encrypted. A five-tuple is obtained, comprising the source address, destination address, source port, destination port and protocol; a HASH value is calculated from the five-tuple and the session table is searched by the HASH value. If the session table is matched, the data is subjected to segmented exclusive-OR encryption using the corresponding session key in the session table and the IP checksum is recalculated and updated; if the data is TCP data, the TCP checksum must also be recalculated and updated. The encrypted data is submitted to the protocol stack for protocol processing, and the session timeout time in the session table is updated;
If the session table is not matched, the protected network table is searched according to the source address. If the protected network table is not matched, the packet is submitted to the protocol stack for protocol processing. If the protected network table is matched, the corresponding master key is obtained from the protected network table, the session key and the value of the 16-byte counter are extracted from the corresponding uplink session key queue according to the master key, the data is subjected to segmented exclusive-OR encryption with the session key, the value of the 16-byte counter is appended to the end of the encrypted data segment, the payload length is recalculated and updated, the IP message length is recalculated and updated, and the IP checksum is recalculated and updated; if the data is TCP data, the TCP checksum must also be recalculated and updated. The encrypted data is submitted to the protocol stack for protocol processing, the HASH value of the five-tuple and the session key are stored in the session table, and the session timeout time is set.
S107, the security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, decrypts the uplink data, and forwards the decrypted plaintext data to the server.
Specifically, the security gateway registers a HOOK function on NF_IP_PRE_ROUTING, intercepts uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, no data needs to be decrypted, and the packet is submitted directly to the protocol stack for protocol processing;
If the payload data length is greater than 0, data needs to be decrypted. A five-tuple is obtained, a HASH value is calculated from the five-tuple, and the session table is searched by the HASH value. If the session table is matched, the data is subjected to segmented exclusive-OR decryption using the corresponding session key in the session table and the IP checksum is recalculated and updated; if the data is TCP data, the TCP checksum must also be recalculated and updated. The decrypted data is submitted to the protocol stack for protocol processing, and the session timeout time in the session table is updated;
If the session table is not matched, the master key mapping table is searched according to the source address. If the master key mapping table is not matched, the packet is submitted to the protocol stack for protocol processing. If the master key mapping table is matched, the corresponding master key is obtained from the master key mapping table, the last 16 bytes of the payload data segment are taken as the value of the counter, the session key corresponding to the counter value is extracted from the corresponding uplink session key queue according to the master key, the data is subjected to segmented exclusive-OR decryption with the session key, the trailing 16-byte counter value is removed and the payload is updated, the payload length is recalculated and updated, and the IP message length is recalculated and updated; if the data is TCP data, the TCP checksum must also be recalculated and updated. The decrypted data is submitted to the protocol stack for protocol processing, the HASH value of the five-tuple and the session key are stored in the session table, and the session timeout time is set.
The reverse data flow is the same as S106 and S107. If the session times out, the session is deleted from the session table, and retransmitted data acquires a new session key, with which the data is exclusive-OR encrypted and decrypted. The session-key mode resists replay attacks and improves the security strength of the key.
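The uplink path of S105 to S107 can be traced end to end in a short model; this is an added example, not code from the patent. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the counter-mode primitive, which the patent does not name; packets are IPv4/UDP without IP options and with the UDP checksum left at zero; both sides already hold the same master key; and every name (`KeyQueue`, `Endpoint`, `sample_packet` and the rest) is hypothetical.

```python
import hashlib, hmac, struct

BLOCK = 16    # the page uses a 16-byte master key and a 16-byte counter
IP_UDP = 28   # assumption: IPv4 header without options (20) + UDP header (8)

def derive_session_key(master_key, counter):
    # Assumption: truncated HMAC-SHA256 replaces the unnamed counter-mode primitive.
    ctr = counter.to_bytes(BLOCK, "big")
    return hmac.new(master_key, ctr, hashlib.sha256).digest()[:BLOCK]

class KeyQueue:
    # Pre-computed counter -> session key entries, refilled so the queue stays full.
    def __init__(self, master_key, depth=8):
        self.master_key, self.depth, self.next_counter = master_key, depth, 0
        self.entries = {}   # dict keeps insertion order: oldest counter first
        self.refill()

    def refill(self):
        while len(self.entries) < self.depth:
            ctr = self.next_counter.to_bytes(BLOCK, "big")
            self.entries[ctr] = derive_session_key(self.master_key, self.next_counter)
            self.next_counter += 1

    def take(self, ctr):
        # Gateway side: fetch the key for a received counter, None if unknown.
        key = self.entries.pop(ctr, None)
        self.refill()
        return key

    def pop_next(self):
        # Module side: take the oldest pre-computed (counter, key) pair.
        ctr = next(iter(self.entries))
        return ctr, self.take(ctr)

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_payload(packet, payload):
    # Swap the payload, then refresh UDP length, IP total length and IP checksum.
    head = bytearray(packet[:IP_UDP])
    struct.pack_into("!H", head, 24, 8 + len(payload))       # UDP length
    struct.pack_into("!H", head, 26, 0)                      # UDP checksum unused
    struct.pack_into("!H", head, 2, IP_UDP + len(payload))   # IP total length
    struct.pack_into("!H", head, 10, 0)                      # zero before summing
    struct.pack_into("!H", head, 10, ipv4_checksum(bytes(head[:20])))
    return bytes(head) + payload

def five_tuple_hash(packet):
    # source address, destination address, source port, destination port, protocol
    return hashlib.sha256(packet[12:24] + packet[9:10]).digest()[:8]

def xor_segments(data, key):
    # XOR the data against the session key one 16-byte segment at a time.
    return bytes(b ^ key[i % BLOCK] for i, b in enumerate(data))

class Endpoint:
    # One side of the link; security module and gateway hold the same master key.
    def __init__(self, master_key):
        self.uplink = KeyQueue(master_key)
        self.sessions = {}   # five-tuple hash -> session key

    def encrypt_uplink(self, packet):
        payload, flow = packet[IP_UDP:], five_tuple_hash(packet)
        if not payload:
            return packet                     # nothing to encrypt
        key = self.sessions.get(flow)
        if key is not None:                   # session table hit: no trailer
            return set_payload(packet, xor_segments(payload, key))
        ctr, key = self.uplink.pop_next()     # first packet of the session
        self.sessions[flow] = key
        return set_payload(packet, xor_segments(payload, key) + ctr)

    def decrypt_uplink(self, packet):
        payload, flow = packet[IP_UDP:], five_tuple_hash(packet)
        if not payload:
            return packet                     # nothing to decrypt
        key = self.sessions.get(flow)
        if key is not None:
            return set_payload(packet, xor_segments(payload, key))
        # First packet: the trailing 16 bytes select the queued session key.
        key = self.uplink.take(payload[-BLOCK:]) if len(payload) > BLOCK else None
        if key is None:
            return None                       # unknown counter: no key to use
        self.sessions[flow] = key
        return set_payload(packet, xor_segments(payload[:-BLOCK], key))

def sample_packet(payload):
    # Constructed UDP datagram 10.0.0.5:40000 -> 192.168.1.10:5683.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return set_payload(ip + struct.pack("!HHHH", 40000, 5683, 0, 0), payload)
```

Only the first packet of a session grows by 16 bytes; later packets on the same five-tuple are XORed in place with the key cached in the session table.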
According to the embodiment, the invention can achieve plug and play through transparent-mode access without changing the existing network topology. The invention establishes a session table, which enables fast data forwarding and improves data forwarding efficiency. The invention performs pre-calculation based on the counter mode, which improves data encryption and decryption efficiency and reduces real-time data delay. The invention adopts a session-key mode to resist replay attacks and improve the security strength of the key.
The embodiments of the present invention described above do not limit the scope of the present invention.

Claims (7)

1. A method for implementing high-speed data secure transmission based on counter mode, characterized by comprising:
The security module establishes a two-way authentication connection with the security gateway, wherein the security module is deployed on the terminal side and the security gateway is deployed on the server side;
The security module initiates a master key request to the security gateway and sends the IP address to the security gateway;
After receiving the master key request, the security gateway distributes the master key to the security module;
The security module receives the master key distributed by the security gateway;
The security module and the security gateway respectively calculate random numbers based on the master key in counter mode and store them in the uplink session key queue and the downlink session key queue;
When the terminal accesses the server, the security module extracts the session key from the uplink session key queue and encrypts the uplink data for privacy protection;
The security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, decrypts the uplink data, and forwards the decrypted plaintext data to the server.

2. The method for implementing high-speed data secure transmission based on counter mode as claimed in claim 1, characterized in that after receiving the master key request, the security gateway distributes the master key to the security module, including:
After the security gateway receives the master key request initiated by the security module, it queries the master key mapping table based on the IP address of the security module; if the network address matches the master key mapping table, the corresponding master key is distributed to the security module; if the network address does not match the master key mapping table, a 16-byte random number is obtained as the master key and distributed to the security module.

3. The method for implementing high-speed data secure transmission based on counter mode according to claim 2, characterized in that after the security module receives the master key distributed by the security gateway, the method further comprises:
The security module encrypts the master key with a fixed character string to obtain ciphertext data, and sends the ciphertext data to the security gateway;
After receiving the ciphertext data sent by the security module, the security gateway uses the master key assigned to this security module to decrypt the ciphertext data; compares the decrypted data with the fixed string; if the decrypted data is consistent with the fixed string data, the distributed master key is valid, and the security gateway updates the master key mapping table; at the same time, notifies the security module to update the protected network table; if the decrypted data is inconsistent with the fixed string data, the distributed master key is invalid, and a data packet is sent to request the security module to reapply for the master key.

4. The method for implementing high-speed data secure transmission based on counter mode according to claim 3, characterized in that the security module and the security gateway respectively calculate random numbers based on the master key in counter mode and store them in an uplink session key queue and a downlink session key queue, comprising:
After verifying that the master key is valid, the security module and the security gateway calculate random numbers based on the master key using a counter and store them in the uplink session key queue and the downlink session key queue respectively. They also monitor the uplink session key queue and the downlink session key queue to keep them full at all times, and map the uplink session key queue and the downlink session key queue memory of the user space to the kernel space.

5. The method for implementing high-speed data secure transmission based on counter mode according to claim 4, characterized in that when the terminal accesses the server, the security module extracts the session key from the uplink session key queue and encrypts the uplink data for privacy protection, comprising:
The security module registers the HOOK function on NF_IP_PRE_ROUTING, intercepts the uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, it means that there is no data to be encrypted and it is directly submitted to the protocol stack for protocol processing;
If the payload data length is greater than 0, it means that data needs to be encrypted, and a five-tuple is obtained, which includes the source address, destination address, source port, destination port, and protocol; the HASH value is calculated based on the five-tuple, and the session table is retrieved through the HASH value; if the session table is matched, the corresponding session key in this session table is used to perform segmented XOR encryption on the data, and the IP checksum is recalculated and updated; the encrypted data is submitted to the protocol stack for protocol processing, and the timeout time of this session in the session table is updated;
If it does not match the session table, the protected network table is retrieved based on the source address; if it does not match the protected network table, it is submitted to the protocol stack for protocol processing; if it matches the protected network table, the corresponding master key is obtained from the protected network table, and the session key and the value of the 16-byte counter are extracted from the corresponding uplink session key queue based on the master key. The data is segmented XOR encrypted based on the session key, the value of the 16-byte counter is appended to the end of the encrypted data segment, the payload length is recalculated and updated, the IP message length is recalculated and updated, and the IP checksum is recalculated and updated; the encrypted data is submitted to the protocol stack for protocol processing, the HASH value of the five-tuple and the session key are stored in the session table, and the timeout of this session is set.

6. The method for implementing high-speed data secure transmission based on counter mode according to claim 5, characterized in that the security gateway retrieves the corresponding master key according to the IP address, extracts the session key from the corresponding uplink session key queue according to the master key, and decrypts the uplink data, comprising:
The security gateway registers the HOOK function on NF_IP_PRE_ROUTING, intercepts the uplink data, and calculates whether the payload data length is greater than 0;
If the payload data length is equal to 0, it means that there is no data to be decrypted and it is directly submitted to the protocol stack for protocol processing;
If the payload data length is greater than 0, it means that there is data that needs to be decrypted. The five-tuple is obtained, the HASH value is calculated based on the five-tuple, and the session table is retrieved through the HASH value. If the session table is matched, the corresponding session key in this session table is used to perform segmented XOR decryption on the data, recalculate and update the IP checksum, submit the decrypted data to the protocol stack for protocol processing, and update the session timeout time in the session table.
If it does not match the session table, the master key mapping table is retrieved based on the source address. If it does not match the master key mapping table, it is submitted to the protocol stack for protocol processing. If it matches, the corresponding master key is obtained from the master key mapping table, and the last 16 bytes of the payload data segment are taken as the value of the counter. The session key corresponding to the counter value is extracted from the corresponding uplink session key queue based on the master key. The data is segmented and XOR-decrypted based on the session key, the value of the last 16 bytes of the counter is removed, and the payload is updated. The payload length is recalculated and updated, the IP message length is recalculated and updated, the IP checksum is recalculated and updated, and the decrypted data is submitted to the protocol stack for protocol processing. The HASH value of the five-tuple and the session key are stored in the session table, and the timeout of this session is set.

7. The method for implementing high-speed data secure transmission based on counter mode according to claim 6, characterized in that the method further comprises:
The method for implementing high-speed data secure transmission based on counter mode according to claim 6, characterized in that the method further comprises: 如果会话超时,从会话表中删除此会话,再次传输的数据获取新一轮的会话密钥对数据进行异或加密解密。If the session times out, the session is deleted from the session table, and the data transmitted again obtains a new round of session keys to perform XOR encryption and decryption on the data.
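The sender path of claim 5 and the gateway path of claim 6 can be modelled in user space; the following is an added example, not code from the patent. It assumes UDP over IPv4 without options, SHA-256 as the five-tuple hash, a 16-byte session key derived as HMAC-SHA256(master key, counter) in place of the session key queue, and a zeroed UDP checksum; `Node`, `hook`, `rebuild` and `SAMPLE_HDR` are names invented here, and the session timeout of claim 7 is left out.

```python
import hashlib, hmac, struct
SEG = 16  # assumed session-key / XOR segment size in bytes
# Constructed sample header: UDP 10.0.0.5:4000 -> 10.0.1.9:5000, lengths/checksums unset
SAMPLE_HDR = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 0, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9]), 4000, 5000, 0, 0)

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))          # 20-byte header, no options
    s = (s & 0xFFFF) + (s >> 16)
    return ~(s + (s >> 16)) & 0xFFFF

def session_key(master: bytes, ctr: bytes) -> bytes:
    # Stand-in for the key queue (assumption): HMAC-SHA256(master, counter)[:16]
    return hmac.new(master, ctr, hashlib.sha256).digest()[:SEG]

def xor_segments(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % SEG] for i, b in enumerate(data))

def rebuild(pkt: bytes, payload: bytes) -> bytes:
    hdr = bytearray(pkt[:28])                    # IPv4 (no options) + UDP header
    struct.pack_into("!H", hdr, 2, 28 + len(payload))   # IP total length
    struct.pack_into("!H", hdr, 24, 8 + len(payload))   # UDP length
    hdr[10:12] = hdr[26:28] = b"\0\0"            # clear IP csum; zero UDP csum (model choice)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr[:20])))
    return bytes(hdr) + payload

class Node:  # security module (encrypt=True) or security gateway (encrypt=False)
    def __init__(self, masters: dict, encrypt: bool):
        self.masters, self.encrypt = masters, encrypt   # source IP -> master key
        self.sessions, self.counter = {}, 0             # 5-tuple hash -> session key

    def hook(self, pkt: bytes) -> bytes:
        payload = pkt[28:]
        if not payload:
            return pkt                                  # no data: pass to the stack
        h = hashlib.sha256(pkt[9:10] + pkt[12:24]).digest()[:8]
        if h in self.sessions:                          # session-table hit
            return rebuild(pkt, xor_segments(payload, self.sessions[h]))
        master = self.masters.get(pkt[12:16])
        if master is None or (not self.encrypt and len(payload) <= 16):
            return pkt                                  # unprotected source / no trailer
        if self.encrypt:                                # first packet at the sender
            self.counter += 1
            ctr, data = self.counter.to_bytes(16, "big"), payload
        else:                                           # first packet at the gateway
            ctr, data = payload[-16:], payload[:-16]
        key = self.sessions[h] = session_key(master, ctr)
        body = xor_segments(data, key) + (ctr if self.encrypt else b"")
        return rebuild(pkt, body)
```

In this model a flow's session key is XORed into every 16-byte segment of every packet until the session entry is deleted, so the session timeout of claim 7 is what bounds how long one key stays in use.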
CN202411545697.0A 2024-11-01 2024-11-01 Method for realizing high-speed data safety transmission based on counter mode Active CN119052000B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411545697.0A CN119052000B (en) 2024-11-01 2024-11-01 Method for realizing high-speed data safety transmission based on counter mode

Publications (2)

Publication Number Publication Date
CN119052000A (en) 2024-11-29
CN119052000B (en) 2024-12-27

Family

ID=93574726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411545697.0A Active CN119052000B (en) 2024-11-01 2024-11-01 Method for realizing high-speed data safety transmission based on counter mode

Country Status (1)

Country Link
CN (1) CN119052000B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060053471A1 (en) * 2004-09-09 2006-03-09 Texas Instruments Incorporated System and method for transporting an ancillary data packet in the active area of a video stream
US20070297410A1 (en) * 2006-06-23 2007-12-27 Seung Yong Yoon Real-time stateful packet inspection method and apparatus
CN101572700A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Method for defending HTTP Flood distributed denial-of-service attack
CN108540287A (en) * 2018-07-16 2018-09-14 铂讯(北京)科技有限公司 Internet of Things safety management encryption method
CN115567205A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Method and system for implementing encryption and decryption of network session data streams by using quantum key distribution
CN115567208A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Fine-grained transparent encryption and decryption method and system for network session data stream
CN116055091A (en) * 2022-11-15 2023-05-02 中电信量子科技有限公司 Method and equipment for realizing IPSec VPN by adopting software definition and quantum key distribution
CN116055033A (en) * 2022-10-27 2023-05-02 北京数字认证股份有限公司 Method for generating session key, communication network system, storage medium and electronic device
CN117201200A (en) * 2023-11-07 2023-12-08 湖南密码工程研究中心有限公司 Data safety transmission method based on protocol stack

Also Published As

Publication number Publication date
CN119052000B (en) 2024-12-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant