
CN119628916A - Data processing system, method, communication device and storage medium - Google Patents


Info

Publication number
CN119628916A
Authority
CN
China
Prior art keywords
data frame
encrypted data
verification code
serial number
data packet
Legal status
Pending
Application number
CN202411769917.8A
Other languages
Chinese (zh)
Inventor
温泽旭
钱小涛
吴健
徐龙
Current Assignee
3onedata Co ltd
Original Assignee
3onedata Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the field of communication technology and discloses a data processing system, method, communication device and storage medium. The system includes a sending device, a transmission network and a receiving device. A secure channel between the sending device and the receiving device is constructed in the transmission network based on a preset encryption protocol. The sending device generates a sequence number corresponding to a data packet according to the FRER protocol, first encrypts the sequence number with an encryption algorithm to obtain a first-level encrypted data frame, and then encrypts that frame with the preset encryption protocol to obtain a second-level encrypted data frame. The receiving device decrypts the received second-level encrypted data frame and verifies the integrity check value obtained by decryption; if the check succeeds, the second-level encrypted data frame is restored to obtain the first-level encrypted data frame, and the validity of the data packet is determined from the sequence number and the valid verification code in the first-level encrypted data frame. The present application applies double encryption to the data packet to ensure the validity of the data packet.

Description

Data processing system, method, communication device and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data processing system, a method, a communication device, and a storage medium.
Background
With the deep convergence of operational technology and information technology, time-sensitive networking (Time-Sensitive Networking, TSN) has emerged as an innovative technology. TSN meets the strict requirements of industrial networks for real-time performance and determinism, and allows different types of data flows, namely critical control data, ordinary IT traffic and time-sensitive data, to coexist under the same network architecture.
In TSN, the frame replication and elimination for reliability (FRER) mechanism defined in IEEE 802.1CB creates multiple copies of each critical packet, transmits the copies over different redundant paths, and eliminates the duplicates at the receiving end to improve communication reliability. The existing FRER mechanism has clear security vulnerabilities that can be exploited by malicious attackers, endangering the reliability and security of the time-sensitive network.
Disclosure of Invention
In view of this, embodiments of the present application provide a data processing system, a method, a communication device, and a storage medium, which can effectively solve the problem that security vulnerabilities in the existing FRER mechanism affect the security and reliability of the time-sensitive network.
In a first aspect, an embodiment of the present application provides a data processing system, including a sending device, a transmission network, and a receiving device;
A secure channel based on a preset encryption protocol between the sending equipment and the receiving equipment is constructed in the transmission network;
The sending equipment is used for carrying out encryption processing on the sequence numbers corresponding to the data packets generated according to FRER protocols by adopting an encryption algorithm to obtain primary encrypted data frames, and carrying out encryption processing on the primary encrypted data frames by adopting the preset encryption protocol to obtain secondary encrypted data frames;
The receiving equipment is used for decrypting the received secondary encrypted data frame and verifying the integrity verification value obtained by decryption; if the verification succeeds, the secondary encrypted data frame is recovered to obtain the primary encrypted data frame, and the validity of the data packet is determined according to the serial number and the valid verification code in the primary encrypted data frame.
In some embodiments, the encrypting the sequence number by using an encryption algorithm to obtain a first-level encrypted data frame includes:
encrypting the serial number by adopting an encryption algorithm to generate a complete verification code;
Intercepting the complete verification code to obtain the effective verification code;
and determining the primary encryption data frame according to the valid verification code and the data packet.
In some embodiments, the determining a primary encrypted data frame from the valid verification code and the data packet includes:
inserting the valid verification code into a tag field of the FRER protocol, the tag field further including the sequence number;
and determining the primary encryption data frame according to the tag field and the data packet.
In some embodiments, the encrypting the primary encrypted data frame using the preset encryption protocol to obtain a secondary encrypted data frame includes:
Processing the primary encrypted data frame by adopting the preset encryption protocol to generate a corresponding tag control field;
encrypting the primary encrypted data frame by adopting the encryption algorithm to obtain an integrity check value;
and packaging the integrity check value, the tag control field and the primary encrypted data frame together into the secondary encrypted data frame.
In some embodiments, the determining the validity of the data packet based on the sequence number and the valid verification code in the primary encrypted data frame comprises:
Extracting the serial number and the valid verification code in the primary encrypted data frame;
encrypting the serial number by adopting the encryption algorithm to obtain a real-time verification code;
and determining whether the serial number of the data packet is valid or not according to the real-time verification code and the valid verification code.
In some embodiments, the encrypting the serial number by using the encryption algorithm to obtain a real-time verification code includes:
encrypting the serial number by adopting an encryption algorithm to generate a new verification code;
Intercepting the new verification code to obtain the real-time verification code;
The intercepting mode of the new verification code is the same as the intercepting mode of the complete verification code.
In a second aspect, an embodiment of the present application provides a data processing method, applied to a transmitting device, where the method includes:
processing the data packet according to FRER protocol to generate a serial number corresponding to the data packet, and adopting an encryption algorithm to encrypt the serial number to obtain a primary encrypted data frame, wherein the serial number and an effective verification code in the primary encrypted data frame are used for verifying whether the serial number of the data packet is tampered or not;
And encrypting the primary encrypted data frame by adopting a preset encryption protocol to obtain a secondary encrypted data frame, wherein an integrity check value in the secondary encrypted data frame is used for verifying whether the secondary encrypted data frame is complete or not.
In a third aspect, an embodiment of the present application provides a data processing method, applied to a receiving device, including:
receiving a secondary encrypted data frame, verifying an integrity check value obtained by decrypting the secondary encrypted data frame, and if the verification is successful, recovering the secondary encrypted data frame to obtain a primary encrypted data frame;
and determining whether the serial number of the data packet is tampered or not according to the serial number and the valid verification code in the primary encrypted data frame.
In a fourth aspect, an embodiment of the present application provides a communication device, including a processor and a memory, where the memory stores a computer program, and the processor is configured to execute the computer program to implement the above-mentioned data processing method.
In a fifth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when executed on a processor, implements the data processing method described above.
The embodiment of the application has the following beneficial effects:
The data processing system of the application first constructs a secure channel between the sending equipment and the receiving equipment, which is used for data transmission between them. The sending equipment then performs double encryption on the data packet to be sent; after receiving the double-encrypted secondary data frame, the receiving equipment performs double verification, which establishes whether the serial number corresponding to the data packet has been tampered with, and from that determines the validity of the corresponding data packet. The application thereby ensures the reliability of data packet transmission in the network by means of double verification and double decryption.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates an application scenario diagram of a FRER mechanism-based time-sensitive network in an embodiment of the present application;
FIG. 2 illustrates a system architecture diagram of a data processing system in an embodiment of the application;
FIG. 3 shows a flow chart of a data processing method in an embodiment of the application;
FIG. 4 is a flow chart of obtaining a primary encrypted data frame in an embodiment of the application;
FIG. 5 shows a flow chart of obtaining a secondary encrypted data frame according to an embodiment of the application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments.
The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
The terms "comprises," "comprising," "including," or any other variation thereof, are intended to cover a specific feature, number, step, operation, element, component, or combination of the foregoing, which may be used in various embodiments of the present application, and are not intended to first exclude the presence of or increase the likelihood of one or more other features, numbers, steps, operations, elements, components, or combinations of the foregoing. Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of the application belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in connection with the various embodiments of the application.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The embodiments described below and features of the embodiments may be combined with each other without conflict.
As shown in FIG. 1, in a time-sensitive network (the transmission network) based on the FRER mechanism, FRER performs no validity check on sequence numbers: a later-arriving frame carrying an already-seen sequence number is treated as a duplicate and deleted. An attacker can therefore deceive the system by forging malicious packets with false sequence numbers, causing legitimate packets to be discarded by mistake. This vulnerability seriously threatens the basic function of FRER and can cause the loss of key data and a significant reduction in system performance. More seriously, an attacker may build more complex attacks on this vulnerability, such as manipulating network traffic through well-designed sequence numbers, or exhausting network resources by continually injecting dummy packets. Furthermore, since the FRER mechanism is widely used in time-sensitive networks, such vulnerabilities may cause chain reactions across the TSN ecosystem, affecting critical applications and services that rely on highly reliable communication. Resolving security vulnerabilities in the FRER mechanism therefore matters not only for the security of a single time-sensitive network, but also for the stability and reliability of entire industries and critical infrastructure. There is thus a need for stronger authentication and protection mechanisms against such attacks.
The data processing system is described below in connection with certain specific embodiments.
FIG. 2 illustrates a system architecture diagram of a data processing system in accordance with an embodiment of the present application. The data processing system illustratively comprises a transmitting device, a time sensitive network, and a receiving device, wherein data packets sent by the transmitting device are transmitted to the receiving device via the time sensitive network.
The security channel is established between the sending device and the receiving device by adopting a preset encryption protocol, and the security channel between the sending device and the receiving device is established at a data link layer by adopting the preset encryption protocol so as to ensure confidentiality and integrity between the sending device and the receiving device.
In this embodiment, the preset encryption protocol is the MACsec protocol. MACsec (Media Access Control Security) is mainly used for data encryption and also provides authentication and verification. It protects everything above layer 2 in Ethernet, so that even ARP data is encrypted and cannot be obtained by network sniffing. Compared with other encryption means such as TLS, MACsec can be implemented in hardware, giving lower latency and higher performance; and because MACsec encrypts at layer 2, it is imperceptible to upper-layer applications, meaning that the upper layers need no changes when encryption is deployed. This is a great advantage for systems that currently run without encryption and need to adopt it.
The process of establishing a secure channel at the data link layer may also be understood as a handshake between the transmitting device and the receiving device, comprising the following phases:
In the connection establishment phase, the sending device and the receiving device in the time-sensitive network establish a secure connection through the MKA protocol and exchange their respective Secure Channel Identifiers (SCI), which is the basis for establishing secure communication.
In the key negotiation phase, the transmitting device pre-configures a Secure Association Key (SAK) based on the MACsec protocol, encrypts the SAK using the Connectivity Association Key (CAK) pre-shared between the transmitting device and the receiving device, and securely distributes the encrypted SAK to the receiving device.
In the security parameter exchange phase, the transmitting device and the receiving device exchange Secure Association (SA) parameters, determine the encryption algorithm used to encrypt the sequence number, such as AES-GCM (Galois/Counter Mode), and other security attributes such as the EtherType, and negotiate a short-term session key.
In the verification and confirmation stage, the sending device and the receiving device verify the received security association parameters and confirm the validity of the key material, completing the MKA protocol handshake.
In the channel encryption stage, after the secure channel is established, the sending device and the receiving device establish an encrypted channel in the time-sensitive network using the negotiated SAK, encrypt the FRER serial numbers, then carry out data transmission, and maintain the security of the communication by periodically updating the SAK.
In this embodiment, the sending device is configured to generate a sequence number corresponding to a data packet according to the FRER protocol and to encrypt the sequence number with the AES-GCM algorithm to generate a complete verification code, for example with a length of 32 bits. A preset length (for example, the first 16 bits) of the complete verification code is intercepted to obtain an effective verification code, for example with a length of 16 bits, which may be the first 16 bits or the last 16 bits of the complete verification code. The effective verification code is inserted into the TAG field of the FRER protocol, which is in fact the R-TAG, and finally the primary encrypted data frame is determined from the TAG field and the data packet.
In this embodiment, the calculation method of the complete verification code is as follows:
Y=AES_GCM_Encrypt(SAK,SequenceNum)
Where Y represents the complete verification code, AES_GCM_Encrypt represents the encryption function of the AES-GCM algorithm, SAK represents the security association key, and SequenceNum represents the sequence number of the data packet.
In this embodiment, the R-TAG is laid out as follows:
Field:  Ethernet type | Valid verification code | Sequence number
Length: 2 bytes       | 2 bytes                 | 2 bytes
In this embodiment, the frame structure of the primary encrypted data frame includes a destination address DMAC, a source address SMAC, a type/length, the TAG field R-TAG of the FRER protocol, the packet Payload, and the frame check sequence FCS:
DMAC | SMAC | Type/length | R-TAG | Payload | FCS
After the effective verification code produced by AES-GCM encryption is inserted into the R-TAG, the R-TAG carries not only the original serial number but also the encrypted information used for verification, namely the effective verification code, so that man-in-the-middle attacks can be effectively prevented.
In order to further improve the safety reliability of the serial numbers, the primary encrypted data frames are encrypted based on a preset encryption protocol to obtain secondary encrypted data frames, and the secondary encrypted data frames are sent.
In this embodiment, the preset encryption protocol is the MACsec encryption mechanism. The MACsec protocol is used to encrypt the primary encrypted data frame and to generate the tag control field of the MACsec protocol, the SecTAG, which includes control information such as the Tag Control Information (TCI), the Association Number (AN) and the Packet Number (PN): the TCI indicates the version and length of the SecTAG; the AN identifies the security association in use; the Short Length (SL) field is present when the SecTAG is in short format; the PN carries a packet sequence number to prevent replay attacks; and the Secure Channel Identifier (SCI) is present when the SecTAG is in long format. Based on the security association key SAK, the AES-GCM algorithm is used to encrypt the primary encrypted data frame and obtain an integrity check value ICV, and the ICV and the SecTAG are packaged together with the primary encrypted data frame into the secondary encrypted data frame.
In this embodiment, the frame structure of the two-level encrypted data frame is as follows:
DMAC | SMAC | SecTAG | R-TAG | Payload | ICV | FCS
The negotiated security association key SAK is used with the AES-GCM algorithm to encrypt the primary encrypted data frame (comprising the data packet and part of the MAC header fields): the SecTAG takes the place of the type/length field as the MACsec type, an integrity check value ICV is generated at the same time and inserted into the frame to form the secondary encrypted data frame, and a new frame check sequence is calculated for the resulting MACsec frame. The R-TAG of the FRER protocol and the data packet are encrypted by the AES-GCM algorithm, and the calculated ICV covers the content of the whole secondary encrypted data frame, so that confidentiality, integrity protection and replay protection of the FRER serial number are achieved.
In this embodiment, the receiving device first recognizes the received secondary encrypted data frame as a MACsec frame through the Ethernet type field, then parses the frame, extracts the TCI, AN and PN, determines the security association to use from the security channel identifier SCI and the association number AN, and checks the packet number PN to prevent replay attacks. It then verifies the integrity check value obtained by parsing; if verification succeeds, the secondary encrypted data frame is recovered, that is, the tag control field SecTAG and the integrity check value ICV are removed from it, yielding the primary encrypted data frame. Finally, the serial number and the effective verification code are extracted from the R-TAG of the primary encrypted data frame, the extracted serial number is encrypted with AES-GCM using the same security association key SAK to generate a new verification code, and 16 bits are intercepted from the new verification code to obtain a real-time verification code, the interception mode being the same as that used for the complete verification code.
In this embodiment, the receiving device compares the real-time verification code with the valid verification code in the R-TAG. If the two are identical, the serial number of the data packet has not been tampered with, the corresponding data packet is valid, and the decrypted data packet is delivered to the FRER protocol for subsequent processing. If they differ, the serial number has been tampered with, the corresponding data packet is invalid, and the system discards the data packet and records a security event. This process ensures the integrity of the serial number and prevents man-in-the-middle attacks and tampering with the serial number. When consecutive ICV verification failures are detected, a security alarm mechanism is triggered and the network administrator is notified in time to take the necessary protective measures.
The FRER serial number verification method of the receiving equipment effectively improves the security of the FRER protocol by adding cryptographic protection end to end, while maintaining compatibility with existing TSN networks. The method provides a strong security enhancement for time-sensitive networks, is particularly suitable for fields such as industrial control, in-vehicle networks and avionics that require high reliability and security, and offers a balanced, efficient and scalable security enhancement scheme for TSN networks.
Fig. 3 shows a flow chart of a data processing method according to an embodiment of the application. The data processing method comprises the following steps:
S100, based on a preset encryption protocol, a secure channel between the sending device and the receiving device is constructed.
In this embodiment, the secure channel employs a preset encryption protocol, for example, MACsec. The use of MACsec protocols on the secure channel between the sending device and the receiving device ensures confidentiality and integrity of communications across the secure channel.
S200, processing the data packet according to the FRER protocol, generating a serial number corresponding to the data packet, and encrypting the serial number by adopting an encryption algorithm to obtain a primary encrypted data frame.
In this embodiment, as shown in fig. 4, the process of encrypting the sequence number by using an encryption algorithm to obtain a primary encrypted data frame includes:
S210, encrypting the serial number by adopting an encryption algorithm to generate a complete verification code.
In this embodiment, the sequence number is encrypted by using an AES-GCM algorithm to generate a complete verification code, for example, the complete verification code has a byte length of 32 bits.
S220, intercepting the complete verification code to obtain a valid verification code.
In this embodiment, a valid verification code is obtained by intercepting a preset length (for example, the first 16 bits) of the complete verification code, for example, the byte length of the valid verification code is 16 bits, which may be the first 16 bits or the last 16 bits of the complete verification code.
S230, determining the primary encrypted data frame according to the valid verification code and the data packet.
In this embodiment, the valid verification code is inserted into the TAG field (the R-TAG) of the FRER protocol, which also includes the sequence number, and the primary encrypted data frame is determined from the R-TAG and the data packet.
A MACsec-based sequence number verification mechanism is introduced on the basis of FRER protocol, and security enhancement is achieved without changing the existing frame structure by embedding a 16-bit verification code into the TAG field R-TAG of FRER.
S300, encrypting the primary encrypted data frame by adopting a preset encryption protocol to obtain a secondary encrypted data frame.
In this embodiment, as shown in FIG. 5, the process of encrypting the primary encrypted data frame by using the preset encryption protocol to obtain the secondary encrypted data frame includes:
S310, processing the primary encrypted data frame by adopting a preset encryption protocol to generate a corresponding tag control field.
In this embodiment, the MACsec protocol is used to encrypt the primary encrypted data frame and to generate the tag control field of the MACsec protocol, the SecTAG, which includes control information such as the Tag Control Information (TCI), the Association Number (AN) and the Packet Number (PN): the TCI indicates the version and length of the SecTAG; the AN identifies the security association in use; the Short Length (SL) field is present when the SecTAG is in short format; the PN carries a packet sequence number to prevent replay attacks; and the Secure Channel Identifier (SCI), which identifies the secure channel, is present when the SecTAG is in long format.
S320, the primary encrypted data frame is encrypted by adopting an encryption algorithm, and an integrity check value is obtained.
In this embodiment, based on the security association key SAK, the AES-GCM algorithm is used to encrypt the primary encrypted data frame to obtain the integrity check value ICV.
S330, packaging the integrity check value, the tag control field and the primary encrypted data frame together into a secondary encrypted data frame.
In this embodiment, the integrity check value ICV, the SecTAG and the primary encrypted data frame are encapsulated into a secondary encrypted data frame. Relative to the primary encrypted data frame, the frame structure of the secondary encrypted data frame replaces the type/length field with the MACsec type and adds the integrity check value ICV.
The label field R-TAG of FRER protocol and the data packet are encrypted by AES_GCM algorithm, and the calculated integrity check value ICV covers the content of the whole two-level encrypted data frame, so that confidentiality, integrity protection and replay prevention protection of the corresponding serial number based on FRER protocol are realized.
S400, decrypting the received secondary encrypted data frame, verifying the integrity check value obtained by decryption, and if the verification is successful, recovering the secondary encrypted data frame to obtain the primary encrypted data frame.
In this embodiment, the received secondary encrypted data frame is identified as a MACsec frame by its Ethernet type field; the secondary encrypted data frame is then parsed, the TCI, AN and PN information is extracted, the security association in use is determined from the secure channel identifier SCI and the association number AN, and the packet number PN is checked to prevent replay attacks. The integrity check value obtained by parsing is then verified; if verification succeeds, the tag control field SecTAG and the integrity check value ICV are removed from the secondary encrypted data frame, recovering the primary encrypted data frame.
S500, determining the validity of the data packet according to the serial number and the valid verification code in the primary encrypted data frame.
In this embodiment, the serial number and the valid verification code are extracted from the primary encrypted data frame, and the serial number is encrypted with the AES_GCM algorithm under the same security association key SAK to generate a new verification code. The new verification code is then truncated (taking its first 16 positions) to obtain the real-time verification code, the new verification code being truncated in the same way as the complete verification code. Finally, whether the serial number of the data packet is valid is determined from the real-time verification code and the valid verification code. If the real-time verification code matches the valid verification code, the serial number of the data packet has not been tampered with, the corresponding data packet is valid, and the decrypted data packet is delivered to the FRER protocol for subsequent processing; if the real-time verification code does not match the valid verification code, the serial number has been tampered with, the corresponding data packet is invalid, and the system discards the data packet and records a security event.
This double verification of FRER serial numbers effectively improves the security of the FRER protocol by adding end-to-end cryptographic protection, while maintaining compatibility with existing TSN networks. The method provides a powerful security enhancement for time-sensitive networks and is particularly suitable for industrial control, in-vehicle networks, avionics and other fields that require high reliability and safety.
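The two levels of steps S310 to S500 carried through end to end, as an added Go example that is not the patent's or 3onedata's code: the standard library's AES-GCM serves both the AES_GCM step (the GCM tag over the serial number is taken as the complete verification code and truncated) and the MACsec GCM-AES step (SecTAG as associated data, ICV appended, PN replay check). The SAK and SCI values, the 2-byte (16-bit) truncation, the serial-number-derived nonce for the first level and the TCI bit values are assumptions, since the page does not fix them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
)

// Constructed demo parameters, not from the patent; a real SAK is distributed by MACsec MKA.
var (
	sak      = []byte("0123456789abcdef0123456789abcdef")             // 32-byte SAK: AES-256-GCM
	sci      = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01} // SCI = source MAC || port
	vcLen    = 2                                                      // bytes of the full verification code kept (16 bits, assumption)
	block, _ = aes.NewCipher(sak)                                     // valid fixed key length: cannot fail
	aead, _  = cipher.NewGCM(block)                                   // cannot fail for an AES block
)

// rtag builds the FRER R-TAG: serial number || valid verification code, the latter being the AES-GCM
// tag over the serial number under the SAK, truncated to vcLen bytes (nonce derived from it: assumption).
func rtag(seq uint16) []byte {
	s := []byte{byte(seq >> 8), byte(seq)}
	return append(s, aead.Seal(nil, append(make([]byte, 10), s...), s, nil)[2:2+vcLen]...)
}

// checkPrimary (S500): recompute the R-TAG from the received serial number (real-time verification
// code) and compare it with the received R-TAG; a mismatch means the serial number was tampered with.
func checkPrimary(primary []byte) ([]byte, error) {
	if len(primary) < 2+vcLen {
		return nil, errors.New("primary frame too short")
	}
	if subtle.ConstantTimeCompare(primary[:2+vcLen], rtag(binary.BigEndian.Uint16(primary[:2]))) != 1 {
		return nil, errors.New("serial number tampered: discard packet and log security event")
	}
	return primary[2+vcLen:], nil // serial number intact: hand the packet to FRER
}

// buildSecondary (S310-S330): SecTAG (TCI/AN, SL, PN) as AAD, AES-GCM with nonce SCI||PN as in MACsec, ICV appended.
func buildSecondary(an byte, pn uint32, primary []byte) []byte {
	secTag := []byte{0x0C | an&0x03, 0, byte(pn >> 24), byte(pn >> 16), byte(pn >> 8), byte(pn)} // TCI: E=1 C=1 SC=0; SL=0
	nonce := append(append([]byte{}, sci...), secTag[2:]...)
	return append(secTag, aead.Seal(nil, nonce, primary, secTag)...)
}

// openSecondary (S400): parse SecTAG, reject a replayed PN, verify the ICV while decrypting, strip SecTAG and ICV.
func openSecondary(frame []byte, lastPN *uint32) ([]byte, error) {
	if len(frame) < 6+aead.Overhead() {
		return nil, errors.New("frame too short for SecTAG and ICV")
	}
	secTag, pn := frame[:6], binary.BigEndian.Uint32(frame[2:6])
	if pn <= *lastPN {
		return nil, errors.New("replayed packet number")
	}
	primary, err := aead.Open(nil, append(append([]byte{}, sci...), secTag[2:]...), frame[6:], secTag)
	if err == nil {
		*lastPN = pn // advance the replay window only after the ICV verified
	}
	return primary, err
}
```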
The present application also provides a communication device, which exemplarily comprises a processor and a memory, wherein the memory stores a computer program, and the processor causes the communication device to execute the above-mentioned data processing method or the function of the transmitting device or the receiving device in the above-mentioned data processing system by running the computer program.
The processor may be an integrated circuit chip with signal processing capabilities. The processor may be a general purpose processor including at least one of a central processing unit (Central Processing Unit, CPU), a graphics processor (Graphics Processing Unit, GPU) and a network processor (Network Processor, NP), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application.
The memory may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), etc. The memory stores a computer program, and the processor executes the computer program after receiving an execution instruction.
The present application also provides a computer-readable storage medium storing the computer program used in the above communication device. For example, the computer-readable storage medium may include, but is not limited to, a USB flash drive (U disk), a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flow diagrams and block diagrams in the figures, which illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules or units in various embodiments of the application may be integrated together to form a single part, or the modules may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a smart phone, a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application.

Claims (10)

1. A data processing system, characterized in that it comprises a sending device, a transmission network and a receiving device; a secure channel based on a preset encryption protocol is constructed between the sending device and the receiving device in the transmission network; the sending device is used to generate a serial number corresponding to a data packet according to the FRER protocol and to encrypt the serial number using an encryption algorithm to obtain a primary encrypted data frame, and to encrypt the primary encrypted data frame using the preset encryption protocol to obtain a secondary encrypted data frame, the secondary encrypted data frame being transmitted via the secure channel; the receiving device is used to decrypt the received secondary encrypted data frame and verify the integrity check value obtained by decryption, and, if the verification is successful, to restore the secondary encrypted data frame to obtain the primary encrypted data frame, and to determine the validity of the data packet according to the serial number and the valid verification code in the primary encrypted data frame.

2. The data processing system according to claim 1, characterized in that encrypting the serial number using an encryption algorithm to obtain a primary encrypted data frame comprises: encrypting the serial number using the encryption algorithm to generate a complete verification code; truncating the complete verification code to obtain the valid verification code; and determining the primary encrypted data frame according to the valid verification code and the data packet.

3. The data processing system according to claim 2, characterized in that determining the primary encrypted data frame according to the valid verification code and the data packet comprises: inserting the valid verification code into the tag field of the FRER protocol, the tag field further including the serial number; and determining the primary encrypted data frame according to the tag field and the data packet.

4. The data processing system according to claim 1, characterized in that encrypting the primary encrypted data frame using the preset encryption protocol to obtain a secondary encrypted data frame comprises: processing the primary encrypted data frame using the preset encryption protocol to generate a corresponding tag control field; encrypting the primary encrypted data using the encryption algorithm to obtain an integrity check value; and encapsulating the integrity check value, the tag control field and the primary encrypted data frame together into the secondary encrypted data frame.

5. The data processing system according to claim 2, characterized in that determining the validity of the data packet according to the serial number and the valid verification code in the primary encrypted data frame comprises: extracting the serial number and the valid verification code from the primary encrypted data frame; encrypting the serial number using the encryption algorithm to obtain a real-time verification code; and determining whether the serial number of the data packet is valid according to the real-time verification code and the valid verification code.

6. The data processing system according to claim 5, characterized in that encrypting the serial number using the encryption algorithm to obtain a real-time verification code comprises: encrypting the serial number using the encryption algorithm to generate a new verification code; and truncating the new verification code to obtain the real-time verification code; wherein the new verification code is truncated in the same way as the complete verification code.

7. A data processing method, characterized in that it is applied to a sending device and comprises: processing a data packet according to the FRER protocol to generate a serial number corresponding to the data packet, and encrypting the serial number using an encryption algorithm to obtain a primary encrypted data frame, wherein the serial number and the valid verification code in the primary encrypted data frame are used to verify whether the serial number of the data packet has been tampered with; and encrypting the primary encrypted data frame using a preset encryption protocol to obtain a secondary encrypted data frame, wherein the integrity check value in the secondary encrypted data frame is used to verify whether the secondary encrypted data frame is complete.

8. A data processing method, characterized in that it is applied to a receiving device and comprises: receiving a secondary encrypted data frame and verifying the integrity check value obtained by decrypting the secondary encrypted data frame, and, if the verification is successful, restoring the secondary encrypted data frame to obtain a primary encrypted data frame; and determining whether the serial number of the data packet has been tampered with according to the serial number and the valid verification code in the primary encrypted data frame.

9. A communication device, characterized in that the communication device comprises a processor and a memory, the memory stores a computer program, and the processor is used to execute the computer program to implement the data processing method according to claim 7 or 8.

10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed on a processor, implements the data processing method according to claim 7 or 8.
CN202411769917.8A 2024-12-04 2024-12-04 Data processing system, method, communication device and storage medium Pending CN119628916A (en)

Publications (1)

Publication Number Publication Date
CN119628916A true CN119628916A (en) 2025-03-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination