
CN119155106B - Link layer communication encryption method and system - Google Patents

Info

Publication number
CN119155106B
Authority
CN
China
Prior art keywords
side link
service
encryption gateway
terminal
link encryption
Prior art date
Legal status
Active
Application number
CN202411612082.5A
Other languages
Chinese (zh)
Other versions
CN119155106A (en)
Inventor
程瑞
陈飞
杨籍
何霄
Current Assignee
Beijing Xinlian Digital Security Technology Co ltd
Xinlian Technology Nanjing Co ltd
Original Assignee
Beijing Xinlian Digital Security Technology Co ltd
Xinlian Technology Nanjing Co ltd
Priority date
Filing date
Publication date
Events
Application filed by Beijing Xinlian Digital Security Technology Co ltd and Xinlian Technology Nanjing Co ltd
Priority to CN202411612082.5A
Publication of CN119155106A
Application granted
Publication of CN119155106B
Legal status: Active
Anticipated expiration

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/162: Implementing security features at a particular protocol layer at the data link layer
    • H04L 63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L 9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a link layer communication encryption method and system. Between a service terminal and a service system, a terminal side link encryption gateway and a service side link encryption gateway are deployed. On top of device authentication, identity authentication and session key negotiation are designed and applied as one integrated step, so that while security authentication is performed, the session key to be used between the terminal side link encryption gateway and the service side link encryption gateway is obtained. This yields a lightweight security authentication mechanism that generates a dynamic session key for every service terminal that connects, strengthening the security of data communication and transmission. The scheme encrypts the service terminal's communication data at the link layer, so that intranet network information stays hidden and the intranet service systems and devices are shielded from attack. The gateway itself is configured with no real IP or MAC address, so a malicious user cannot carry out a targeted attack on it.

Description

Link layer communication encryption method and system
Technical Field
The invention relates to a link layer communication encryption method and system, and belongs to the technical field of data encryption.
Background
A network communication encryption method is a mechanism for encrypting data during network transmission; it mainly encrypts and decrypts data between two communicating nodes so that the data is protected in transit. The TCP/IP network model describes the layered structure of data transmission in a network: as data travels from sender to receiver it undergoes encapsulation and decapsulation at several layers. Accordingly, several communication encryption methods have been proposed for the TCP/IP model, the mainstream ones being the SSL protocol and the IPSec protocol; operating at the application layer, transport layer and network layer, they provide communication encryption and security protection between a terminal and a service system and between subnets, and have been widely applied across industries. However, as service scenarios extend and security requirements rise, a breakthrough beyond the traditional communication encryption mechanisms on the market is needed: a communication encryption method based on the link layer, which encrypts upper-layer protocols transparently, supports multiple network environments, is compatible with existing network equipment and topology, and further raises the level of protection of service data during network transmission.
The existing network communication encryption construction process involves three types of entity: a terminal, a security gateway and a service system. The channel construction process is shown in figure 2.
Taking SSLVPN as an example, the communication encryption process is as follows: ① the terminal's SSLVPN module performs identity authentication, cipher suite and session key negotiation with the SSLVPN gateway; after authentication succeeds, the SSLVPN gateway issues a virtual address and service system route configuration; ② the terminal's SSLVPN module adds a virtual network card to the terminal and sets the virtual address as the next-hop gateway for routes whose destination IP is the service system, so that the SSLVPN module can read data from the virtual network card for encryption; ③ when data is sent, the service APP hands the data, whose destination IP is the service system, to the operating system, which routes it to the virtual network card; ④ the SSLVPN module polls the virtual network card to obtain the service plaintext, encrypts the original network layer data, adds a new IP header whose destination IP is the SSLVPN gateway address, and hands the result back to the operating system, which routes it to the physical network card; ⑤ the SSLVPN gateway decrypts the received data to obtain the original IP data and sends it to the designated service system according to the original destination IP address.
The existing communication encryption technologies and methods improve the security of terminal-to-service communication to a certain degree, but have the following defects:
(1) Only network layer data can be protected, that is, the IP header remains visible during service communication, so the network information of the intranet service system cannot be completely hidden and there is a risk of attack after sniffing;
(2) IPSecVPN requires devices in the subnet to modify their routing gateway configuration again to realize data forwarding, which places higher demands on the user's ability to configure the network.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a link layer communication encryption method that, through link layer encryption, ensures that intranet network information is hidden and the intranet service system and devices are protected from attack.
The invention designs a link layer communication encryption method, which is based on a data link created by a service terminal through a terminal side link encryption gateway, a service side link encryption gateway and a service system in turn, and performs the following steps for a data frame uploaded to the terminal side link encryption gateway by the service terminal:
Step A, a terminal side link encryption gateway receives a data frame from a service terminal, performs equipment authentication on the service terminal corresponding to the data frame, contacts the service side link encryption gateway, performs identity authentication of the service terminal corresponding to the data frame, and enters the step B in a state that the equipment authentication and the identity authentication pass currently;
Step B, the terminal side link encryption gateway calls the session key corresponding to the latest successful identity authentication, encrypts and encapsulates the data frame and sends it to the service side link encryption gateway; the service side link encryption gateway calls the session key corresponding to the latest successful identity authentication to analyze and decrypt the data frame and forwards it to the corresponding service system for the query; the service system returns a feedback result data frame to the service side link encryption gateway, and step C is entered;
Step C, the service side link encryption gateway calls the session key corresponding to the latest successful identity authentication, encrypts and encapsulates the received feedback result data frame and sends it to the terminal side link encryption gateway; the terminal side link encryption gateway calls the session key corresponding to the latest successful identity authentication to analyze and decrypt it, and forwards the data frame to the service terminal.
In step A, the terminal side link encryption gateway performs device authentication by judging, against the preset legal MACs, whether the source MAC of the received data frame is legal. If so, device authentication currently passes and the gateway contacts the service side link encryption gateway to perform identity authentication of the service terminal corresponding to the data frame; otherwise, device authentication does not currently pass and the data frame is discarded.
In step A, once device authentication has passed, the terminal side link encryption gateway checks whether the service terminal corresponding to the data frame has previously completed identity authentication successfully. If it has, the gateway further checks whether the current time is within a preset authentication validity period counted from that terminal's last successful identity authentication: if so, identity authentication currently passes and step B is entered; if not, identity authentication does not currently pass, the gateway contacts the service side link encryption gateway to perform identity authentication of the service terminal, and on success (identity authentication now passes) step B is entered, while on failure the data frame is discarded. If the service terminal has not previously been authenticated successfully, the gateway likewise judges that identity authentication does not currently pass, contacts the service side link encryption gateway to perform identity authentication of the service terminal, enters step B on success, and discards the data frame on failure.
In the step A, the terminal side link encryption gateway contacts the service side link encryption gateway according to the following steps, and performs the identity authentication of the service terminal corresponding to the data frame;
step A1. Terminal side link encryption gateway is based on And its preparation methodCorresponding root keyIn combination with the current timestampService terminals in data framesECB key derivation function using standard national secret SM1The following formula is adopted:
obtaining basic session key of terminal side link encryption gateway corresponding to service terminal Then enter step A2;
Step A2, the terminal side link encryption gateway generates a preset byte random number And combined with basic session keysKey derivation functions of standard national secret SM1 are respectively appliedHMAC function of SM3 standard national densityThe following formula is adopted:
Obtaining authentication materials corresponding to a terminal side link encryption gateway Session key material authentication codeThen enter step A3;
Step A3. Terminal side link encryption gateway is based on Basic session keyRandom numberService terminals in data framesECB key derivation function using standard national secret SM1The following formula is adopted:
Obtaining session keys for a terminal-side link encryption gateway Then enter step A4;
Step A4. Terminal side Link encryption gateway with the same Authentication material corresponding to terminal side chain encryption gatewaySession key material authentication codeAnd service terminals in data framesConstructing identity authentication request data and adding service terminalsFor source IP, service terminalsUpdating a message header to construct an identity authentication request message for the source MAC and the service side link encryption gateway which provide virtual IP addresses as destination IP and the MAC of the service system, transmitting the identity authentication request message to the service side link encryption gateway along a data link between the terminal side link encryption gateway and the service side link encryption gateway, and then entering the step A5;
Step A5, the service side link encryption gateway receives the identity authentication request message and analyzes the identity authentication request message to obtain the terminal side link encryption gateway Service terminalIn combination with the current time stampECB key derivation function using standard national secret SM1The following formula is adopted:
obtaining basic session key of service side link encryption gateway corresponding to service terminal Wherein, the method comprises the steps of, wherein,Indicating that the service side link encryption gateway knows the terminal side link encryption gatewayCorresponding root key and applying base session keyFor authentication materialDecrypting to obtain random numberTerminal side link encryption gateway time stampTerminal side link encryption gatewayService terminalService terminalJudging the current time stampWhether or not to be located on the selfIf the preset authentication process is valid, the step A6 is entered; otherwise, the identity authentication is unsuccessful, and the data frame is discarded;
step A6. Service side Link encryption gateway targets basic Session Key Random numberCurrent timestampTerminal side link encryption gatewayService terminalService terminalHMAC function using standard national density SM3The following formula is adopted:
obtaining a session key material authentication code corresponding to a service side link encryption gateway And judgeAnd (3) withIf the key is consistent, the service side chain encryption gateway applies the ECB key derivation function of the standard national encryption SM1The following formula is adopted:
Obtaining session key of service side link encryption gateway Step A7 is then entered, otherwise, the identity authentication fails;
Step A7. Service side chain encryption gateway application session key Encrypting the identity authentication success message and the identity authentication success time to construct identity authentication success data, and adding the MAC of the service system and the service terminal by taking the virtual IP of the service side gateway as the source IP and the MAC of the service system as the source MACFor purpose IP, service terminalsUpdating a message header for the source MAC, constructing an identity authentication success message, transmitting a data link between the service side link encryption gateway and the terminal side link encryption gateway to the terminal side link encryption gateway, and then entering the step A8;
step A8. Terminal side Link encryption gateway application Session Key Decrypting the identity authentication success message to obtain an identity authentication success message and the identity authentication success time, namely the identity authentication success.
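The following is an added example, not code from the patent or its assignees, that walks both gateways through steps A1 to A8 together with the device authentication and validity-period check of step A. It assumes stand-ins where the page names national-standard algorithms the Python standard library lacks: HMAC-SHA256 plays the role of the SM1 ECB key derivation function, of the SM3 HMAC, and (in counter mode) of the cipher that protects the authentication material and the success message. It also assumes that the timestamp is carried in clear in the identity authentication request so the service side gateway can rebuild the base session key, and the class names, the `TGW-0001` gateway identifier, the root key, the terminal MAC and the validity periods are all constructed values.

```python
import hashlib
import hmac
import os
import struct

# Assumption: SM1-ECB KDF, SM1 encryption and SM3 HMAC are replaced by HMAC-SHA256,
# used as a key-derivation function, as a MAC, and as a counter-mode keystream.
def kdf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).digest()

def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream; the same call decrypts.
    Safe only while every (key, iv) pair is used once, which holds here because
    each key is derived from a fresh timestamp or random number."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

AUTH_VALIDITY = 300   # preset authentication validity period, seconds (constructed)
PROCESS_WINDOW = 30   # preset validity window of one authentication run, seconds (constructed)
NONCE_LEN, TS_LEN, GW_ID_LEN = 16, 8, 8   # sizes of random number, timestamp, gateway id (constructed)


class TerminalSideGateway:
    def __init__(self, gw_id: bytes, root_key: bytes, legal_macs):
        self.gw_id, self.root_key = gw_id, root_key
        self.legal_macs = set(legal_macs)   # device authentication library
        self.last_success = {}              # terminal MAC -> time of last successful identity auth
        self.session_keys = {}              # terminal MAC -> negotiated session key

    def device_auth(self, src_mac: bytes) -> bool:
        """Step A: the frame's source MAC must be a preset legal MAC."""
        return src_mac in self.legal_macs

    def identity_auth_valid(self, terminal: bytes, now: float) -> bool:
        """Step A: a previous success still inside the validity period needs no new run."""
        t = self.last_success.get(terminal)
        return t is not None and 0 <= now - t <= AUTH_VALIDITY

    def build_request(self, terminal: bytes, now: float) -> dict:
        """Steps A1-A4: base session key, random number, authentication material,
        session key material authentication code and session key."""
        ts = struct.pack(">Q", int(now))
        base = kdf(self.root_key, ts, terminal)                                   # A1
        nonce = os.urandom(NONCE_LEN)                                             # A2
        material = stream_xor(base, b"auth-material", nonce + ts + self.gw_id + terminal)
        code = kdf(base, nonce, ts, self.gw_id, terminal)                         # A2, HMAC role
        self.session_keys[terminal] = kdf(base, nonce, terminal)                  # A3
        # Assumption: the timestamp travels in clear so the peer can rebuild the base key.
        return {"gw": self.gw_id, "terminal": terminal, "ts": ts,
                "material": material, "code": code}

    def finish(self, terminal: bytes, reply, now: float) -> bool:
        """Step A8: decrypt the success message and record the success time."""
        if reply is None:
            return False
        plain = stream_xor(self.session_keys[terminal], b"auth-reply", reply)
        if plain[:7] != b"AUTH-OK":
            return False
        self.last_success[terminal] = now
        return True


class ServiceSideGateway:
    def __init__(self, root_keys: dict):
        self.root_keys = dict(root_keys)   # terminal-side gateway id -> its root key
        self.session_keys = {}

    def handle_request(self, req: dict, now: float):
        """Steps A5-A7: returns the encrypted success message, or None on failure."""
        root = self.root_keys.get(req["gw"])
        if root is None:
            return None
        base = kdf(root, req["ts"], req["terminal"])                              # A5
        plain = stream_xor(base, b"auth-material", req["material"])
        nonce, rest = plain[:NONCE_LEN], plain[NONCE_LEN:]
        ts, gw, terminal = rest[:TS_LEN], rest[TS_LEN:TS_LEN + GW_ID_LEN], rest[TS_LEN + GW_ID_LEN:]
        if (ts, gw, terminal) != (req["ts"], req["gw"], req["terminal"]):
            return None   # material does not decrypt to the claimed identities
        if abs(now - struct.unpack(">Q", ts)[0]) > PROCESS_WINDOW:
            return None   # timestamp outside the authentication-process window
        if not hmac.compare_digest(kdf(base, nonce, ts, gw, terminal), req["code"]):
            return None   # A6: session key material authentication code mismatch
        session_key = kdf(base, nonce, terminal)                                  # A6
        self.session_keys[terminal] = session_key
        success = b"AUTH-OK" + struct.pack(">Q", int(now))                        # A7
        return stream_xor(session_key, b"auth-reply", success)


def run_exchange(now: float = 1_700_000_000.0, skew: float = 0.0, tamper: bool = False):
    """Drive one run of steps A1-A8 with constructed identities and keys.
    Returns (authentication succeeded, both sides hold the same session key)."""
    gw_id, root = b"TGW-0001", b"constructed root key of terminal-side gateway 0001"
    terminal = bytes.fromhex("0a1b2c3d4e5f")   # constructed service-terminal MAC
    tgw = TerminalSideGateway(gw_id, root, {terminal})
    sgw = ServiceSideGateway({gw_id: root})
    if not tgw.device_auth(terminal):
        return False, False
    req = tgw.build_request(terminal, now)
    if tamper:   # flip one bit of the authentication code in transit
        req["code"] = req["code"][:-1] + bytes([req["code"][-1] ^ 1])
    ok = tgw.finish(terminal, sgw.handle_request(req, now + skew), now)
    return ok, ok and tgw.session_keys[terminal] == sgw.session_keys.get(terminal)
```

`run_exchange()` returns `(True, True)` on the happy path; a service side clock more than `PROCESS_WINDOW` seconds away from the request timestamp, or a modified authentication code, makes `handle_request` return `None` and no session key is installed on the service side, which is the discard behaviour of steps A5 and A6.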
In step B, the service side link encryption gateway analyzes the encrypted message from the terminal side link encryption gateway and performs device authentication against the preset legal MACs to judge whether the source MAC is legal. If the source MAC is legal, it further judges whether identity authentication of the corresponding service terminal is currently successful; if so, it calls the session key of the latest successful identity authentication to decrypt, otherwise the encrypted message is discarded. If the source MAC is illegal, the encrypted message is discarded.
In the step B, the terminal side link encryption gateway firstly calls the session key corresponding to the last successful identity authentication state, encrypts the IP header, the target network transmission protocol header and the application data in the data frame to form encrypted application data, and then adds the service terminal based on the Ethernet headerFor source IP, service terminalsThe virtual IP address provided by the source MAC and the service side link encryption gateway is the target IP, and the MAC of the service system is the target MAC, so that a message header is formed; finally generating a check code related to the message header and the encrypted application data, packaging the message header, the encrypted application data and the check code to form an encrypted message, and sending the encrypted message to a business side link encryption gateway; the service side link encryption gateway analyzes the received encrypted message to obtain encrypted application data, then calls a session key corresponding to the last successful identity authentication state to decrypt the encrypted application data to obtain a data frame, and encapsulates and forwards a corresponding service system to inquire;
in the step C, the service side link encryption gateway invokes the session key corresponding to the successful state of the latest identity authentication, encrypts the received feedback result data frame to form encrypted feedback data, and then adds the virtual IP of the service side gateway as the source IP, the MAC of the service system as the source MAC and the service terminal based on the Ethernet header For purpose IP, service terminalsAnd finally generating a check code related to the message header and the encrypted feedback data, packaging the message header, the encrypted feedback data and the check code to form an encrypted feedback message, sending the encrypted feedback message to a terminal side link encryption gateway, analyzing the received encrypted feedback message by the terminal side link encryption gateway to obtain the encrypted feedback data, then calling a session key corresponding to the last successful identity authentication state to decrypt the encrypted feedback data to obtain a feedback result data frame, and packaging a forwarding service terminal.
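The following is an added example, not code from the patent or its assignees, of the step B message construction and of the receiving gateway's checks: the sender encrypts the original IP header, transport header and application data, prepends the rewritten header, and appends a check code; the receiver performs device authentication on the source MAC, checks that the terminal is in an authenticated state, verifies the check code and only then decrypts. It assumes a compact fixed-size header standing in for the Ethernet and IP headers of FIG. 3, HMAC-SHA256 as the check code (the page says only "check code"; a keyed MAC is chosen here so that tampering with the header or ciphertext is detected rather than a plain CRC), and the same HMAC counter-mode keystream stand-in for SM1 encryption. The sequence number, and the replay rejection built on it, go beyond what the page describes; they also guarantee that the keystream is never reused under one session key. Step C mirrors this with the roles swapped. All MACs, IPs, keys and payloads are constructed.

```python
import hashlib
import hmac
import struct

def stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream XOR (stand-in for SM1); decrypts with the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Assumption: simplified header standing in for the Ethernet + IP headers of FIG. 3.
HDR = struct.Struct(">6s6s4s4sQ")   # dst MAC, src MAC, src IP, dst IP, sequence number
CHECK_LEN = 16                       # truncated HMAC-SHA256 used as the check code


def encapsulate(session_key: bytes, src_mac: bytes, src_ip: bytes,
                dst_mac: bytes, dst_ip: bytes, seq: int, inner_frame: bytes) -> bytes:
    """Step B sender: header + encrypted (IP header, transport header, app data) + check code."""
    header = HDR.pack(dst_mac, src_mac, src_ip, dst_ip, seq)
    body = stream_xor(session_key, struct.pack(">Q", seq), inner_frame)
    check = hmac.new(session_key, header + body, hashlib.sha256).digest()[:CHECK_LEN]
    return header + body + check


class ReceivingGateway:
    def __init__(self, legal_macs, session_keys):
        self.legal_macs = set(legal_macs)        # device authentication library
        self.session_keys = dict(session_keys)   # src MAC -> session key of a currently authenticated terminal
        self.last_seq = {}                       # src MAC -> highest sequence number accepted

    def decapsulate(self, message: bytes):
        """Step B receiver: returns (decrypted inner frame, 'ok') or (None, reason for discard)."""
        if len(message) < HDR.size + CHECK_LEN:
            return None, "truncated message"
        header, body, check = message[:HDR.size], message[HDR.size:-CHECK_LEN], message[-CHECK_LEN:]
        _dst_mac, src_mac, _src_ip, _dst_ip, seq = HDR.unpack(header)
        if src_mac not in self.legal_macs:
            return None, "device authentication failed"
        key = self.session_keys.get(src_mac)
        if key is None:
            return None, "identity authentication not passed"
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:CHECK_LEN]
        if not hmac.compare_digest(expected, check):
            return None, "check code mismatch"
        if seq <= self.last_seq.get(src_mac, -1):
            return None, "replayed sequence number"
        self.last_seq[src_mac] = seq
        return stream_xor(key, struct.pack(">Q", seq), body), "ok"


def demo() -> dict:
    """Run one good message and three rejected ones through a service side gateway."""
    key = hashlib.sha256(b"constructed session key").digest()
    term_mac = bytes.fromhex("0a1b2c3d4e5f")      # constructed service-terminal MAC
    sys_mac = bytes.fromhex("001122334455")       # constructed service-system MAC
    term_ip, virt_ip = bytes([10, 0, 0, 7]), bytes([10, 0, 0, 254])
    inner = b"IPHDR|TCPHDR|GET /status"           # constructed original frame contents
    msg = encapsulate(key, term_mac, term_ip, sys_mac, virt_ip, 1, inner)
    sgw = ReceivingGateway({term_mac}, {term_mac: key})
    results = {"ok": sgw.decapsulate(msg), "replay": sgw.decapsulate(msg)}
    bad = bytearray(msg)
    bad[HDR.size] ^= 0x01                         # flip one ciphertext bit
    results["tamper"] = sgw.decapsulate(bytes(bad))
    results["unknown_mac"] = ReceivingGateway(set(), {term_mac: key}).decapsulate(msg)
    results["no_session"] = ReceivingGateway({term_mac}, {}).decapsulate(msg)
    return results
```

The order of checks in `decapsulate` follows the page: the cheap MAC allowlist lookup and the authentication-state lookup come first, so unauthenticated senders never reach the cryptographic work, and the check code is verified before any decryption so that a tampered message is dropped without its contents being processed.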
In view of the foregoing, the invention further provides a link layer communication encryption system, in which the gateway under link layer encryption is designed modularly so as to implement the method efficiently and ensure the security and efficiency of data.
The invention designs a system of a link layer communication encryption method, which is based on a data link created by a service terminal sequentially passing through a terminal side link encryption gateway, a service side link encryption gateway and a service system, wherein the structure of the terminal side link encryption gateway is the same as that of the service side link encryption gateway, and the terminal side link encryption gateway and the service side link encryption gateway respectively comprise a data capturing module, a data analyzing module, a device authentication module, an identity authentication module, a data encryption and decryption module, a device authentication library, a hardware encryption module and a data sending module;
In the terminal side link encryption gateway, the data capturing module is used for polling the network card to receive data frames and encrypted feedback messages from the buffer queue; the data analyzing module is used for analyzing the data frames and encrypted feedback messages received by the data capturing module; the device authentication library consists of preset legal MACs; the device authentication module is used for authenticating the source MAC of data frames from service terminals against the preset legal MACs in the device authentication library; the identity authentication module is used for realizing identity authentication of the service terminal by contacting, through the data sending module and the data capturing module and using the hardware encryption module, the identity authentication module in the service side link encryption gateway; the data encryption and decryption module is used for encrypting data frames and decrypting encrypted feedback messages with the hardware encryption module; and the data sending module is used for sending the encrypted messages and the feedback result data frames;
In the service side link encryption gateway, the data capturing module is used for polling the network card to receive feedback result data frames and encrypted messages from the buffer queue; the data analyzing module is used for analyzing the feedback result data frames and encrypted messages received by the data capturing module; the device authentication library consists of preset legal MACs; the device authentication module is used for authenticating the source MAC of encrypted messages from the terminal side link encryption gateway against the preset legal MACs in the device authentication library; the identity authentication module is used for judging, with the hardware encryption module, whether identity authentication of a service terminal is currently successful; the data encryption and decryption module is used for encrypting feedback result data frames and decrypting encrypted messages with the hardware encryption module; and the data sending module is used for sending the encrypted feedback messages and the data frames.
Compared with the prior art, the link layer communication encryption method and system have the following technical effects:
The link layer communication encryption method and system designed by the invention deploy a terminal side link encryption gateway and a service side link encryption gateway between a service terminal and a service system. On the basis of device authentication, identity authentication and session key negotiation are designed and applied as one integrated step, so that a lightweight security authentication mechanism is realized: at the time security authentication is performed, the session key to be applied between the terminal side link encryption gateway and the service side link encryption gateway is obtained, that is, a dynamic session key is generated for each accessed service terminal, thereby enhancing the security of data communication and transmission.
Drawings
FIG. 1 is a schematic diagram of a system application architecture of a link layer communication encryption method according to the present invention;
FIG. 2 is a schematic diagram of an application of the link layer communication encryption method of the present invention;
FIG. 3 is a schematic diagram of message construction in the link layer communication encryption method according to the present invention;
FIG. 4 is a schematic diagram of an encryption gateway module in a system of the link layer communication encryption method according to the present invention.
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
Aiming at the defects in the prior art, the invention has the following design ideas:
(1) Designing a link layer identity authentication and key negotiation mechanism, carrying out security authentication based on terminal communication information, completing key negotiation and generating a session key;
(2) Designing a link layer encryption communication mechanism, carrying out safe encryption on communication data at a link layer, shielding protocol differences between a network layer and a transmission layer, and simultaneously realizing hiding of network information of equipment in a local area network to prevent malicious sniffing;
(3) A link layer communication encryption system is provided, which comprises a terminal, a link encryption gateway and a service system, wherein the link encryption gateway is connected in series between the terminal and the service system to realize the security authentication and encryption of the communication data between the terminal and the service system, and simultaneously provide data filtering and access control to resist various forms of network attacks.
Following this design concept, the invention designs a link layer communication encryption method which, as shown in fig. 1, is based on a data link created by a service terminal sequentially passing through a terminal side link encryption gateway, a service side link encryption gateway and a service system. For a data frame uploaded by the service terminal to the terminal side link encryption gateway, in practical application, as shown in fig. 2, taking a TCP connection as an example, device authentication and identity authentication are added into the TCP three-way handshake: the following step A is executed, and then steps B to C are further executed for data communication.
Step A, the terminal side link encryption gateway polls the network card to receive data frames from service terminals in the buffer queue, performs device authentication on the service terminal corresponding to a data frame, contacts the service side link encryption gateway to perform identity authentication of the service terminal corresponding to the data frame, and enters step B when both device authentication and identity authentication currently pass.
In step A, concerning whether device authentication and identity authentication pass, device authentication in practical application is as follows: the terminal side link encryption gateway judges, against the preset legal MACs, whether the source MAC of the received data frame is legal. If so, device authentication currently passes and the gateway contacts the service side link encryption gateway to perform identity authentication of the service terminal corresponding to the data frame; otherwise, device authentication does not currently pass and the data frame is discarded.
Regarding identity authentication, once device authentication has passed, the terminal side link encryption gateway checks whether the service terminal corresponding to the data frame has previously completed identity authentication successfully. If it has, and the current time is within the preset authentication validity period counted from that terminal's last successful authentication, identity authentication currently passes and step B is entered; otherwise identity authentication does not currently pass, the gateway contacts the service side link encryption gateway to perform identity authentication of the service terminal, enters step B on success (identity authentication now passes), and discards the data frame on failure. If the service terminal has not previously been authenticated successfully, the terminal side link encryption gateway likewise judges that identity authentication does not currently pass, contacts the service side link encryption gateway to perform identity authentication of the service terminal, enters step B on success, and discards the data frame on failure.
In actual implementation, the terminal side link encryption gateway contacts the service side link encryption gateway and performs identity authentication of the service terminal corresponding to the data frame according to the following steps A1 to A8 (the notation is that of the claims below).
Step A1. The terminal side link encryption gateway takes its identity ID_A and the root key K_Am corresponding to ID_A, combines them with the current timestamp T_A and the MAC_i and IP_i of the service terminal in the data frame, and applies the ECB key derivation function SM1_ECB[ ] of the standard SM1 algorithm according to the following formula:
K_i = SM1_ECB(K_Am, T_A || ID_A || MAC_i || IP_i)
obtaining the basic session key K_i of the terminal side link encryption gateway for this service terminal; step A2 is then entered.
Step A2. The terminal side link encryption gateway generates a random number R_A of a preset number of bytes and, combined with the basic session key K_i, applies the key derivation function SM1_ECB[ ] of the standard SM1 algorithm and the HMAC function SM3_HMAC[ ] of the standard SM3 algorithm according to the following formulas:
M_A = SM1_ECB(K_i, R_A || T_A || ID_A || MAC_i || IP_i)
K_HASH = SM3_HMAC(K_i, R_A || T_A || ID_A || MAC_i || IP_i)
obtaining the authentication material M_A and the session key material authentication code K_HASH of the terminal side link encryption gateway; step A3 is then entered.
Step A3. The terminal side link encryption gateway takes its ID_A, the basic session key K_i, the random number R_A and the MAC_i of the service terminal in the data frame, and applies the ECB key derivation function SM1_ECB[ ] of the standard SM1 algorithm according to the following formula:
K_A = SM1_ECB(K_i, R_A || ID_A || MAC_i)
obtaining the session key K_A of the terminal side link encryption gateway; step A4 is then entered.
Step A4. The terminal side link encryption gateway builds the identity authentication request data from its ID_A, the authentication material M_A, the session key material authentication code K_HASH and the MAC_i of the service terminal in the data frame, and adds a message header with the service terminal's IP_i as the source IP, the service terminal's MAC_i as the source MAC, the virtual IP address provided by the service side link encryption gateway as the destination IP and the MAC of the service system as the destination MAC, thereby forming the identity authentication request message. It sends this message along the data link between the terminal side link encryption gateway and the service side link encryption gateway to the service side link encryption gateway; step A5 is then entered.
Step A5. The service side link encryption gateway receives and parses the identity authentication request message, obtaining the ID_A of the terminal side link encryption gateway and the MAC_i and IP_i of the service terminal, combines them with the current timestamp T_B, and applies the ECB key derivation function SM1_ECB[ ] of the standard SM1 algorithm according to the following formula (formula not reproduced in the source text):
obtaining the basic session key of the service side link encryption gateway for this service terminal, where K'_Am denotes the root key that the service side link encryption gateway holds for the terminal side link encryption gateway ID_A. It then applies this basic session key to decrypt the authentication material M_A, recovering the random number R_A, the terminal side link encryption gateway timestamp T_A, the terminal side link encryption gateway ID_A, the service terminal MAC_i and the service terminal IP_i, and checks whether the current timestamp T_B lies within the preset validity period of the authentication process measured from T_A. If so, step A6 is entered; otherwise identity authentication fails and the data frame is discarded.
Step A6. The service side link encryption gateway takes its basic session key, the random number R_A, the current timestamp T_B, the terminal side link encryption gateway ID_A, the service terminal MAC_i and the service terminal IP_i, and applies the HMAC function SM3_HMAC[ ] of the standard SM3 algorithm according to the following formula (formula not reproduced in the source text):
obtaining the session key material authentication code K_HASH* of the service side link encryption gateway, and checks whether K_HASH* is consistent with K_HASH. If so, the service side link encryption gateway applies the ECB key derivation function SM1_ECB[ ] of the standard SM1 algorithm according to the following formula (formula not reproduced in the source text):
obtaining the session key K_B of the service side link encryption gateway, and step A7 is entered; otherwise identity authentication fails.
Step A7. The service side link encryption gateway applies the session key K_B to encrypt the identity authentication success message and the time of successful identity authentication, forming the identity authentication success data, and adds a message header with the virtual IP of the service side gateway as the source IP, the MAC of the service system as the source MAC, the service terminal's IP_i as the destination IP and the service terminal's MAC_i as the destination MAC, thereby forming the identity authentication success message. It sends this message along the data link between the service side link encryption gateway and the terminal side link encryption gateway to the terminal side link encryption gateway; step A8 is then entered.
Step A8. The terminal side link encryption gateway applies the session key K_A to decrypt the identity authentication success message, obtaining the success message and the time of successful identity authentication; identity authentication has then succeeded.
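Steps A1 to A6 above as a runnable model, added here and not part of the patent: SM1 is not publicly specified, so AES-128 stands in for SM1_ECB (CBC-MAC for its key-derivation uses, ECB for the material M_A) and HMAC-SHA256 for SM3_HMAC. The identifier widths, the 30-second validity period, carrying T_A inside the request, and recomputing K_HASH* over the values recovered from M_A are all assumptions of this model, because the page does not reproduce the A5 and A6 formulas.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const blockSize, authWindow = 16, 30 // authWindow: preset validity period of the authentication process, in seconds (assumed)

// AuthRequest is the identity authentication request data of step A4. T_A is carried with it because
// the page omits how the service side derives its basic session key while A1 ties that key to T_A (assumption).
type AuthRequest struct {
	IDA   []byte
	TA    int64
	MA    []byte // authentication material M_A
	KHash []byte // session key material authentication code K_HASH
}

func cat(parts ...[]byte) []byte       { return bytes.Join(parts, nil) }
func ts(t int64) []byte                { b := make([]byte, 8); binary.BigEndian.PutUint64(b, uint64(t)); return b }
func zeroPad(b []byte) []byte          { return append(b, make([]byte, (blockSize-len(b)%blockSize)%blockSize)...) }
func aesBlock(key []byte) cipher.Block { c, _ := aes.NewCipher(key); return c } // keys in this model are always 16 bytes

// sm1ECBDerive stands in for SM1_ECB used as a key derivation function: AES-128 CBC-MAC (zero IV) over the
// zero-padded input, last block out. Each use feeds one fixed input length, the condition for CBC-MAC to be a PRF.
func sm1ECBDerive(key, data []byte) []byte {
	c, buf, out := aesBlock(key), zeroPad(data), make([]byte, blockSize)
	for i := 0; i < len(buf); i += blockSize {
		for j := 0; j < blockSize; j++ {
			out[j] ^= buf[i+j]
		}
		c.Encrypt(out, out)
	}
	return out
}

// ecbCrypt stands in for SM1_ECB used as a block cipher on M_A; op is Block.Encrypt or Block.Decrypt.
func ecbCrypt(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blockSize {
		op(out[i:i+blockSize], in[i:i+blockSize])
	}
	return out
}

// sm3HMAC stands in for SM3_HMAC.
func sm3HMAC(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// terminalAuthRequest runs steps A1 to A3 on the terminal side link encryption gateway and returns the
// A4 request data with the terminal side session key K_A. idA/macI/ipI are ID_A, MAC_i, IP_i (4, 6, 4 bytes here).
func terminalAuthRequest(rootKey, idA, macI, ipI []byte, tA int64, rA [16]byte) (AuthRequest, []byte) {
	ids := cat(idA, macI, ipI)
	ki := sm1ECBDerive(rootKey, cat(ts(tA), ids))           // A1: K_i = SM1_ECB(K_Am, T_A||ID_A||MAC_i||IP_i)
	material := cat(rA[:], ts(tA), ids)                     // R_A||T_A||ID_A||MAC_i||IP_i, 38 bytes
	ma := ecbCrypt(aesBlock(ki).Encrypt, zeroPad(material)) // A2: M_A = SM1_ECB(K_i, material)
	kHash := sm3HMAC(ki, material)                          // A2: K_HASH = SM3_HMAC(K_i, material)
	ka := sm1ECBDerive(ki, cat(rA[:], idA, macI))           // A3: K_A = SM1_ECB(K_i, R_A||ID_A||MAC_i)
	return AuthRequest{IDA: idA, TA: tA, MA: ma, KHash: kHash}, ka
}

// serviceVerify runs steps A5 and A6 on the service side link encryption gateway; rootKey is K'_Am, the root key
// it holds for ID_A, and macI/ipI come from the request header. The page omits the A5/A6 formulas, so this model
// recomputes K_HASH* over the values recovered from M_A (assumption).
func serviceVerify(rootKey []byte, req AuthRequest, macI, ipI []byte, tB int64) ([]byte, error) {
	ids := cat(req.IDA, macI, ipI)
	kiPrime := sm1ECBDerive(rootKey, cat(ts(req.TA), ids))
	if len(req.MA) != 3*blockSize {
		return nil, errors.New("malformed authentication material")
	}
	plain := ecbCrypt(aesBlock(kiPrime).Decrypt, req.MA)
	rA, tA := plain[:16], int64(binary.BigEndian.Uint64(plain[16:24]))
	if tA != req.TA || !bytes.Equal(plain[24:38], ids) { // recovered fields must match the request and its header
		return nil, errors.New("authentication material does not match request")
	}
	if tB < tA || tB-tA > authWindow { // T_B must lie within the preset validity period from T_A (stale replay)
		return nil, errors.New("authentication request outside validity period")
	}
	if !hmac.Equal(sm3HMAC(kiPrime, cat(rA, ts(tA), ids)), req.KHash) { // A6: constant-time K_HASH* check
		return nil, errors.New("session key material authentication code mismatch")
	}
	return sm1ECBDerive(kiPrime, cat(rA, req.IDA, macI)), nil // K_B = SM1_ECB(K_i', R_A||ID_A||MAC_i)
}

func main() {
	root, macI, ipI := []byte("constructed-root"), []byte{2, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{10, 1, 2, 3}
	req, kA := terminalAuthRequest(root, []byte{0, 0, 0, 7}, macI, ipI, 1731484800, [16]byte{1, 2, 3}) // constructed values
	kB, err := serviceVerify(root, req, macI, ipI, 1731484805)
	fmt.Println("session keys agree:", err == nil && bytes.Equal(kA, kB))
}
```

The fixed R_A in main keeps the run reproducible; a real gateway would draw it from its hardware cryptographic module.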
Step B. The terminal side link encryption gateway first calls the session key corresponding to its most recent successful identity authentication state and encrypts the IP header, the target transport protocol header and the application data in the data frame, forming the encrypted application data. It then builds the message header on the basis of the Ethernet header shown in figure 3, with the service terminal's IP_i as the source IP, the service terminal's MAC_i as the source MAC, the virtual IP address provided by the service side link encryption gateway as the destination IP and the MAC of the service system as the destination MAC. Finally it generates a check code over the message header and the encrypted application data, encapsulates the message header, the encrypted application data and the check code into the encrypted message, and sends it to the service side link encryption gateway.
The service side link encryption gateway parses the encrypted message from the terminal side link encryption gateway to obtain the source MAC and the encrypted application data, and performs device authentication against the preset legal MACs to judge whether the source MAC is legal. If the source MAC is legal, it further checks whether identity authentication of the corresponding service terminal has succeeded; if so, it calls the session key corresponding to its most recent successful identity authentication state to decrypt the encrypted application data, recovers the data frame, encapsulates and forwards it to the corresponding service system for the query, obtains the feedback result data frame, which is returned to the service side link encryption gateway, and then enters step C; if identity authentication has not succeeded, the encrypted message is discarded. If the source MAC is not legal, the encrypted message is discarded.
Step C. The service side link encryption gateway calls the session key corresponding to its most recent successful identity authentication state and encrypts the received feedback result data frame, forming the encrypted feedback data. It then builds the message header on the basis of the Ethernet header, with the virtual IP of the service side gateway as the source IP, the MAC of the service system as the source MAC, the service terminal's IP_i as the destination IP and the service terminal's MAC_i as the destination MAC. Finally it generates a check code over the message header and the encrypted feedback data, encapsulates the message header, the encrypted feedback data and the check code into the encrypted feedback message, and sends it to the terminal side link encryption gateway. The terminal side link encryption gateway parses the received encrypted feedback message to obtain the encrypted feedback data, calls the session key corresponding to its most recent successful identity authentication state to decrypt it, recovers the feedback result data frame, and encapsulates and forwards it to the service terminal.
In practical application, the method is complemented by a corresponding system. On the basis of the data link created from the service terminal through the terminal side link encryption gateway and the service side link encryption gateway to the service system, the terminal side link encryption gateway and the service side link encryption gateway share the same structure; as shown in fig. 4, each comprises a data capturing module, a data parsing module, a device authentication module, an identity authentication module, a data encryption and decryption module, a device authentication library, a hardware cryptographic module and a data sending module.
In the terminal side link encryption gateway, the data capturing module polls the receive buffer queue of the network card for data frames and encrypted feedback messages; the data parsing module parses the data frames and encrypted feedback messages received by the data capturing module; the device authentication library consists of the preset legal MACs, and the device authentication module authenticates the source MAC of data frames from the service terminal against them; the identity authentication module, relying on the hardware cryptographic module and communicating through the data sending module and the data capturing module, contacts the identity authentication module of the service side link encryption gateway to authenticate the identity of the service terminal; the data encryption and decryption module, relying on the hardware cryptographic module, encrypts data frames and decrypts encrypted feedback messages; and the data sending module sends the encrypted messages and the feedback result data frames.
In the service side link encryption gateway, the data capturing module polls the receive buffer queue of the network card for feedback result data frames and encrypted messages; the data parsing module parses the feedback result data frames and encrypted messages received by the data capturing module; the device authentication library consists of the preset legal MACs, and the device authentication module authenticates the source MAC of encrypted messages from the terminal side link encryption gateway against them; the identity authentication module, relying on the hardware cryptographic module, judges whether identity authentication of the service terminal has currently succeeded; the data encryption and decryption module, relying on the hardware cryptographic module, encrypts feedback result data frames and decrypts encrypted messages; and the data sending module sends the encrypted feedback messages and the data frames.
In this design, the encryption gateway captures packets actively, so the network topologies of the terminal side and the service side are left unchanged. The gateway performs security authentication and binding of terminals and service system servers on the basis of MAC addresses, ensuring that access devices are secure and reliable; at the same time the terminal side and service side encryption gateways perform identity authentication and generate a dynamic session key with which the link data is encrypted, concealing communication information such as IP addresses and preventing malicious users from sniffing and tampering with the network.
The invention places a terminal side link encryption gateway and a service side link encryption gateway between the service terminal and the service system, and designs identity authentication and session key negotiation on top of device authentication. While security authentication is carried out, a subordinate session key is established between the terminal side link encryption gateway and the service side link encryption gateway, giving a lightweight security authentication mechanism in which a dynamic session key is generated for each service terminal that connects, strengthening the security of data communication and transmission. Service terminal communication data is encrypted at the link layer, so intranet network information stays hidden, intranet service systems and devices are shielded from attack, and, because the gateways are configured with no real IP or MAC of their own, malicious users cannot mount a targeted attack on them.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention.

Claims (6)

1.一种链路层通信加密方法,其特征在于,基于业务终端依次经终端侧链路加密网关、业务侧链路加密网关、至业务系统所创建的数据链路,针对业务终端上传至终端侧链路加密网关的数据帧,执行如下步骤:1. A link layer communication encryption method, characterized in that, based on the data link created by the service terminal in sequence through the terminal side link encryption gateway, the service side link encryption gateway, and the service system, for the data frame uploaded by the service terminal to the terminal side link encryption gateway, the following steps are performed: 步骤A.终端侧链路加密网关接收来自业务终端的数据帧,执行关于数据帧所对应业务终端的设备认证,以及联系业务侧链路加密网关,执行数据帧所对应业务终端的身份认证,并在设备认证与身份认证当前均通过的状态下,进入步骤B;Step A. The terminal side link encryption gateway receives the data frame from the service terminal, performs device authentication on the service terminal corresponding to the data frame, and contacts the service side link encryption gateway to perform identity authentication on the service terminal corresponding to the data frame, and enters step B when both the device authentication and identity authentication are currently passed; 步骤B.终端侧链路加密网关调用其对应最近一次身份认证成功状态下的会话密钥,针对数据帧进行加密、封装,发送至业务侧链路加密网关,由业务侧链路加密网关调用其对应最近一次身份认证成功状态下的会话密钥进行解析、解密,并转发相应业务系统进行查询,获得反馈结果数据帧,并转发业务侧链路加密网关,然后进入步骤C;Step B. The terminal side link encryption gateway calls its session key corresponding to the most recent successful identity authentication state, encrypts and encapsulates the data frame, and sends it to the service side link encryption gateway. The service side link encryption gateway calls its session key corresponding to the most recent successful identity authentication state to parse and decrypt, and forwards it to the corresponding service system for query, obtains the feedback result data frame, and forwards it to the service side link encryption gateway, and then enters step C; 步骤C.由业务侧链路加密网关调用其对应最近一次身份认证成功状态下的会话密钥,针对所接收反馈结果数据帧进行加密、封装,发送至终端侧链路加密网关,由终端侧链路加密网关调用其对应最近一次身份认证成功状态下的会话密钥进行解析、解密,并转发业务终端;Step C. 
The service-side link encryption gateway calls the session key corresponding to the most recent successful identity authentication state, encrypts and encapsulates the received feedback result data frame, and sends it to the terminal-side link encryption gateway. The terminal-side link encryption gateway calls the session key corresponding to the most recent successful identity authentication state to parse and decrypt it, and forwards it to the service terminal; 上述步骤A中,终端侧链路加密网关按如下步骤,联系业务侧链路加密网关,执行数据帧所对应业务终端的身份认证;In the above step A, the terminal side link encryption gateway contacts the service side link encryption gateway according to the following steps to perform identity authentication of the service terminal corresponding to the data frame; 步骤A1.终端侧链路加密网关根据其IDA、以及其IDA对应的根密钥KAm,结合当前时间戳TA、以及数据帧中业务终端的MACi、IPi,应用标准国密SM1的ECB密钥派生函数SM1_ECB[],按如下公式:Step A1. The terminal side link encryption gateway applies the ECB key derivation function SM1_ECB[] of the standard national encryption SM1 according to its ID A and the root key K Am corresponding to its ID A , combined with the current timestamp TA and the MAC i and IP i of the service terminal in the data frame, according to the following formula: Ki=SM1_ECB(KAm,TA||IDA||MACi||IPi)K i =SM1_ECB(K Am , TA ||ID A ||MAC i ||IP i ) 获得业务终端对应终端侧链路加密网关的基础会话密钥Ki,然后进入步骤A2;Obtain the basic session key K i of the link encryption gateway on the terminal side corresponding to the service terminal, and then proceed to step A2; 步骤A2.终端侧链路加密网关生成预设字节随机数RA,并结合基础会话密钥Ki,分别应用标准国密SM1的密钥派生函数SM1_ECB[ ]、以及标准国密SM3的HMAC函数SM3_HMAC[ ],按如下公式:Step A2. 
The terminal side link encryption gateway generates a preset byte random number R A , and combines it with the basic session key K i , and applies the key derivation function SM1_ECB[ ] of the standard national encryption SM1 and the HMAC function SM3_HMAC[ ] of the standard national encryption SM3, respectively, according to the following formula: MA=SM1_ECB(Ki,RA||TA||IDA||MACi||IPi)M A =SM1_ECB(K i , RA || TA ||ID A ||MAC i ||IP i ) K_HASH=SM3_HMAC(Ki,RA||TA||IDA||MACi||IPi)K_HASH=SM3_HMAC(K i , RA ||T A ||ID A ||MAC i ||IP i ) 获得终端侧链路加密网关对应的认证素材MA、以及会话密钥素材认证码K_HASH,然后进入步骤A3;Obtain the authentication material MA corresponding to the terminal side link encryption gateway and the session key material authentication code K_HASH, and then proceed to step A3; 步骤A3.终端侧链路加密网关根据其IDA、基础会话密钥Ki、随机数RA、以及数据帧中业务终端的MACi,应用标准国密SM1的ECB密钥派生函数SM1_ECB[ ],按如下公式:Step A3. The terminal side link encryption gateway applies the ECB key derivation function SM1_ECB[ ] of the standard national encryption SM1 according to its ID A , basic session key K i , random number RA , and MAC i of the service terminal in the data frame, according to the following formula: KA=SM1_ECB(Ki,RA||IDA||MACi)K A =SM1_ECB(K i , RA ||ID A ||MAC i ) 获得终端侧链路加密网关的会话密钥KA,然后进入步骤A4;Obtain the session key K A of the link encryption gateway on the terminal side, and then proceed to step A4; 步骤A4.终端侧链路加密网关以其IDA、终端侧链路加密网关对应的认证素材MA、会话密钥素材认证码K_HASH,以及数据帧中业务终端的MACi,构建身份认证请求数据,并添加以业务终端的IPi为源IP、业务终端的MACi为源MAC、业务侧链路加密网关所提供虚拟IP地址为目的IP、业务系统的MAC为目的MAC,更新报文头,构建身份认证请求报文,沿终端侧链路加密网关与业务侧链路加密网关之间的数据链路,发送至业务侧链路加密网关,然后进入步骤A5;Step A4. 
The terminal side link encryption gateway uses its ID A , the authentication material MA corresponding to the terminal side link encryption gateway, the session key material authentication code K_HASH, and the MAC i of the service terminal in the data frame to construct the identity authentication request data, and adds the IP i of the service terminal as the source IP, the MAC i of the service terminal as the source MAC, the virtual IP address provided by the service side link encryption gateway as the destination IP, and the MAC of the service system as the destination MAC, updates the message header, constructs the identity authentication request message, and sends it to the service side link encryption gateway along the data link between the terminal side link encryption gateway and the service side link encryption gateway, and then enters step A5; 步骤A5.业务侧链路加密网关接收身份认证请求报文进行解析,获得终端侧链路加密网关的IDA、业务终端的MACi、IPi,并结合当前时间戳TB,应用标准国密SM1的ECB密钥派生函数SM1_ECB[ ],按如下公式:Step A5. The service side link encryption gateway receives the identity authentication request message and parses it to obtain the ID A of the terminal side link encryption gateway, the MAC i and IP i of the service terminal, and combines it with the current timestamp TB , and applies the ECB key derivation function SM1_ECB[ ] of the standard national encryption SM1, according to the following formula: 获得业务终端对应业务侧链路加密网关的基础会话密钥其中,K'Am表示业务侧链路加密网关所获知终端侧链路加密网关IDA对应的根密钥,并应用基础会话密钥对认证素材MA进行解密,获得随机数RA、终端侧链路加密网关时间戳TA、终端侧链路加密网关IDA、业务终端MACi、业务终端IPi,判断当前时间戳TB是否位于自TA起的预设认证过程有效期内,是则进入步骤A6;否则身份认证不成功,丢弃数据帧;Obtain the basic session key of the service side link encryption gateway corresponding to the service terminal Among them, K'Am represents the root key corresponding to the terminal side link encryption gateway ID A known by the service side link encryption gateway, and applies the basic session key Decrypt the authentication material MA to obtain the random number RA , the terminal side link encryption gateway timestamp TA , 
the terminal side link encryption gateway ID A , the service terminal MAC i , and the service terminal IP i , and determine whether the current timestamp TB is within the preset authentication process validity period starting from TA . If yes, proceed to step A6; otherwise, the identity authentication fails and the data frame is discarded; 步骤A6.业务侧链路加密网关针对基础会话密钥随机数RA、当前时间戳TB、终端侧链路加密网关IDA、业务终端MACi、业务终端IPi,应用标准国密SM3的HMAC函数SM3_HMAC[,按如下公式:Step A6. The service side link encryption gateway uses the basic session key Random number R A , current timestamp T B , terminal side link encryption gateway ID A , service terminal MAC i , service terminal IP i , apply the HMAC function SM3_HMAC[ of the standard national encryption SM3, according to the following formula: 获得业务侧链路加密网关对应的会话密钥素材认证码K_HASH*,并判断K_HASH*与K_HASH是否一致,是则业务侧链路加密网关应用标准国密SM1的ECB密钥派生函数SM1_ECB[ ],按如下公式:Obtain the session key material authentication code K_HASH * corresponding to the service side link encryption gateway, and determine whether K_HASH * is consistent with K_HASH. If so, the service side link encryption gateway applies the ECB key derivation function SM1_ECB[ ] of the standard national encryption SM1, according to the following formula: 获得业务侧链路加密网关的会话密钥KB,然后进入步骤A7;否则即身份认证失败;Obtain the session key K B of the service side link encryption gateway, and then proceed to step A7; otherwise, the identity authentication fails; 步骤A7.业务侧链路加密网关应用会话密钥KB,针对身份认证成功消息、以及身份认证成功时刻进行加密,构建身份认证成功数据,并添加以业务侧网关虚拟IP为源IP、业务系统的MAC为源MAC、业务终端的IPi为目的IP、业务终端的MACi为源为目的MAC,更新报文头,构建身份认证成功报文,沿业务侧链路加密网关与终端侧链路加密网关之间的数据链路,发送至终端侧链路加密网关,然后进入步骤A8;Step A7. 
The service side link encryption gateway applies the session key K B to encrypt the identity authentication success message and the identity authentication success time, construct the identity authentication success data, and add the service side gateway virtual IP as the source IP, the service system MAC as the source MAC, the service terminal IP i as the destination IP, the service terminal MAC i as the source and the destination MAC, update the message header, construct the identity authentication success message, and send it to the terminal side link encryption gateway along the data link between the service side link encryption gateway and the terminal side link encryption gateway, and then enter step A8; 步骤A8.终端侧链路加密网关应用会话密钥KA,针对身份认证成功报文进行解密,获得身份认证成功消息、以及身份认证成功时刻,即身份认证成功。Step A8. The terminal side link encryption gateway applies the session key K A to decrypt the identity authentication success message to obtain the identity authentication success message and the identity authentication success time, that is, the identity authentication is successful. 2.根据权利要求1所述一种链路层通信加密方法,其特征在于:所述步骤A中,终端侧链路加密网关依据预设各合法MAC,执行设备认证判断其所接收数据帧对应的源MAC是否合法,是则设备认证当前通过,联系终端侧链路加密网关,执行数据帧所对应业务终端的身份认证;否则设备认证当前不通过,丢弃数据帧。2. According to the link layer communication encryption method described in claim 1, it is characterized in that: in the step A, the terminal side link encryption gateway performs device authentication based on the preset legal MACs to determine whether the source MAC corresponding to the received data frame is legal. If so, the device authentication is currently passed, and the terminal side link encryption gateway is contacted to perform identity authentication of the service terminal corresponding to the data frame; otherwise, the device authentication is currently not passed and the data frame is discarded. 
3.根据权利要求1或2所述一种链路层通信加密方法,其特征在于:所述步骤A中,基于设备认证当前通过,终端侧链路加密网关判断若数据帧所对应业务终端成功过身份认证,则进一步判断当前时间是否位于业务终端最近一次身份认证成功时刻起的预设认证有效期内,是则身份认证当前通过,并进入步骤B;否则身份认证当前不通过,联系业务侧链路加密网关,执行数据帧所对应业务终端的身份认证,身份认证成功,即身份认证当前通过,则进入步骤B,身份认证失败,则丢弃数据帧;终端侧链路加密网关判断若数据帧所对应业务终端未成功过身份认证,则身份认证当前不通过,联系业务侧链路加密网关,执行数据帧所对应业务终端的身份认证,身份认证成功,即身份认证当前通过,则进入步骤B,身份认证失败,则丢弃数据帧。3. According to a link layer communication encryption method described in claim 1 or 2, it is characterized in that: in the step A, based on the device authentication currently passed, the terminal side link encryption gateway determines if the service terminal corresponding to the data frame has successfully passed the identity authentication, and then further determines whether the current time is within the preset authentication validity period from the time when the service terminal's most recent identity authentication was successful. If so, the identity authentication is currently passed, and enters step B; otherwise, the identity authentication is currently not passed, and the service side link encryption gateway is contacted to perform the identity authentication of the service terminal corresponding to the data frame. If the identity authentication is successful, that is, the identity authentication is currently passed, then enter step B, and if the identity authentication fails, the data frame is discarded; the terminal side link encryption gateway determines that if the service terminal corresponding to the data frame has not successfully passed the identity authentication, the identity authentication is currently not passed, and the service side link encryption gateway is contacted to perform the identity authentication of the service terminal corresponding to the data frame. If the identity authentication is successful, that is, the identity authentication is currently passed, then enter step B, and if the identity authentication fails, the data frame is discarded. 
4.根据权利要求1所述一种链路层通信加密方法,其特征在于:所述步骤B中,业务侧链路加密网关针对来自终端侧链路加密网关的加密报文解析,依据预设各合法MAC,执行设备认证判断其中源MAC是否合法,若源MAC合法,则进一步判断其所对应业务终端的身份认证当前是否成功过身份认证,是则业务侧链路加密网关进一步调用其对应最近一次身份认证成功状态下的会话密钥进行解密;否则丢弃加密报文;若源MAC不合法,则丢弃加密报文。4. According to claim 1, a link layer communication encryption method is characterized in that: in the step B, the service side link encryption gateway parses the encrypted message from the terminal side link encryption gateway, and performs device authentication based on the preset legal MACs to determine whether the source MAC is legal. If the source MAC is legal, it further determines whether the identity authentication of the corresponding service terminal has been successfully authenticated. If so, the service side link encryption gateway further calls the session key corresponding to the most recent successful authentication state for decryption; otherwise, the encrypted message is discarded; if the source MAC is illegal, the encrypted message is discarded. 5.根据权利要求1所述一种链路层通信加密方法,其特征在于:所述步骤B中,终端侧链路加密网关首先调用其对应最近一次身份认证成功状态下的会话密钥,针对数据帧中的IP头部、目标网络传输协议头部、以及应用数据进行加密,构成加密应用数据;然后基于以太网首部,添加以业务终端的IPi为源IP、业务终端的MACi为源MAC、业务侧链路加密网关所提供虚拟IP地址为目的IP、业务系统的MAC为目的MAC,构成报文头;最后生成关于报文头与加密应用数据的校验码,封装报文头、加密应用数据、以及校验码,构成加密报文,发送至业务侧链路加密网关;业务侧链路加密网关针对所接收加密报文进行解析,获得其中加密应用数据,再调用其对应最近一次身份认证成功状态下的会话密钥针对加密应用数据进行解密,获得其中数据帧,并封装转发相应业务系统进行查询;5. 
According to claim 1, a link layer communication encryption method is characterized in that: in the step B, the terminal side link encryption gateway first calls its session key corresponding to the most recent successful identity authentication state, encrypts the IP header, the target network transmission protocol header, and the application data in the data frame to form encrypted application data; then based on the Ethernet header, adds the IP i of the service terminal as the source IP, the MAC i of the service terminal as the source MAC, the virtual IP address provided by the service side link encryption gateway as the destination IP, and the MAC of the service system as the destination MAC to form a message header; finally, generates a check code for the message header and the encrypted application data, encapsulates the message header, the encrypted application data, and the check code to form an encrypted message, and sends it to the service side link encryption gateway; the service side link encryption gateway parses the received encrypted message to obtain the encrypted application data therein, and then calls its session key corresponding to the most recent successful identity authentication state to decrypt the encrypted application data to obtain the data frame therein, and encapsulates and forwards it to the corresponding service system for query; 所述步骤C中,由业务侧链路加密网关调用其对应最近一次身份认证成功状态下的会话密钥,针对所接收反馈结果数据帧进行加密,构成加密反馈数据;然后基于以太网首部,添加以业务侧网关虚拟IP为源IP、业务系统的MAC为源MAC、业务终端的IPi为目的IP、业务终端的MACi为源为目的MAC,构成报文头;最后生成关于报文头与加密反馈数据的校验码,封装报文头、加密反馈数据、以及校验码,构成加密反馈报文,发送至终端侧链路加密网关,由终端侧链路加密网关针对所接收加密反馈报文进行解析,获得其中加密反馈数据,再调用其对应最近一次身份认证成功状态下的会话密钥针对加密反馈数据进行解密,获得其中反馈结果数据帧,并封装转发业务终端。In the step C, the service side link encryption gateway calls its session key corresponding to the most recent successful identity authentication state to encrypt the received feedback result data frame to form encrypted feedback data; then based on the Ethernet header, add the service side gateway virtual IP 
as the source IP, the service system MAC as the source MAC, the service terminal IP i as the destination IP, and the service terminal MAC i as the source and destination MAC to form a message header; finally, generate a check code for the message header and the encrypted feedback data, encapsulate the message header, the encrypted feedback data, and the check code to form an encrypted feedback message, which is sent to the terminal side link encryption gateway, and the terminal side link encryption gateway parses the received encrypted feedback message to obtain the encrypted feedback data therein, and then calls its session key corresponding to the most recent successful identity authentication state to decrypt the encrypted feedback data to obtain the feedback result data frame therein, and encapsulates and forwards it to the service terminal. 6.实现权利要求5所述一种链路层通信加密方法的系统,其特征在于:基于业务终端依次经终端侧链路加密网关、业务侧链路加密网关、至业务系统所创建的数据链路,终端侧链路加密网关的结构与业务侧链路加密网关的结构相同,终端侧链路加密网关与业务侧链路加密网关分别均包括数据捕获模块、数据解析模块、设备认证模块、身份认证模块、数据加解密模块、设备认证库、硬件密码模块、数据发送模块;6. 
A system for implementing the link layer communication encryption method as described in claim 5, characterized in that: the service terminal creates a data link in sequence through the terminal side link encryption gateway, the service side link encryption gateway, and the service system; the terminal side link encryption gateway has the same structure as the service side link encryption gateway, and each of them includes a data capture module, a data parsing module, a device authentication module, an identity authentication module, a data encryption and decryption module, a device authentication library, a hardware password module, and a data sending module.

In the terminal side link encryption gateway, the data capture module is used to poll the network card receive buffer queue for data frames and encrypted feedback messages; the data parsing module is used to parse the data frames and encrypted feedback messages received by the data capture module; the device authentication library consists of preset legal MACs, and the device authentication module is used to authenticate the source MAC of data frames from the service terminal against the preset legal MACs in the device authentication library; the identity authentication module, relying on the hardware password module, is used to contact the identity authentication module of the service side link encryption gateway through the data sending module and the data capture module in order to perform identity authentication of the service terminal; the data encryption and decryption module, relying on the hardware password module, is used to encrypt data frames and to decrypt encrypted feedback messages; the data sending module is used to send encrypted messages and feedback result data frames.

In the service side link encryption gateway, the data capture module is used to poll the network card receive buffer queue for feedback result data frames and encrypted messages; the data parsing module is used to parse the feedback result data frames and encrypted messages received by the data capture module; the device authentication library consists of preset legal MACs, and the device authentication module is used to authenticate the source MAC of encrypted messages from the terminal side link encryption gateway against the preset legal MACs in the device authentication library; the identity authentication module, relying on the hardware password module, is used to determine whether the service terminal has currently passed identity authentication; the data encryption and decryption module, relying on the hardware password module, is used to encrypt feedback result data frames and to decrypt encrypted messages; the data sending module is used to send encrypted feedback messages and data frames.
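The claim above describes the two gateways as having the same module structure: parse the captured frame, check its source MAC against a preset allowlist (the device authentication library), check whether the terminal has passed identity authentication, then encrypt or decrypt with the hardware password module and send. The following is an added illustration of that pipeline in Python, written for this page; it is not code from the patent or its assignees. The patent specifies neither a wire format nor the cipher used by the hardware password module, so everything concrete here is an assumption: the gateway-to-gateway message is a constructed Ethernet frame with a placeholder EtherType, `HardwareCryptoModule` is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the real hardware module, and identity authentication is reduced to a per-gateway set of terminals that have already passed it. The example shows the checks the claim lists rejecting an unlisted source MAC, an unauthenticated terminal, and a modified encrypted message.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType
# Constructed placeholder EtherType for the encrypted gateway-to-gateway message;
# the patent does not define a wire format. 0x88B5 is an IEEE local-experimental value.
ENC_ETHERTYPE = 0x88B5


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_frame(frame: bytes):
    """Data parsing module: split an Ethernet frame into (dst, src, ethertype, payload)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame too short")
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return dst, src, etype, frame[ETH_HDR.size:]


class HardwareCryptoModule:
    """Stand-in (assumption) for the hardware password module: encrypt-then-MAC with an
    HMAC-SHA256 keystream in counter mode and a 16-byte HMAC tag. Not a real cipher; a
    real gateway would delegate to the hardware module's own algorithms."""

    def __init__(self, key: bytes):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def decrypt(self, blob: bytes):
        """Returns the plaintext, or None when the tag does not verify."""
        if len(blob) < 28:
            return None
        nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


@dataclass
class LinkEncryptionGateway:
    """Same structure on both sides, as the claim states; only the allowlist contents differ."""
    own_mac: bytes
    peer_mac: bytes                 # the gateway on the other side of the link
    device_auth_library: set        # preset legal source MACs
    hsm: HardwareCryptoModule
    authenticated: set = field(default_factory=set)  # terminals that passed identity auth (assumed state)

    def device_auth(self, src: bytes) -> bool:
        return src in self.device_auth_library

    def outbound(self, frame: bytes):
        """Plaintext frame from a terminal -> encrypted message to the peer gateway, or None."""
        _, src, _, _ = parse_frame(frame)
        if not self.device_auth(src) or src not in self.authenticated:
            return None
        return ETH_HDR.pack(self.peer_mac, self.own_mac, ENC_ETHERTYPE) + self.hsm.encrypt(frame)

    def inbound(self, msg: bytes):
        """Encrypted message from the peer gateway -> original frame to forward, or None."""
        _, src, etype, blob = parse_frame(msg)
        if etype != ENC_ETHERTYPE or not self.device_auth(src):
            return None
        inner = self.hsm.decrypt(blob)
        if inner is None:
            return None
        _, terminal_src, _, _ = parse_frame(inner)
        return inner if terminal_src in self.authenticated else None


def run_demo() -> dict:
    """Constructed scenario: one terminal, one service system, one gateway per side."""
    key = b"constructed-shared-key-for-demo"   # assumed to be provisioned in both hardware modules
    t_gw_mac, s_gw_mac = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    terminal, server = mac("02:00:00:00:00:10"), mac("02:00:00:00:00:20")
    t_gw = LinkEncryptionGateway(t_gw_mac, s_gw_mac, {terminal}, HardwareCryptoModule(key))
    s_gw = LinkEncryptionGateway(s_gw_mac, t_gw_mac, {t_gw_mac}, HardwareCryptoModule(key))
    frame = ETH_HDR.pack(server, terminal, 0x0800) + b"constructed IPv4 payload"
    results = {"before_auth": t_gw.outbound(frame)}       # None: identity auth not yet passed
    t_gw.authenticated.add(terminal)
    s_gw.authenticated.add(terminal)
    enc = t_gw.outbound(frame)
    results["payload_hidden"] = b"constructed" not in enc
    results["roundtrip"] = s_gw.inbound(enc) == frame
    rogue = ETH_HDR.pack(server, mac("02:00:00:00:00:99"), 0x0800) + b"x"
    results["rogue_mac"] = t_gw.outbound(rogue)           # None: source MAC not in the library
    tampered = enc[:-1] + bytes([enc[-1] ^ 1])
    results["tampered"] = s_gw.inbound(tampered)          # None: tag mismatch
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order of checks mirrors the claim: the cheap source-MAC lookup runs before any call into the crypto module, and on the receiving side the tag is verified before the inner frame is parsed, so a message that fails either check never reaches the service system.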
CN202411612082.5A 2024-11-13 2024-11-13 Link layer communication encryption method and system Active CN119155106B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411612082.5A CN119155106B (en) 2024-11-13 2024-11-13 Link layer communication encryption method and system

Publications (2)

Publication Number Publication Date
CN119155106A CN119155106A (en) 2024-12-17
CN119155106B true CN119155106B (en) 2025-02-18

Family

ID=93813838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411612082.5A Active CN119155106B (en) 2024-11-13 2024-11-13 Link layer communication encryption method and system

Country Status (1)

Country Link
CN (1) CN119155106B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120639525A (en) * 2025-08-14 2025-09-12 信联科技(南京)有限公司 Industrial control terminal access authentication method and system based on network transparency

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072096A (en) * 2007-05-31 2007-11-14 北京威讯紫晶科技有限公司 Data safety transmission method for wireless sensor network
CN115277200A (en) * 2022-07-27 2022-11-01 北京国领科技有限公司 Multi-node key automatic negotiation management method for link layer transparent encryption system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631113B (en) * 2009-08-19 2011-04-06 西安西电捷通无线网络通信股份有限公司 Security access control method of wired LAN and system thereof
CN118802130A (en) * 2024-03-04 2024-10-18 中国移动通信有限公司研究院 A computing method, device, system, equipment, medium and product
CN118842648B (en) * 2024-08-30 2025-07-11 易迅通科技有限公司 Quantum Fusion 5G Encryption Method for IoT Terminals

Also Published As

Publication number Publication date
CN119155106A (en) 2024-12-17

Similar Documents

Publication Publication Date Title
Tschofenig et al. Transport layer security (tls)/datagram transport layer security (dtls) profiles for the internet of things
CN102036230B (en) Method for implementing local route service, base station and system
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
EP3213488A1 (en) End-to-end service layer authentication
CN104837150B (en) IPv6 wireless sense network safety test systems
CN102082796A (en) Method for encrypting channels and simplified method and system for encrypting channels based on HTTP (hyper text transport protocol)
US7055170B1 (en) Security mechanism and architecture for collaborative software systems using tuple space
CN113904809B (en) Communication method, device, electronic equipment and storage medium
US8788821B2 (en) Method and apparatus for securing communication between a mobile node and a network
CN111970699B (en) Terminal WIFI login authentication method and system based on IPK
CN119155106B (en) Link layer communication encryption method and system
US20250133068A1 (en) Encrypted communication method and apparatus, device, and storage medium
CN114614984B (en) Time-sensitive network secure communication method based on cryptographic algorithm
KR20180130203A (en) APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
CN114599033B (en) A kind of communication authentication processing method and device
Fossati RFC 7925: Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things
CN114844730A (en) Network system constructed based on trusted tunnel technology
CN101471767A (en) Method, equipment and system for distributing cipher key
CN118249994A (en) Multi-channel authenticated encryption communication method and system based on IPv6 and QKD
US20090122770A1 (en) Sender and/or helper node modifications to enable security features in cooperative wireless communications
CN100428748C (en) A Multi-Party Communication Method Based on Double Identity
CN107104888A (en) A kind of safe instant communicating method
CN115835193A (en) A method and system for secure data transmission
CN210839642U (en) Device for safely receiving and sending terminal data of Internet of things
CN116405264A (en) A method and system for single package authorization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant