CN106357690B - data transmission method, data sending device and data receiving device - Google Patents
data transmission method, data sending device and data receiving device Download PDFInfo
- Publication number
- CN106357690B CN106357690B CN201610981690.2A CN201610981690A CN106357690B CN 106357690 B CN106357690 B CN 106357690B CN 201610981690 A CN201610981690 A CN 201610981690A CN 106357690 B CN106357690 B CN 106357690B
- Authority
- CN
- China
- Prior art keywords
- data
- message
- key
- data message
- original
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 51
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000004364 calculation method Methods 0.000 claims abstract description 67
- 238000004806 packaging method and process Methods 0.000 claims abstract description 3
- 238000012795 verification Methods 0.000 claims description 62
- 238000012545 processing Methods 0.000 claims description 14
- 238000005538 encapsulation Methods 0.000 claims description 3
- 230000003993 interaction Effects 0.000 claims description 2
- 238000013075 data extraction Methods 0.000 claims 1
- 238000010276 construction Methods 0.000 abstract description 4
- 238000004422 calculation algorithm Methods 0.000 description 21
- 238000004891 communication Methods 0.000 description 17
- 238000010586 diagram Methods 0.000 description 17
- 238000005516 engineering process Methods 0.000 description 4
- 230000004927 fusion Effects 0.000 description 2
- 125000004122 cyclic group Chemical group 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a data transmission method, which is applied to a data sending device and comprises the following steps: receiving original data sent by an application program; generating a dynamic key; packaging the original data into a data message, and adding a security layer header consisting of specific data to the data message; wherein the specific data is used for the original data to pass through a network security layer; performing check calculation on data in the security layer header of the data message and original data to obtain check data, and adding the check data into the data message; encrypting the original data and the check data of the data message by using the dynamic key; and sending the encrypted data message to a data receiving device. By adopting the technical scheme of the invention, when data is sent, the data can be encrypted and verified without adding additional data encryption equipment, so that the construction cost of a data transmission system is saved, and the fault probability of the system is reduced.
Description
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a data transmission method, a data transmitting apparatus, and a data receiving apparatus.
background
with the continuous cross fusion of industrialization and informatization processes, more and more information technologies are applied to the industrial field. But the industrial control system safety problem brought by the problem is more and more, and a series of industrial control system safety events are exposed in sequence and are in a growing trend. Therefore, it is important to improve the safety of the industrial control system.
the method for encrypting the industrial communication protocol data is a visual and effective scheme for improving the industrial control system. In the prior art, data encryption equipment or key management server hardware is added in an industrial control system, so that industrial communication data are encrypted, and the safety of the industrial control system is improved. However, the addition of additional data encryption equipment or key management server hardware increases the cost of the industrial control system and also increases the probability of failure of the industrial control system.
disclosure of Invention
Based on the defects and shortcomings in the prior art, the invention provides a data transmission method, a data sending device and a data receiving device, and data encryption processing based on a security layer in embedded equipment can be realized without additionally adding data encryption equipment when data is sent.
A first aspect of the present invention provides a data transmission method, including the steps of: the data sending device receives original data sent by an application program and generates a dynamic key; then packaging the original data into a data message, and adding a security layer header consisting of specific data to the data message; wherein the specific data is used for the original data to pass through a network security layer. The data sending device carries out check calculation on data in the safety layer header of the data message and original data to obtain check data, and the check data is added into the data message; and encrypting the original data and the check data of the data message by using the dynamic key, and finally sending the encrypted data message to a data receiving device. By adopting the data transmission method, the transmitted data can be encrypted in the data transmitting device, no additional data encryption equipment is needed, the cost is saved, and the system failure rate is low.
A second aspect of the present invention provides a data transmission apparatus, comprising: the data receiving unit is used for receiving original data sent by an application program; a key generation unit for generating a dynamic key; the data encapsulation unit is used for encapsulating the original data into a data message and adding a security layer header consisting of specific data to the data message; wherein the specific data is used for the original data to pass through a network security layer; the verification unit is used for performing verification calculation on data in the safety layer header of the data message and original data to obtain verification data and adding the verification data into the data message; the encryption unit is used for encrypting the original data and the check data of the data message by using the dynamic key; and the data sending unit is used for sending the encrypted data message to a data receiving device. The data sending device provided by the invention realizes the encryption processing of the data when receiving and sending the data from the application program, saves the addition of an additional data encryption device for encrypting the data, and saves the system construction cost.
in one implementation, the generating the dynamic key includes: negotiating an initial key with a data receiving device; generating a random number; and calculating to obtain a dynamic key by using the initial key and the random number. When the data transmitting device generates the key, the data transmitting device negotiates with the data receiving device to determine an initial key, and the data transmitting device and the data receiving device use the matched initial key to respectively realize the encryption and the decryption of the data.
In one implementation, after performing a check calculation on data in a security layer header of the data packet and original data to obtain check data, and adding the check data to the data packet, the method further includes: storing the key data which needs to be sent in clear text and identifies the data message and the random number into a security layer header of the data message. The invention stores the key data of the identification data message into the safety layer header for plaintext transmission, so that when the data receiving device receives the data message, the data receiving device can judge whether the received data message is a new data message or a repeated data message according to the key data in the safety layer header, thereby further determining whether to analyze the data and avoiding the data receiving device from analyzing the repeated data message.
A third aspect of the present invention provides another data transmission method, including the steps of: a data receiving device receives a data message sent by a data sending device and identifies a random number in the header of a data message security layer; and then, according to the random number and an initial key obtained by negotiation with the data sending device, decrypting the data message to obtain original data and check data in the data message. And the data receiving device carries out verification calculation on the data and the original data in the safety layer header of the data message, compares a calculation result with the verification data, and sends the original data to an application program when the calculation result is the same as the verification data. In the data transmission method, the data receiving device directly decrypts and verifies the received data without adding extra data encryption and decryption equipment, so that the construction cost of a data transmission system is saved, and the fault probability of the system is reduced.
A fourth aspect of the present invention provides a data receiving apparatus comprising: a receiving unit, configured to receive a data packet sent by a data sending apparatus; a random number identification unit for identifying a random number in the header of the data message security layer; a decryption unit, configured to decrypt the data packet according to the random number and an initial key obtained by negotiation with the data sending apparatus, so as to obtain original data and check data in the data packet; the verification calculation unit is used for performing verification calculation on data and original data in the safety layer header of the data message and comparing a calculation result with the verification data; and the sending unit is used for sending the original data to an application program when the calculation result is the same as the verification data. After the data message is received, the data receiving device automatically completes the identification, decryption and verification of the data message, can realize the restoration of the data required by the application program without adding additional data encryption and decryption equipment, and saves the construction cost of a data transmission system.
In one implementation, after receiving a data packet sent by a data sending device, before identifying a random number in a security layer header of the data packet, the method further includes: identifying key data used for identifying the data message in the header of the data message security layer; judging whether to analyze the data message or not according to the key data; and when the data message is judged to be analyzed, identifying the random number in the header of the data message security layer. Before decrypting the received data message, the data receiving device firstly identifies the key data in the header of the data message security layer, and judges whether the received data message is a new data message or a repeated data message. If the data message is a repeated data message, the data receiving device does not decrypt the data message any more, but directly discards the data message, so that the time for processing the data by the data receiving device is saved.
in one implementation, the decrypting the data packet according to the random number and an initial key obtained by negotiating with a data sending apparatus to obtain original data and check data in the data packet includes: calculating to obtain a dynamic key according to the random number and an initial key obtained by negotiation with the data sending device; and decrypting the data message by using the dynamic key to obtain the original data and the check data in the data message. The data sending device does not directly send the password to the data receiving device, but sends the random number used for obtaining the dynamic key through calculation to the data receiving device, and the data receiving device obtains the dynamic key through self calculation according to the random number and the initial key obtained through negotiation with the data sending device by adopting the same calculation method as the data sending device, so that the safety of data encryption is improved.
in one implementation, after performing check computation on a security layer header of the data packet and original data, comparing a computation result with the check data, and determining that the computation result is the same as the check data, before sending the original data to an application program, the method further includes: and extracting the original data from the data message. The original data is data which can be used by the application program, and after the data receiving device analyzes the data message, each layer of header and check data are deleted, the original data are extracted from the data message, and then the original data are sent to the application program.
drawings
in order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram of a TCP/IP5 layer model structure with a security layer provided by the present invention;
FIG. 2 is a process diagram of a data transmission method provided by the present invention;
FIG. 3 is a schematic diagram of a data packet structure provided by the present invention;
FIG. 4 is a schematic diagram of the data encryption and verification range proposed by the present invention;
FIG. 5 is a diagram illustrating a data decryption and verification range in the prior art provided by the present invention;
Fig. 6 is a schematic structural diagram of a data transmission apparatus provided in the present invention;
FIG. 7 is a schematic structural diagram of another data transmission apparatus provided in the present invention;
FIG. 8 is a schematic structural diagram of a data receiving apparatus according to the present invention;
FIG. 9 is a schematic structural diagram of another data receiving device provided in the present invention;
FIG. 10 is a schematic structural diagram of another data receiving device provided in the present invention;
Fig. 11 is a schematic structural diagram of another data receiving device provided in the present invention.
Detailed Description
with the continuous cross fusion of industrialization and informatization processes, more and more information technologies are applied to the industrial field, so that the industrial development is intelligent and automatic. But the safety problems of the industrial control system are more and more, and a series of safety problems of the industrial control system are exposed and are in a growing trend. Therefore, it is important to improve the safety of the industrial control system while the industrial technology is rapidly developed. The safety of the industrial control system is improved in an all-around way, and the safety of the industrial control system needs to be improved from different levels and different angles. The encryption protection is performed on industrial communication protocol data used by an industrial control system, and the scheme is the most intuitive and effective scheme.
In a conventional data encryption method, an additional device is usually required to encrypt and decrypt original data, or an additional key management server hardware is required to cooperate with the original device to encrypt and decrypt transmitted data, so as to ensure the secure transmission of the data. However, adding additional devices or key management servers results in increased costs and increases the probability of failure of the data transmission system.
The embodiment of the invention provides a data transmission method, a data sending device and a data receiving device, which can encrypt and decrypt transmitted data on the premise of not adding extra equipment, and ensure the safe transmission of the data.
the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
in order to ensure that the application data can be transmitted safely and reliably, a security layer is added between the transmission layer and the application layer on the basis of the standard TCP/IP four-layer model structure as shown in fig. 1. And when the data passes through the security layer, the data is encrypted, decrypted and verified so as to ensure the safe transmission of the data.
specifically, referring to fig. 2, the data transmission method provided by the embodiment of the present invention includes the following steps:
S201, a data sending device receives data sent by an application program and takes the data as original data of an application layer;
the application program belongs to an application layer in a standard TCP/IP four-layer model structure, and data generated by the application program is data which needs to be transmitted in a network, and in the embodiment of the invention, the data is called as application layer original data.
S202, the data transmitting apparatus negotiates an initial key with the data receiving apparatus.
The data sending party and the data receiving party need to negotiate an initial key common to both the sending party and the receiving party once during each session. The technical scheme of the invention does not limit the algorithm of key negotiation of the transmitting and receiving parties, and the transmitting and receiving parties can select and support according to the operational capability. In order to enhance data security, the embodiment of the present invention uses an asymmetric way negotiation, that is, the transmitting and receiving parties use an asymmetric encryption algorithm to calculate the initial key.
the asymmetric encryption algorithm is a secret method of a secret key. Asymmetric encryption algorithms require two keys: public key (publickey) and private key (privatekey). The public key and the private key are a pair, and if the public key is used for encrypting data, only the corresponding private key can be used for decrypting the data; if the data is encrypted with a private key, it can only be decrypted with the corresponding public key. This algorithm is called asymmetric encryption algorithm because two different keys are used for encryption and decryption.
The basic process of realizing confidential information exchange by the asymmetric encryption algorithm is as follows: the first party generates a pair of keys and discloses one of the keys as a public key to the other party; the party B obtaining the public key encrypts the confidential information by using the key and then sends the encrypted confidential information to the party A; after receiving the confidential information, the first party decrypts the encrypted information by using another private key stored by the first party. On the other hand, the party A can use the public key of the party B to sign the confidential information and then send the signed confidential information to the party B; and after receiving the confidential information, the party B checks and signs the data by using the private key of the party B.
The asymmetric cryptosystem is characterized in that: the algorithm is complex, the security of the algorithm depends on the algorithm and the secret key, but the encryption and decryption speed is not as fast as the symmetric encryption and decryption speed due to the complex algorithm. The symmetric cryptosystem only has one secret key and is not public, and if the secret key is required to be decrypted, the opposite side is required to know the secret key, so that the safety of the information is ensured. The asymmetric key body is provided with two keys, one of which is public, which eliminates the need for the two parties to exchange keys and further improves the security of data and passwords.
specifically, in the embodiment of the present invention, the transceiver and the receiver select the RSA encryption algorithm or the SM2 elliptic curve public key cryptographic algorithm to negotiate the initial key.
S203, the data transmitting device generates a random number;
Each time the data sender sends data, a random number is generated, and the random number is used for calculating a dynamic key together with the initial key negotiated in step S202. At the same time, the random number is transmitted in the clear as part of the data message security layer header. When receiving the data message, the data receiver can calculate a dynamic key according to the random number in the header of the security layer and by combining the initial key, and decrypt the data message.
s204, the data sending device calculates the initial key and the random number to obtain a dynamic key;
the same mathematical formula designed according to preset rules is stored in the data sending party and the data receiving party, and the mathematical formula is used for obtaining the dynamic key by calculation with the initial key and the random number as input. Similarly, the data receiver can also calculate the dynamic key by using the mathematical expression according to the initial key negotiated in advance and the random number identified from the data message security layer header.
S205, adding a security layer header, a data link layer header, a network layer header and a transmission layer header in front of the original data of the application layer by the data sending device;
when the original data of the application layer passes through a standard TCP/IP four-layer protocol, data in a standard format corresponding to each layer needs to be added in front of the original data of the application layer, and then the original data of the application layer can be transmitted in a network. These data in the standard format corresponding to each layer are called headers. As shown in fig. 3, data corresponding to the data link layer, referred to as a data link layer header; data corresponding to the network layer, referred to as a network layer header; data corresponding to the transport layer is referred to as a transport layer header. Similarly, because the technical solution of the embodiment of the present invention adds the security layer in the standard TCP/IP four-layer model structure, the data packet needs to pass through the security layer, and data in the standard format corresponding to the security layer needs to be added, which is called as a security layer header.
s206, the data sending device carries out check calculation on the data in the safety layer header and the original data of the application layer, and the check data is added behind the original data of the application layer;
The check calculation means that a section of plaintext is calculated to obtain a section of short ciphertext in an irreversible manner. The short ciphertext can be used as an identifier of a plaintext, and the correctness and the integrity of data transmission can be ensured by checking the correctness of the identifier.
The data transmitting party carries out check calculation on the data and attaches the calculated check result to the back of the data. The receiver also executes the same check calculation, and the receiver compares whether the check result obtained by the receiver through calculation is the same as the check result attached to the data to judge whether the received data is correct and complete: if the check result obtained by self calculation is the same as the check result attached to the data, the data received by the receiver is correct and complete; if the check result obtained by self calculation is different from the check result attached to the data, the data received by the receiver is incorrect or incomplete.
The embodiment of the invention does not limit the algorithm of the verification calculation of the data sending device, and the data sending device can selectively support according to the calculation capability. For example, the data transmission device may select an SM3 cryptographic Hash Algorithm, version 5 of the message digest Algorithm, Secure Hash Algorithm (SHA 1), Cyclic Redundancy Check (CRC) Algorithm, or the like to perform the Check calculation. However, it is ensured that the check calculation algorithms of the data transmitting device and the data receiving device are the same, so that the data transmitting device and the data receiving device check and calculate the same check data for the same data.
S207, storing key data which needs to be sent in a plaintext and identifies the data message and the random number into a security layer header by a data sending device;
The industrial communication protocol generally uses a redundancy mode to increase the reliability of data transmission and prevent an attacker from maliciously and repeatedly attacking data, which means that a data receiver may receive more than two packets of the same data, and at this time, the data receiver discards repeated data according to a preset rule, i.e., when the data receiver receives the data packets with the same identification, the data receiver discards the repeated data packets.
Based on the industrial communication principle, a specific identifier is required in the data packet for marking the data packet. In the existing data encryption method, the identifier is encrypted into the original data of the application layer, and when a data receiving device receives a data packet, the identifier information of the data packet can be identified only after the data packet needs to be decrypted, so that longer processing time is consumed, and the real-time property of data transmission is reduced. Therefore, identification information for distinguishing different packets is set as key data and transmitted in the clear. In the embodiment of the invention, the key data needing plaintext transmission is stored in the security layer header, and the data transmission device carries out check calculation on the security layer header but does not encrypt the security layer header. When the data receiving device receives the data packet, the data receiving device can directly acquire the identification information of the data packet, confirm whether the received data packet is a repeated data packet or not, further determine whether to perform decryption processing or not, and ensure the real-time performance of data transmission.
Correspondingly, in the data transceiver, a key data processing unit is required to be arranged for storing and identifying key data, especially identification information of the identification data packet. In the critical data processing unit, a data discard module is further required for analyzing whether the received data packet should be discarded.
note that the random number generated in step S203 is also added to the security layer header. And when the data receiver receives the data message, identifying the data message from the safety layer header to obtain a random number, and further calculating according to the random number to obtain a dynamic key.
S208, the data sending device uses the dynamic key to carry out integral encryption on the original data and the check data of the application layer;
As shown in fig. 4, in the embodiment of the present invention, the original data of the application layer and the verification data are encrypted integrally, and the original data of the application layer is protected and the verification data is also encrypted at the same time, so that the verification data is prevented from being tampered, thereby affecting the normal reception of the original data of the application layer by the data receiving apparatus.
In the prior art, there is also a scheme of adding a security layer in a TCP/IP four-layer structure and further encrypting data in the security layer. However, the prior art scheme only encrypts the application layer data, as shown in fig. 5. Since the check data after the application layer original data is obtained by the check calculation of the application layer original data, the check data is used as a basis for the data receiver to check whether the correct data is received, and if the check data is tampered, the data receiver is influenced to correctly receive the data. Therefore, the technical scheme of the embodiment of the invention encrypts the verification data while encrypting the original data of the application layer, thereby further improving the transmission safety of the original data of the application layer.
S209, the data sending device sends the data message through a TCP/IP protocol stack;
The data sending device sends the data message after the operations of verification, encryption and the like to the data receiving device through a TCP/IP protocol stack.
s210, the data receiving device receives a data message through a TCP/IP protocol stack;
S211, the data receiving device identifies key data in the header of the data message security layer, and is used for identifying the data message, and determining whether to analyze the data message according to the key data; when the data message is determined to be a repeated data message according to the key data, discarding the data message; when the data message is confirmed to be a new data message, further analyzing the data message;
The data receiving device identifies key data for identifying the data message from a security layer header of the received data message. By comparing the key data with the key data of the received data message, the data receiving device can confirm whether the received data message is a new data message or a repeated data message. The embodiment of the invention does not limit the algorithm for analyzing whether the received data message is the channel data message or the repeated data message by the data receiving device. Any method that enables the data receiving apparatus to analyze whether the received data packet is a new data packet or a duplicate data packet may be adopted by the embodiments of the present invention. If the data message is a repeated data message, the data receiving device discards the data message without processing; and if the data message is a new data message, entering the next process and further analyzing.
the following describes a process of determining whether to discard a data packet by a data receiver, using a communication sequence number comparison as a preset rule for discarding duplicate data packets:
The data sending device transmits the communication serial number as a part of the safety layer header in a plaintext;
The data transmitting apparatus adds 1 to the communication serial number every time it transmits a packet of encrypted data. Similarly, when transmitting redundant data, the data transmitting apparatus adds 1 to the communication sequence number every time it transmits a packet of data.
When the data receiving device receives a packet of encrypted data, the communication serial number of the received data packet is compared with the communication serial number of the last received data packet. If the communication serial number of the received data packet is larger than the communication serial number of the data packet received last time, receiving the data of the packet; if the communication sequence number of the received data packet is not larger than the communication sequence number of the last received data packet, the data packet is discarded.
s212, the data receiving device identifies and obtains a random number from the safety layer header of the data message, and calculates and obtains a dynamic key according to the random number;
When the data transmitting device transmits data, the dynamic key is calculated by using the random number and the initial key. The initial key is a key that has been negotiated in advance by the data transmitting apparatus and the data receiving apparatus, and the same method of calculating a dynamic key by using a random number and the initial key is stored in the data transmitting apparatus and the data receiving apparatus. Therefore, when the data receiving device receives the data message, the data receiving device can calculate the dynamic key by combining the initial key known by itself after recognizing the random number from the security layer header of the data message.
S213, the data receiving device decrypts the data message by using the dynamic key to obtain the original data and the check data of the application layer;
In step S212, after the data receiving device calculates the dynamic key, the data receiving device decrypts the data packet by using the dynamic key to obtain the encrypted application layer original data and the encrypted verification data.
s214, the data receiving device carries out verification calculation on the data in the safety layer header and the original data of the application layer, compares a calculation result with the verification data obtained by decryption, and carries out next processing on the data message if the calculation result is the same as the verification data; if the calculation result is different from the check data, discarding the data message;
The data receiving device also performs verification calculation on the security layer header and the application layer original data, and compares the verification calculation result with the verification data obtained by the verification calculation of the data transmitting device, as with the data transmitting device. Since the algorithms for performing the verification calculation by the data transmitting apparatus and the data receiving apparatus are the same, the data transmitting apparatus and the data receiving apparatus should obtain the same verification result for the same data.
based on the principle, the data receiving device can judge whether the received data is the same as the data sent by the data sending device by comparing the check result obtained by the self-calculation with the check data sent by the data sending terminal. Specifically, if the result obtained by the verification calculation of the data receiving device is the same as the verification data obtained by decryption, that is, the verification data obtained by calculation of the data sending device, it is indicated that the data received by the data sending device is the same as the data sent by the data sending device, and the data message is processed in the next step; if the result obtained by the data receiving device through check calculation is different from the check data obtained by decryption, the data obtained by the data receiving device through check calculation is different from the data obtained by the data sending device through check calculation, namely the data received by the data receiving device is different from the data sent by the data sending device, the data transmission fails, and the received data message is discarded.
s215, deleting the security layer header, the data link layer header, the network layer header, the transmission layer header and the check data in the data message by the data receiving device to obtain the original data of the application layer;
the application layer raw data in the data packet is data required by the application program of the data receiving party. When receiving a data message, a data receiving device needs to extract application layer original data from the data message and remove data information unnecessary for an application program. Specifically, the data receiving device deletes the security layer header, the data link layer header, the network layer header, the transport layer header and the check data added before and after the application layer original data in order to facilitate data transmission in the network by the data sending device, so as to obtain the application layer original data.
S216, the data receiving device sends the application layer original data to the application program.
The data receiving device deletes the security layer header, the data link layer header, the network layer header, the transmission layer header and the check data in the data message to obtain the original application layer data, which is the data that the application program of the data sending end wants to send to the application program of the data receiving end, and the data receiving device sends the original application layer data to the application program of the local end to complete the data transmission.
It can be seen from the above process that in the technical solution of the embodiment of the present invention, the data encryption protection based on the security layer is realized by adding the security layer in the TCP/IP four-layer model structure. When data is sent, the data message is verified, the verification result is sent along with the original data of the application layer, and the original data of the application layer and the verification result are encrypted, so that the verification data are prevented from being tampered. The data is verified and encrypted, so that double protection of the transmitted data is realized, and the data transmission is safer.
According to the technical scheme of the embodiment of the invention, the original data is encrypted and decrypted without additionally adding a data encryption device or an additional key management server, so that the cost is not increased, and the failure probability of a data transmission system is not increased.
on the other hand, the embodiment of the invention sends the key data for identifying the data message in a plaintext manner, and when the data message is received by the data receiving device, the data receiving device can judge whether the received data message is a new data message or a repeated data message according to the key data, so that whether the data message is discarded or processed in the next step is determined. The communication reliability is improved by using a redundancy mode in an industrial communication protocol, and meanwhile, the real-time performance of data message transmission is guaranteed.
Fig. 6 is a schematic structural diagram of a data transmitting apparatus provided in the present invention, where the data receiving apparatus includes: a data receiving unit 601, configured to receive original data sent by an application; a key generation unit 602, configured to generate a dynamic key; a data encapsulating unit 603, configured to encapsulate the original data into a data packet, and add a security layer header composed of specific data to the data packet; wherein the specific data is used for the original data to pass through a network security layer; a checking unit 604, configured to perform checking calculation on data in a security layer header of the data packet and original data to obtain checking data, and add the checking data to the data packet; an encrypting unit 605, configured to encrypt the original data and the verification data of the data packet by using the dynamic key; a data sending unit 606, configured to send the encrypted data packet to a data receiving apparatus.
Fig. 7 is a schematic structural diagram of another data transmission apparatus provided in the present invention, in which a key generation unit 602 of the data transmission apparatus includes: an information interaction unit 6021, configured to negotiate an initial key with the data receiving apparatus; a random number generation unit 6022 for generating a random number; a calculating unit 6023, configured to calculate a dynamic key by using the initial key and the random number.
for details of the operation of each unit of the data sending apparatus shown in fig. 6 and fig. 7, please refer to the contents of the corresponding method embodiment, which is not described herein again.
fig. 8 is a schematic structural diagram of a data receiving apparatus provided in the present invention, where the data receiving apparatus includes: a receiving unit 801, configured to receive a data packet sent by a data sending apparatus; a random number identification unit 802 for identifying a random number in the data message security layer header; a decryption unit 803, configured to decrypt the data packet according to the random number and an initial key obtained by negotiation with the data sending apparatus, so as to obtain original data and check data in the data packet; a verification calculation unit 804, configured to perform verification calculation on data and original data in the security layer header of the data packet, and compare a calculation result with the verification data; a sending unit 805, configured to send the original data to an application program when the calculation result is the same as the verification data.
Fig. 9 is a schematic structural diagram of another data receiving apparatus provided in the present invention, where the data receiving apparatus further includes a key data identification processing unit 806, configured to identify key data in a header of a data packet after a receiving unit 801 receives the data packet sent by the data sending apparatus, before a random number identification unit 802 identifies a random number in the header of the data packet, for identifying the data packet; judging whether to analyze the data message or not according to the key data; and enabling the random number identification unit to identify the random number in the header of the data message security layer when the data message is judged to be analyzed.
Fig. 10 is a schematic structural diagram of another data receiving apparatus provided in the present invention, where the decryption unit 803 of the data receiving apparatus includes: a dynamic key calculation unit 8031, configured to calculate a dynamic key according to the random number and an initial key obtained by negotiating with the data sending apparatus; the decryption processing unit 8032 is configured to perform decryption processing on the data packet by using the dynamic key, so as to obtain original data and verification data in the data packet.
fig. 11 is a schematic structural diagram of another data receiving apparatus provided in the present invention, where the data receiving apparatus further includes a data extracting unit 807, configured to extract original data from the data packet before the sending unit 805 sends the original data to an application after the verification calculating unit 804 performs verification calculation on the security layer header of the data packet and the original data, compares a calculation result with the verification data, and confirms that the calculation result is the same as the verification data.
For details of operations of each unit of the data receiving apparatus described in fig. 8, fig. 9, fig. 10, and fig. 11, please refer to contents of corresponding method embodiments, which are not repeated herein.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (14)
1. A data transmission method applied to a data transmission apparatus, the method comprising:
Receiving original data sent by an application program;
Generating a dynamic key;
Packaging the original data into a data message, and adding a security layer header consisting of specific data to the data message; wherein the specific data is data in a standard format corresponding to a security layer, and is used for the original data to pass through a network security layer;
Performing check calculation on data in the security layer header of the data message and original data to obtain check data, and adding the check data into the data message;
encrypting the original data and the check data of the data message by using the dynamic key;
and sending the encrypted data message to a data receiving device.
2. The method of claim 1, wherein the generating a dynamic key comprises:
Negotiating an initial key with a data receiving device;
Generating a random number;
And calculating to obtain a dynamic key by using the initial key and the random number.
3. the method of claim 2, wherein after performing a check computation on the data in the security layer header of the data packet and the original data to obtain check data and adding the check data to the data packet, the method further comprises:
storing the key data which needs to be sent in clear text and identifies the data message and the random number into a security layer header of the data message.
4. a data transmission method applied to a data receiving apparatus, the method comprising:
receiving a data message sent by a data sending device;
identifying a random number in the data message security layer header;
decrypting the data message according to the random number and an initial key obtained by negotiation with the data sending device to obtain original data and check data in the data message;
Carrying out verification calculation on data and original data in the safety layer header of the data message, and comparing a calculation result with the verification data;
And when the calculation result is the same as the verification data, sending the original data to an application program.
5. the method of claim 4, wherein after receiving the data message from the data transmitting device, before identifying the random number in the data message security layer header, the method further comprises:
Identifying key data used for identifying the data message in the header of the data message security layer;
Judging whether to analyze the data message or not according to the key data;
And when the data message is judged to be analyzed, identifying the random number in the header of the data message security layer.
6. The method according to claim 4, wherein the decrypting the data packet according to the random number and an initial key negotiated with a data transmission device to obtain original data and verification data in the data packet comprises:
Calculating to obtain a dynamic key according to the random number and an initial key obtained by negotiation with the data sending device;
and decrypting the data message by using the dynamic key to obtain the original data and the check data in the data message.
7. The method of claim 4, wherein after performing a check calculation on the security layer header and the original data of the data packet, comparing the calculation result with the check data, and confirming that the calculation result is the same as the check data, before sending the original data to the application program, the method further comprises:
and extracting the original data from the data message.
8. a data transmission apparatus, comprising:
The data receiving unit is used for receiving original data sent by an application program;
A key generation unit for generating a dynamic key;
the data encapsulation unit is used for encapsulating the original data into a data message and adding a security layer header consisting of specific data to the data message; wherein the specific data is data in a standard format corresponding to a security layer, and is used for the original data to pass through a network security layer;
the verification unit is used for performing verification calculation on data in the safety layer header of the data message and original data to obtain verification data and adding the verification data into the data message;
the encryption unit is used for encrypting the original data and the check data of the data message by using the dynamic key;
and the data sending unit is used for sending the encrypted data message to a data receiving device.
9. the data transmission apparatus according to claim 8, wherein the key generation unit includes:
The information interaction unit is used for negotiating an initial key with the data receiving device;
a random number generation unit for generating a random number;
And the calculating unit is used for calculating to obtain a dynamic key by utilizing the initial key and the random number.
10. the data transmission apparatus according to claim 9, wherein the data encapsulation unit is further configured to:
Storing the key data which needs to be sent in clear text and identifies the data message and the random number into a security layer header of the data message.
11. A data receiving device, comprising:
a receiving unit, configured to receive a data packet sent by a data sending apparatus;
a random number identification unit for identifying a random number in the header of the data message security layer;
A decryption unit, configured to decrypt the data packet according to the random number and an initial key obtained by negotiation with the data sending apparatus, so as to obtain original data and check data in the data packet;
The verification calculation unit is used for performing verification calculation on data and original data in the safety layer header of the data message and comparing a calculation result with the verification data;
And the sending unit is used for sending the original data to an application program when the calculation result is the same as the verification data.
12. the data receiving apparatus according to claim 11, further comprising:
The key data identification processing unit is used for identifying key data in the data message security layer header before the random number identification unit identifies the random number in the data message security layer header after the receiving unit receives the data message sent by the data sending device;
judging whether to analyze the data message or not according to the key data;
and enabling the random number identification unit to identify the random number in the header of the data message security layer when the data message is judged to be analyzed.
13. The data receiving apparatus according to claim 11, wherein said decryption unit includes:
The dynamic key calculation unit is used for calculating a dynamic key according to the random number and an initial key obtained by negotiation with the data sending device;
And the decryption processing unit is used for decrypting the data message by using the dynamic key to obtain the original data and the check data in the data message.
14. The data receiving apparatus according to claim 11, further comprising:
And the data extraction unit is used for extracting the original data from the data message before the sending unit sends the original data to an application program after the verification calculation unit performs verification calculation on the security layer header and the original data of the data message, compares a calculation result with the verification data and confirms that the calculation result is the same as the verification data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610981690.2A CN106357690B (en) | 2016-11-08 | 2016-11-08 | data transmission method, data sending device and data receiving device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610981690.2A CN106357690B (en) | 2016-11-08 | 2016-11-08 | data transmission method, data sending device and data receiving device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106357690A CN106357690A (en) | 2017-01-25 |
| CN106357690B true CN106357690B (en) | 2019-12-10 |
Family
ID=57861470
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610981690.2A Active CN106357690B (en) | 2016-11-08 | 2016-11-08 | data transmission method, data sending device and data receiving device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106357690B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107124435A (en) * | 2017-07-06 | 2017-09-01 | 济南浪潮高新科技投资发展有限公司 | A kind of TCP message encrypted circuit and method |
| CN108243181A (en) * | 2017-10-09 | 2018-07-03 | 北京车和家信息技术有限公司 | A kind of car networking terminal, data ciphering method and car networking server |
| CN112637161B (en) | 2018-09-12 | 2022-07-08 | 宁德时代新能源科技股份有限公司 | Data transmission method and storage medium |
| CN110087025B (en) * | 2019-03-18 | 2021-07-30 | 视联动力信息技术股份有限公司 | Directory verification method and device |
| CN110532129A (en) * | 2019-09-02 | 2019-12-03 | 腾讯科技(深圳)有限公司 | A kind of method, apparatus, equipment and the storage medium of file encryption storage |
| CN111106901A (en) * | 2019-12-31 | 2020-05-05 | 深圳Tcl新技术有限公司 | WiFi data transmission method, device, equipment and storage medium |
| CN111614692B (en) * | 2020-05-28 | 2021-06-08 | 广东纬德信息科技股份有限公司 | Inbound message processing method and device based on power gateway |
| CN113765851B (en) * | 2020-06-03 | 2022-11-08 | 华为技术有限公司 | Data processing method and equipment thereof |
| CN114444088A (en) * | 2020-11-05 | 2022-05-06 | 比亚迪股份有限公司 | A data transmission method, electronic device and system |
| CN114666049B (en) * | 2022-03-25 | 2024-02-20 | 中金金融认证中心有限公司 | Method for encrypting plaintext data and related products |
| CN115883228B (en) * | 2022-12-08 | 2025-08-01 | 南京邮电大学 | Safe data transmission method for preventing repeated encryption and decryption for Internet of things |
| CN116634047A (en) * | 2023-06-08 | 2023-08-22 | 湖北天融信网络安全技术有限公司 | Message transmission method, device, equipment and medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7254835B2 (en) * | 2002-01-04 | 2007-08-07 | Sun Microsystems, Inc. | Method and apparatus for conveying a security context in addressing information |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5757924A (en) * | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
| US20120036567A1 (en) * | 2010-08-05 | 2012-02-09 | Motorola Solutions, Inc. | Methods for establishing a security session in a communications system |
| CN102065021B (en) * | 2011-01-28 | 2012-12-26 | 北京交通大学 | IPSecVPN (Internet Protocol Security Virtual Private Network) realizing system and method based on NetFPGA (Net Field Programmable Gate Array) |
| CN105471917A (en) * | 2016-01-14 | 2016-04-06 | 成都麦杰康科技有限公司 | Data transmission method and system |
-
2016
- 2016-11-08 CN CN201610981690.2A patent/CN106357690B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7254835B2 (en) * | 2002-01-04 | 2007-08-07 | Sun Microsystems, Inc. | Method and apparatus for conveying a security context in addressing information |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106357690A (en) | 2017-01-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106357690B (en) | data transmission method, data sending device and data receiving device | |
| CN110190955B (en) | Information processing method and device based on secure socket layer protocol authentication | |
| CN108347331A (en) | The method and apparatus that T_Box equipment is securely communicated with ECU equipment in car networking system | |
| CN110896401A (en) | Two-dimensional code-based unidirectional data stream transmission system and method between isolated networks | |
| CN113806772A (en) | Information encryption transmission method and device based on block chain | |
| CN114143117B (en) | Data processing method and device | |
| CN110753321A (en) | Safe communication method for vehicle-mounted TBOX and cloud server | |
| CN112637136A (en) | Encrypted communication method and system | |
| CN106254355B (en) | A kind of security processing and system of the Internet protocol data packet | |
| CN116633530A (en) | Quantum key transmission method, device and system | |
| CN111914291A (en) | Message processing method, device, equipment and storage medium | |
| CN111600829A (en) | Secure communication method and system for Internet of things equipment | |
| CN103441983A (en) | Information protection method and device based on link layer discovery protocol | |
| CN117201000A (en) | Mass data secure communication method, equipment and medium based on temporary key agreement | |
| CN107249002B (en) | Method, system and device for improving safety of intelligent electric energy meter | |
| CN119011115A (en) | Secure communication method and secure communication system based on Internet of things | |
| CN119089460B (en) | Data transmission protection method and computer device | |
| CN113242214B (en) | Device, system and method for encryption authentication between boards of power secondary equipment | |
| CN112738101B (en) | Message processing method and device | |
| CN112822015B (en) | Information transmission method and related device | |
| CN114928503B (en) | Method for realizing secure channel and data transmission method | |
| CN117749909A (en) | Data transmission method, data processing method and computer equipment | |
| CN107104888A (en) | A kind of safe instant communicating method | |
| CN110855628A (en) | Data transmission method and system | |
| CN210839642U (en) | Device for safely receiving and sending terminal data of Internet of things |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CB03 | Change of inventor or designer information |
Inventor after: Huang Wenjun Inventor after: Luo Bing Inventor after: Lu Weijun Inventor after: Zhang Wei Inventor after: Chen Yintao Inventor before: Luo Bing Inventor before: Lu Weijun Inventor before: Zhang Wei Inventor before: Chen Yintao |
|
| CB03 | Change of inventor or designer information | ||
| CP03 | Change of name, title or address |
Address after: No. 309 Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province (High tech Zone) Patentee after: Zhongkong Technology Co.,Ltd. Country or region after: China Address before: No. six, No. 309, Binjiang District Road, Hangzhou, Zhejiang Patentee before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd. Country or region before: China |
|
| CP03 | Change of name, title or address |