CN105141637A - Transmission encryption method taking flows as granularity - Google Patents
- Publication number: CN105141637A (application CN201510619566.7A)
- Authority: CN (China)
- Prior art keywords: encryption, packet, type, granularity, analysis
- Prior art date: 2015-09-25
- Legal status: Pending (the status is Google's assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a transmission encryption method that uses flows as the granularity. The method comprises the following steps: a user formulates an encryption policy as required; a service flow management module performs type analysis on data packets and obtains their application type and service type; the service flow management module places packets of different types into different type queues; a data encryption module decides, according to the encryption policy, whether a packet needs to be encrypted and performs the encryption operation on the queues to be encrypted; and the packets are sent and received. According to the invention, all modules are dynamically loaded on the terminal as LKMs (loadable kernel modules), which causes no problems for the original functions of the operating system. Building on existing type identification methods, all packets on the terminal are first distinguished by application and then analysed by service, and encrypted communication with flows as the granularity is applied to each service flow type of each application. The granularity is therefore finer and the encryption mode more flexible, so that data security is taken into account while transmission efficiency is improved.
Description
Technical field
The present invention relates to the technical field of data transmission encryption, and in particular to a transmission encryption method that uses flows as the granularity.
Background technology
In recent years, with the universal coverage of networks and the spread of access terminals, large volumes of data are exchanged over networks. These data often carry a great deal of sensitive information, which must be protected by appropriate security measures. At present many mature encryption algorithms and encryption modes are in wide use, but the usual practice is to encrypt all data of an application. This causes much non-sensitive information to be encrypted as well: the overall security of the transmission rises, but transmission efficiency falls. A single service usually involves several different service flows, such as audio, video and text; if only the audio data contains key information, there is no need to encrypt the video and text as well. Existing schemes cannot meet the user's needs in this scenario.
Existing encryption modes do not support transmission encryption with flows as the granularity; instead they encrypt all service data, which improves security but reduces transmission efficiency. Chinese invention patent application No. 201310433157.9, "Intelligent network service identification method based on positive transfer learning", discloses the parallel detection of network services with a deep packet inspection (DPI) method and a flow-feature-based method (also called deep/dynamic flow inspection, DFI), which improves the efficiency of service recognition, but it does not address any specific encryption mode.
Summary of the invention
To solve the technical problems described above, the invention provides a transmission encryption method that uses flows as the granularity. It can distinguish between applications, subdivide each application into different service flows, and encrypt only specific flows.
To achieve the above object, the technical scheme of the present invention is a transmission encryption method with flows as the granularity, whose steps are as follows:
Step 1: the user formulates an encryption policy according to demand;
Step 2: the service flow management module performs type analysis on packets and obtains the application type and service type of each packet;
Step 3: the service flow management module places packets of different types into different type queues;
Step 4: the data encryption module judges, according to the encryption policy, whether a packet needs to be encrypted, and performs the encryption operation on the queues that need encryption;
Step 5: packets are sent and received.
The service flow management module performs type analysis on packets and places each packet into the corresponding transmit queue according to its type. The service flow management module is loaded into the operating system as an LKM, runs in kernel mode, and can start automatically with the system.
The service flow management module comprises a type identification unit and a queue maintenance unit. The type identification unit captures and analyses packets and comprises an application service flow analysis unit and a service type analysis unit. The application service flow analysis unit performs application type analysis on packets through the hook function at a mount point; the service type analysis unit performs service type analysis on packets using an existing type identification method; the queue maintenance unit stores packets in different queues.
The data encryption module is loaded into the operating system as an LKM, runs in kernel mode, and can start automatically with the system. The data encryption module identifies the encryption policy, judges according to that policy whether each queue needs encryption, and encrypts the packet service flows with an existing mature encryption algorithm.
The data encryption module comprises a data encryption unit, which applies an encryption algorithm to the queues that need encryption.
The beneficial effects of the invention are as follows: all modules are dynamically loaded as LKMs on terminals such as mobile phones, PCs and other access terminals, so no compatibility problem is caused for the original functions of the operating system. Based on existing type identification methods, the invention first divides all packets on the terminal by application, then performs service analysis on the packets, and then performs encrypted communication with flows as the granularity for each service flow type of each application. The granularity is finer and the encryption mode more flexible, so data security is taken into account while transmission efficiency is also improved.
Brief description of the drawings
Fig. 1 is a flow chart of the whole data transmission encryption process of the present invention.
Fig. 2 is a detailed schematic diagram of the transmission encryption with flows as the granularity according to the present invention.
Detailed description
To make the technical problem solved by the invention, its technical scheme and its beneficial effects clearer, the invention is described in detail below with reference to an embodiment. The specific embodiment described here serves only to explain the invention and is not intended to limit it.
A transmission encryption method with flows as the granularity has the following steps:
Step 1: the user formulates an encryption policy according to demand.
The user formulates a suitable encryption policy according to their actual needs, that is, which one or more of the video, audio, file or other service types of which applications are to be encrypted. The policy can be set through a graphical user interface, which makes it convenient for the user to select a certain type of service flow of a certain application for encrypted communication. Once specified, the encryption policy is passed from the user space of the operating system to kernel space through an inter-process communication mechanism.
Step 2: the service flow management module performs type analysis on packets and obtains the application type and service type of each packet.
The service flow management module performs type analysis on packets and places each packet into the corresponding transmit queue according to its type. The module is loaded into the operating system as an LKM (Loadable Kernel Module), runs in kernel mode, and can start automatically with the system. In operation, the module registers hook functions at the mount points of the Netfilter framework, so packets are captured and analysed automatically. The five-tuple of a packet uniquely identifies its service flow. The module analyses every packet sent by the local machine: it checks the five-tuple, namely source IP address, destination IP address, source port number, destination port number and protocol type, and locates the packet's ID entry by a hash computation, thereby identifying the packet's type.
The service flow management module comprises a type identification unit and a queue maintenance unit. The type identification unit captures and analyses packets and comprises an application service flow analysis unit and a service type analysis unit. The application service flow analysis unit performs application type analysis on packets, implemented through the hook function at the mount point; that is, it identifies which application a packet belongs to, for example QQ, Xunlei (Thunder) or FTP. At the same time, the application service flow analysis unit can pass the service flow of a given application on for subsequent encryption. The service type analysis unit performs service type analysis on packets using an existing type identification method such as DPI or L7 identification, determining whether a packet is video, audio, file or other. The queue maintenance unit stores packets in different queues. Because the type identification unit divides packets of different types into different service flows, one or more of the video, audio, file or other flows of an application can be encrypted, which makes the granularity finer and the subsequent encryption mode more flexible.
Step 3: the service flow management module places packets of different types into different type queues.
The queue maintenance unit of the service flow management module stores packets in different queues. According to the application type and service type identified by the type identification unit, it places the packets of different applications into different application list entries and the packets of different service types into the entries of the corresponding type in the service flow list, and then hangs each packet on the corresponding type queue. The service types can be preset, for example video, audio, file and other, and a packet queue is set up for each type. The queues can be implemented as linked lists, with each packet placed in the list of its type.
As shown in Fig. 2, the module first checks whether the packet belongs to an application already present in the application list APPTable. If so, it navigates to the entry of the packet's service type in the service flow list FlowTable; if not, it first adds the packet's application to APPTable. Finally it hangs the packet on the corresponding type linked-list queue QueueList. Specifically, the application type of the packet is determined first, and then its service type. Each service type has a corresponding packet linked list; the list may use any conventional linked-list structure, such as a singly linked list, and a packet whose service type has been determined is appended directly to the corresponding list.
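The classification and queueing of steps 2 and 3, as an added example in Go that is not part of the patent or of any implementation of it. It models the five-tuple hash lookup, the APPTable/FlowTable/QueueList structure and a flow cache, so that the identification units run only on the first packet of each flow. DemoClassify, its port-to-application mapping and the "video:"/"audio:"/"file:" payload markers are constructed stand-ins for the DPI/L7 identification the page delegates to existing methods, and all packet data are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"hash/fnv"
)

// FiveTuple holds the fields checked on every outbound packet (Proto: 6 = TCP, 17 = UDP).
type FiveTuple struct{ SrcIP, DstIP string; SrcPort, DstPort uint16; Proto uint8 }

// FlowID hashes the five-tuple so every packet of one service flow maps to the same ID entry.
func (t FiveTuple) FlowID() uint64 {
	h := fnv.New64a()
	fmt.Fprintf(h, "%s|%s|%d|%d|%d", t.SrcIP, t.DstIP, t.SrcPort, t.DstPort, t.Proto)
	return h.Sum64()
}

// Class is the identification result; Queue is one QueueList entry for one (application, service type).
type (
	Class  struct{ App, Kind string }
	Packet struct{ Tuple FiveTuple; Payload []byte }
	Queue  struct{ Class; Pkts []*Packet }
)

// Tables models APPTable -> FlowTable -> QueueList plus a flow cache keyed by FlowID, so the
// caller-supplied classifier (the DPI/L7 stand-in) runs only on the first packet of each flow.
type Tables struct {
	Apps     map[string]map[string]*Queue // APPTable: application -> FlowTable: service type -> queue
	Flows    map[uint64]Class             // flow cache: five-tuple hash -> classification
	Order    []*Queue                     // queues in creation order
	classify func(*Packet) Class
}

func NewTables(classify func(*Packet) Class) *Tables {
	return &Tables{Apps: map[string]map[string]*Queue{}, Flows: map[uint64]Class{}, classify: classify}
}

// Classify is step 2: locate the flow by its hash and run the classifier only on a cache miss.
func (t *Tables) Classify(p *Packet) Class {
	id := p.Tuple.FlowID()
	if c, ok := t.Flows[id]; ok {
		return c
	}
	c := t.classify(p)
	t.Flows[id] = c
	return c
}

// Enqueue is step 3: create the APPTable and FlowTable entries on demand, then append the packet.
func (t *Tables) Enqueue(p *Packet) *Queue {
	c := t.Classify(p)
	if t.Apps[c.App] == nil {
		t.Apps[c.App] = map[string]*Queue{}
	}
	q := t.Apps[c.App][c.Kind]
	if q == nil {
		q = &Queue{Class: c}
		t.Apps[c.App][c.Kind] = q
		t.Order = append(t.Order, q)
	}
	q.Pkts = append(q.Pkts, p)
	return q
}

// DemoClassify is a constructed stand-in for the identification units: application from the
// destination port, service type from a "video:"/"audio:"/"file:" payload marker.
func DemoClassify(p *Packet) Class {
	c := Class{App: "other", Kind: "other"}
	if app, ok := map[uint16]string{21: "FTP", 8000: "QQ"}[p.Tuple.DstPort]; ok {
		c.App = app
	}
	if i := bytes.IndexByte(p.Payload, ':'); i > 0 {
		c.Kind = string(p.Payload[:i])
	}
	return c
}

// SampleFlows is constructed input: a QQ video flow, a QQ audio flow and an FTP file flow from one host.
func SampleFlows() []*Packet {
	var pkts []*Packet
	add := func(t FiveTuple, marker string, n int) {
		for i := 1; i <= n; i++ {
			pkts = append(pkts, &Packet{Tuple: t, Payload: []byte(fmt.Sprintf("%s:chunk%d", marker, i))})
		}
	}
	add(FiveTuple{"10.0.0.2", "203.0.113.5", 40001, 8000, 17}, "video", 3)
	add(FiveTuple{"10.0.0.2", "203.0.113.5", 40002, 8000, 17}, "audio", 2)
	add(FiveTuple{"10.0.0.2", "198.51.100.9", 40003, 21, 6}, "file", 2)
	return pkts
}

func main() {
	tb := NewTables(DemoClassify)
	for _, p := range SampleFlows() {
		q := tb.Enqueue(p)
		fmt.Printf("%s/%s now holds %d packet(s); %d flows cached\n", q.App, q.Kind, len(q.Pkts), len(tb.Flows))
	}
}
```

The flow cache is the part a real hook at a Netfilter mount point cannot do without: running DPI on every packet of an established flow is wasted kernel time, and a hash keyed on the five-tuple also gives the encryption module a stable per-flow identity to bind its keys or nonces to. Any packet that matches neither the port table nor a payload marker falls into the "other" application and service type, so it still gets a queue and can still be covered by a policy.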
Step 4: the data encryption module judges, according to the encryption policy, whether a packet needs to be encrypted, and performs the encryption operation on the queues that need encryption.
Encryption operates on service types: first the type to be encrypted is determined, then each packet whose type has been identified is checked against it. If the packet belongs to the type to be encrypted it is encrypted; otherwise it is left alone. For example, if the encryption policy is to encrypt all packets of type video, then once the type identification unit has identified a packet as video, the encryption operation is applied to that packet.
The data encryption module is loaded into the operating system as an LKM, runs in kernel mode, and can start automatically with the system. It identifies the encryption policy, judges according to that policy whether each queue needs encryption, and encrypts the packet service flows with an existing mature encryption algorithm. The data encryption module comprises a data encryption unit, which encrypts the queues that need encryption using an existing, relatively mature algorithm such as MD5 (Message Digest Algorithm) or DES (Data Encryption Standard).
The above is the process at the sending end. When the receiving end receives data it first judges whether the data are encrypted; if so it decrypts the packet first, otherwise it does nothing. For example, a field can be added to the packet header to indicate that the packet has been encrypted by the data encryption unit, and the receiving end then only needs to check whether a received packet carries this flag bit.
Queue scheduling serves the packets of each queue in turn. If, for example, there are three type queues, each queue first sends two packets in turn, then three in turn, and so on with an increasing count, which ensures that packets of every type are sent and received in every round.
Step 5: packets are sent and received.
For a packet to be sent, whether to encrypt is judged according to its service type: a packet that needs encryption is encrypted and then placed in the queue to wait for scheduling, while a packet that does not need encryption is placed directly in its type queue to wait for scheduling. Every packet carries a tag flag; after receiving a packet, the receiving end decides from this flag whether to decrypt, for example decrypting when the tag is 1 and doing nothing when it is 0. That is, on receiving a packet the receiving end explicitly checks the tag: if it is 1 the packet is decrypted and then handed back to the operating system's protocol stack for processing; if it is 0 the packet is handed to the operating system directly. Packets are thus sent and received at the sending and receiving ends, and the corresponding packets are encrypted during transmission to protect their security.
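The policy check, encryption, header flag bit, receive-side check and round-robin scheduling of steps 1, 4 and 5, as an added example in Go that is not part of the patent or of any implementation of it. The names Policy, Encryptor, Send and Schedule and the sample packets are constructed. It departs from the page in two deliberate ways: AES-256-GCM is used rather than DES, which is obsolete, or MD5, which is a hash function and cannot encrypt at all; and the flow identity and classification are bound into the ciphertext as associated data, so the receiver rejects a tampered packet or one replayed into a different queue instead of passing it to the protocol stack. The scheduler starts at two packets per queue per round, as in the page's three-queue example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Packet in a type queue: Flow is the five-tuple hash, App/Kind the classification, Tag the header flag bit (1 = encrypted, 0 = plaintext).
type Packet struct{ Flow uint64; App, Kind string; Tag byte; Nonce, Payload []byte }
// Policy is step 1: for each application, the service types the user chose to encrypt.
type Policy map[string]map[string]bool

// Encryptor stands in for the data encryption unit; AES-256-GCM replaces the DES/MD5 the page names, so tampering is detected on receipt.
type Encryptor struct{ aead cipher.AEAD }

func NewEncryptor(key []byte) (*Encryptor, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Encryptor{aead}, err
}

// flowAD binds a ciphertext to its flow and classification, so it cannot be replayed into another queue.
func flowAD(p *Packet) []byte { return []byte(fmt.Sprintf("%d|%s|%s", p.Flow, p.App, p.Kind)) }

// Seal is the data encryption unit: encrypt under a fresh random nonce and set the flag bit.
func (e *Encryptor) Seal(p *Packet) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy: refuse to encrypt rather than risk a repeated nonce
	}
	p.Payload, p.Nonce, p.Tag = e.aead.Seal(nil, nonce, p.Payload, flowAD(p)), nonce, 1
}

// Receive is the receiving end: Tag 0 goes straight to the protocol stack; anything else must authenticate and decrypt first.
func (e *Encryptor) Receive(p *Packet) ([]byte, error) {
	if p.Tag == 0 {
		return p.Payload, nil
	}
	if len(p.Nonce) != e.aead.NonceSize() {
		return nil, fmt.Errorf("tagged packet with %d-byte nonce", len(p.Nonce))
	}
	return e.aead.Open(nil, p.Nonce, p.Payload, flowAD(p))
}

// Schedule drains the type queues in rounds: round one takes 2 packets from every queue, round two 3, and so on.
func Schedule(queues [][]*Packet) []*Packet {
	var out []*Packet
	for quota, moved := 2, true; moved; quota++ {
		moved = false
		for i, q := range queues {
			n := quota
			if n > len(q) {
				n = len(q)
			}
			out, queues[i], moved = append(out, q[:n]...), q[n:], moved || n > 0
		}
	}
	return out
}

// Send is steps 4 and 5 on the sending side: encrypt what the policy selects, queue by (application, service type) in creation order, then schedule.
func Send(policy Policy, enc *Encryptor, pkts []*Packet) []*Packet {
	var queues [][]*Packet
	index := map[[2]string]int{}
	for _, p := range pkts {
		if policy[p.App][p.Kind] {
			enc.Seal(p)
		}
		key := [2]string{p.App, p.Kind}
		if _, ok := index[key]; !ok {
			index[key] = len(queues)
			queues = append(queues, nil)
		}
		queues[index[key]] = append(queues[index[key]], p)
	}
	return Schedule(queues)
}

// SamplePackets is constructed input: three QQ video, two QQ audio and four FTP file packets.
func SamplePackets() (pkts []*Packet) {
	for _, f := range []struct{ app, kind string; flow uint64; n int }{{"QQ", "video", 0x1a, 3}, {"QQ", "audio", 0x1b, 2}, {"FTP", "file", 0x2c, 4}} {
		for i := 1; i <= f.n; i++ {
			pkts = append(pkts, &Packet{Flow: f.flow, App: f.app, Kind: f.kind, Payload: []byte(fmt.Sprintf("%s-%s-%d", f.app, f.kind, i))})
		}
	}
	return pkts
}

func main() {
	enc, _ := NewEncryptor([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte demo key
	for _, p := range Send(Policy{"QQ": {"video": true}}, enc, SamplePackets()) {
		plain, err := enc.Receive(p)
		fmt.Printf("%s/%s tag=%d -> %q %v\n", p.App, p.Kind, p.Tag, plain, err)
	}
}
```

With the policy "encrypt QQ video", the wire order is two packets from each of the three queues, then the remaining video packet and the last two file packets, and only the video packets carry Tag 1. The flag bit alone tells the receiver whether to attempt decryption; it is the authentication tag inside the AEAD output that tells it whether the result can be trusted, which is why Receive returns an error on any packet whose Tag is set but whose ciphertext does not verify. Key distribution between the two ends is outside both the page and this example.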
Example:
Suppose a networked terminal such as a mobile phone or computer runs an application whose service communication comprises several service types such as video, audio and text. The type identification unit of the service flow management module identifies the types of this application's traffic, and the queue maintenance unit hangs the different packets on the different data type queues. Then, according to the encryption policy set by the user, the data encryption module judges whether each service flow type needs encryption; if so, the data encryption unit encrypts the packets, otherwise not. Finally the packets are sent and received.
The above is only a preferred embodiment of the present invention, but the scope of protection of the invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within its scope of protection.
Claims (5)
1. A transmission encryption method with flows as the granularity, characterised in that its steps are as follows:
Step 1: the user formulates an encryption policy according to demand;
Step 2: the service flow management module performs type analysis on packets and obtains the application type and service type of each packet;
Step 3: the service flow management module places packets of different types into different type queues;
Step 4: the data encryption module judges, according to the encryption policy, whether a packet needs to be encrypted, and performs the encryption operation on the queues that need encryption;
Step 5: packets are sent and received.
2. The transmission encryption method with flows as the granularity according to claim 1, characterised in that the service flow management module performs type analysis on packets and places each packet into the corresponding transmit queue according to its type; the service flow management module is loaded into the operating system as an LKM, runs in kernel mode, and can start automatically with the system.
3. The transmission encryption method with flows as the granularity according to claim 2, characterised in that the service flow management module comprises a type identification unit and a queue maintenance unit; the type identification unit captures and analyses packets and comprises an application service flow analysis unit and a service type analysis unit; the application service flow analysis unit performs application type analysis on packets through the hook function at a mount point; the service type analysis unit performs service type analysis on packets using an existing type identification method; the queue maintenance unit stores packets in different queues.
4. The transmission encryption method with flows as the granularity according to claim 1, characterised in that the data encryption module is loaded into the operating system as an LKM, runs in kernel mode, and can start automatically with the system; the data encryption module identifies the encryption policy, judges according to that policy whether each queue needs encryption, and encrypts the packet service flows with an existing mature encryption algorithm.
5. The transmission encryption method with flows as the granularity according to claim 1, characterised in that the data encryption module comprises a data encryption unit, which applies an encryption algorithm to the queues that need encryption.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510619566.7A CN105141637A (en) | 2015-09-25 | 2015-09-25 | Transmission encryption method taking flows as granularity |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105141637A true CN105141637A (en) | 2015-12-09 |
Family
ID=54726844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510619566.7A Pending CN105141637A (en) | 2015-09-25 | 2015-09-25 | Transmission encryption method taking flows as granularity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105141637A (en) |
Timeline
- 2015-09-25: application CN201510619566.7A filed in CN, published as CN105141637A; status Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7441267B1 (en) * | 2003-03-19 | 2008-10-21 | Bbn Technologies Corp. | Method and apparatus for controlling the flow of data across a network interface |
US20090013175A1 (en) * | 2003-03-19 | 2009-01-08 | Brig Barnum Elliott | Method and apparatus for controlling the flow of data across a network interface |
CN101488847A (en) * | 2008-01-18 | 2009-07-22 | 华为技术有限公司 | Method, apparatus and system for data ciphering |
CN101547196A (en) * | 2008-12-26 | 2009-09-30 | 华为技术有限公司 | Methods and devices for encrypting shooting and decrypting playing of network multimedia conference |
CN102857341A (en) * | 2011-06-28 | 2013-01-02 | 联芯科技有限公司 | Communication method for encrypted call |
CN104468252A (en) * | 2013-09-23 | 2015-03-25 | 重庆康拜因科技有限公司 | Intelligent network service identification method based on positive transfer learning |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105871520A (en) * | 2015-12-31 | 2016-08-17 | 乐视网信息技术(北京)股份有限公司 | Data transmission method and device |
CN106131148A (en) * | 2016-06-29 | 2016-11-16 | 宁波市由乐讯通讯科技有限公司 | A kind of Intelligent sliding moved end and service device end message carry out the method and system synchronized |
CN106131147A (en) * | 2016-06-29 | 2016-11-16 | 宁波市由乐讯通讯科技有限公司 | A kind of mobile terminal and server end message carry out the method and system synchronized |
CN106657009A (en) * | 2016-11-14 | 2017-05-10 | 平安科技(深圳)有限公司 | Resource packet encryption method, resource packet decryption method and devices |
WO2018137202A1 (en) * | 2017-01-25 | 2018-08-02 | 华为技术有限公司 | Method, apparatus, and system for transmitting data |
CN108848071A (en) * | 2018-05-30 | 2018-11-20 | 深圳市元征科技股份有限公司 | A kind of data transmission method, system and equipment and storage medium |
CN111163058A (en) * | 2019-12-09 | 2020-05-15 | 京信通信系统(中国)有限公司 | DPDK data encryption processing method, device and network equipment |
CN111163058B (en) * | 2019-12-09 | 2021-11-02 | 京信网络系统股份有限公司 | DPDK data encryption processing method, device and network equipment |
CN114401139A (en) * | 2022-01-14 | 2022-04-26 | 京东方科技集团股份有限公司 | Method and apparatus for processing data samples at an edge computing device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105141637A (en) | Transmission encryption method taking flows as granularity | |
CN111556136B (en) | Data interaction method between internal containers of power edge Internet of things agent | |
CN107342952B (en) | Service link selection control method and equipment | |
CN101309273B (en) | Method and device for generating safety alliance | |
CN101964749A (en) | Message retransmission method and system based on multi-core architecture | |
CN103491648B (en) | Communication means and system based on WIFI | |
CN108040019B (en) | Message forwarding method and device | |
CN104038505A (en) | Method and device for preventing IPSec (internet protocol security) replaying | |
CN104320782A (en) | WiFi signal blocking system and method | |
CN107579925A (en) | Message forwarding method and device | |
US20150117464A1 (en) | Communication apparatus, communication method, and computer readable medium | |
CN106603550A (en) | Network isolation method and network isolation device | |
US20110123064A1 (en) | Method for monitoring a picture or multimedia video pictures in a communication system | |
CN109889521A (en) | Memory, communication channel multiplexing implementation method, device and equipment | |
CN104283801A (en) | Method and system for processing service data | |
CN101355585B (en) | System and method for protecting information of distributed architecture data communication equipment | |
CN102647345A (en) | Load sharing method and system for IPSEC (Internet Protocol Security) data message | |
CN106921534A (en) | Data traffic monitoring and managing method and device | |
EP1704491A4 (en) | A method and systems for resource bunlding in a communications network | |
CN100542094C (en) | A kind of statistical method of Internet protocol message | |
CN103023765A (en) | Message processing method and message processing device based on scripting language | |
CN108366002B (en) | Multifunctional computer network monitoring system | |
CN106656656A (en) | Network device package capture method and device | |
CN105100037B (en) | A kind of backward traffic management and control system | |
CN109145620A (en) | Data flow diversion processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20151209