CN110752921A - A security reinforcement method for communication links - Google Patents

A security reinforcement method for communication links

Info

Publication number: CN110752921A
Authority: CN (China)
Prior art keywords: encryption, key, transparent encryption, transparent, session
Legal status: Pending (Google's assumed status, not a legal conclusion)
Application number: CN201911017293.3A
Other languages: Chinese (zh)
Inventors: 朱斌, 赵义博
Current assignee: Zhejiang Kyushu Quantum Information Technology Ltd By Share Ltd (as listed by Google; may be inaccurate)
Original assignee: Zhejiang Kyushu Quantum Information Technology Ltd By Share Ltd
Application filed by Zhejiang Kyushu Quantum Information Technology Ltd By Share Ltd; priority to CN201911017293.3A; published as CN110752921A; legal status pending.

Abstract

A communication link security reinforcement method. The link reinforcement system comprises a security server and transparent encryption devices. The security server provides key management and encryption rule management for the transparent encryption devices; a transparent encryption device is connected in series in front of an application device and encrypts or decrypts the data flowing through it according to specified rules. After a transparent encryption device joins the network it first registers with the security server and obtains the common key (a symmetric key shared by all devices, rendered "public key" in the machine translation) and the traffic encryption rules. The reinforcement method comprises the steps: a) device registration; b) peer discovery; c) key management; d) rule management; e) network data encryption. Compared with the prior art, the invention provides a plug-and-play communication link security reinforcement system that works at the data link layer, does not affect the topology of the existing network, can automatically discover the data encryption device at the communication peer and establish a secure tunnel with it, uses a symmetric cryptographic mechanism, and can withstand the potential threat of quantum computing, so that the system is quantum-safe.

Description

(Translated from Chinese)

A security reinforcement method for communication links

Technical field

The present invention relates to the technical field of secure communication, and in particular to a method for security reinforcement of a communication link.

Background

With the arrival of the Internet of Things era, the need to communicate is everywhere and constant. Smart meter reading, unattended retail, the industrial Internet: every industry and every kind of device now needs to be connected, so the security of data in transit has become very important. Yet in many IoT and Internet systems already deployed, a considerable share of the data still travels over the network in plaintext. Such systems must have their data communication links hardened before end-to-end data transfer between application terminals can be considered secure.

Among current network security equipment, the device that can secure an end-to-end data communication link is the VPN (Virtual Private Network) device, which builds a private network over the public network and communicates over it with encryption. As shown in Figure 1, the initiator and the receiver of a network communication establish a secure transmission tunnel through their VPN devices; the plaintext exchanged by the two parties is encrypted inside the tunnel, which protects the data while it is in transit on the network.

Applying VPN devices directly to an IoT system, however, runs into several difficulties. First, before the application terminals at the two ends start communicating, the VPN devices at the two ends must first establish the secure transmission tunnel. This requires one VPN device to know the other in advance and to be able to reach it directly, which is a considerable inconvenience for deployment and operations: if the network environment changes and the IP address of a VPN device changes, the secure tunnel between the two VPN devices is interrupted and cannot recover automatically. Second, although there are many protocols for building VPNs, such as IPsec and SSL, the VPN device itself is usually a network-layer device, so attaching it directly in front of an application terminal inevitably changes the network topology and may even make the application terminal unreachable. Third, VPN devices use key agreement algorithms based on asymmetric cryptography, which cannot withstand the potential threat of quantum computing; they are not quantum-safe.

Summary of the invention

The purpose of the present invention is to provide a communication link security reinforcement method that remedies the following defects of the prior art in link communication: the secure transmission tunnel between VPN devices is easily interrupted and cannot recover automatically; changes to the network topology leave application terminals unreachable; and VPN devices use key agreement algorithms based on asymmetric cryptography, which cannot withstand the potential threat of quantum computing.

The technical scheme of the present invention is realized as follows:

A communication link security reinforcement method comprises a link reinforcement system. The link reinforcement system comprises a security server and transparent encryption devices. The security server provides key management and encryption rule management for the transparent encryption devices. A transparent encryption device is connected in series in front of an application device and encrypts or decrypts the data flowing through it according to specified rules. After a transparent encryption device joins the network it first registers with the security server and obtains the common key and the traffic encryption rules. (The key the machine translation calls the "public key", 公共密钥, is a symmetric key shared by all devices in the system, not the public half of an asymmetric key pair; it is called the common key throughout this text.) The reinforcement method comprises the following steps:

a) Device registration: after a transparent encryption device joins the network, it uses pre-configured information to initiate a connection to the security server. The pre-configured information comprises the security server's IP address or domain name and port number, the device identification number, the authentication key, the communication key and the device's current IP address. The authentication key and the communication key are generated by the security server and injected into the transparent encryption device. The authentication key is used for mutual authentication between the transparent encryption device and the security server; the communication key is used for data communication between the transparent encryption device and the security server.

After registration the transparent encryption device keeps its connection to the security server open. Over this connection the security server can periodically probe the device's status, push updates of the common key to it, and issue encryption rules.

b) Peer discovery: determining the peer transparent encryption device of a network session.

c) Key management: once peer discovery completes, the receiving transparent encryption device knows the device identification number and the session identification number of the sending transparent encryption device. The receiving device reports these two values together with its own device identification number and session identification number to the security server and asks it to distribute a session key. The security server generates the session key and distributes it, together with the session identification number, to the corresponding transparent encryption terminals. Once the terminals have received the session key they use it to encrypt the corresponding network session.

d) Rule management: the security server provides a rule management function. After operations staff add, delete or change encryption rules, the security server pushes the rules over the secure connection to all transparent encryption terminals or to specified ones. On receiving a rule management instruction, a terminal updates its own rule base according to the instruction's content.

e) Network data encryption: the transparent encryption terminal encrypts the network packets flowing through it according to the encryption rules, but encrypts and authenticates only the data above the transport layer. The encryption and authentication algorithms are specified by the encryption rule. The session key is used by preference; when no session key exists, the common key is used.

Preferably, an encryption rule is expressed as a six-tuple. The transport-layer protocol is one of TCP or UDP; the source and destination IP address ranges are expressed as an IP address with a subnet mask; the source and destination port ranges are expressed as a start port and an end port. The transparent encryption device inspects the network packets flowing through it against the encryption rules issued by the security server and encrypts those that match a rule with the algorithm the rule specifies. Until a session key has been negotiated with the peer transparent encryption device, the local transparent encryption device encrypts packets with the system's common key; afterwards it encrypts with the session key, so that all data is protected throughout the session.

Preferably, in peer discovery step b), the relevant information about the network session is also conveyed to the peer, by carrying the device identification number in certain identification fields of the IP header of the session's packets.

Preferably, in network data encryption step e), an encryption header is inserted into the encrypted network packet to indicate the corresponding encryption information.

Compared with the prior art, the present invention has the following beneficial effects:

The communication link security reinforcement method of the present invention provides a plug-and-play communication link security reinforcement system. It works at the data link layer and does not affect the topology of the existing network; it can automatically discover the data encryption device at the communication peer and establish a secure tunnel with it; and because the system uses a symmetric cryptographic mechanism, it can withstand the potential threat of quantum computing, so the system is quantum-safe.

Description of the drawings

Figure 1 is a schematic of VPN-based secure transmission in the prior art;

Figure 2 shows the composition and topology of the communication link security reinforcement system of the present invention;

Figure 3 shows the actual deployment structure of the transparent encryption device of the present invention;

Figure 4 shows the IP header as used by the present invention;

Figure 5 shows the encrypted content of a network packet in the present invention;

Figure 6 shows the encryption header format of the present invention;

Figure 7 is a flow chart of packet inspection and decryption in the present invention.

Detailed description

The present invention is described clearly and completely below with reference to the accompanying drawings of its embodiments.

The components of the system, steps a) to e), and the preferred forms of the encryption rule, of peer discovery and of the encryption header are as set out in the Summary of the invention above and are not repeated here.

Specific embodiment

As shown in Figure 2, the system consists of a security server and transparent encryption devices. The security server is deployed independently in the system; it needs a fixed IP address and must be reachable by the transparent encryption devices. It provides key management, encryption rule management and related functions for the transparent encryption devices. A transparent encryption device is connected in series in front of an application device such as an application terminal or application server and encrypts or decrypts the data flowing through it according to the specified rules, so that the data is protected while crossing the public network. As a network device, the transparent encryption device works at the data link layer and does not affect the topology of the application network.

After joining the network, a transparent encryption device first registers with the security server and obtains the common key and the traffic encryption rules. The common key is a fixed-length string of random digits, generated by the security server and replaced periodically, used to encrypt the network packets passing through the device on behalf of the application terminal. The transparent encryption device encrypts the IP packets flowing through it per network session, with a different encryption key for each session. A network session is identified by the five-tuple in the IP packet (transport-layer protocol, source IP address, source port, destination IP address, destination port); different five-tuples are different network sessions. The traffic encryption rules specify which network sessions are to be encrypted and with which algorithm. In this embodiment an encryption rule is expressed as a six-tuple (transport-layer protocol, source IP address range, source port range, destination IP address range, destination port range, encryption and authentication algorithm). There are two transport-layer protocols, TCP and UDP. Source and destination address ranges are written as an IP address with a prefix length: 192.168.1.1/32 denotes the single host 192.168.1.1, and 192.168.1.1/24 denotes the whole 192.168.1.0/24 block (192.168.1.0 through 192.168.1.255); a prefix length of 0 (mask 0.0.0.0) denotes all IP addresses. Source and destination port ranges are written as (start port, end port). The transparent encryption device inspects the packets flowing through it against the rules issued by the security server and encrypts those that match a rule with the algorithm the rule specifies. Until a session key has been negotiated with the peer transparent encryption device, the local device encrypts packets with the system's common key; afterwards it encrypts with the session key, so that all data is protected throughout the session.
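As an added example (not code from the patent), the following Python implements the rule matching described above: rules are parsed from a textual six-tuple, address ranges are handled with the standard ipaddress module so that 192.168.1.1/24 normalizes to 192.168.1.0/24 and 0.0.0.0/0 matches every address, and each observed five-tuple is resolved to the algorithm of the first matching rule or to None (forward in the clear). The textual rule syntax, the first-match precedence, the algorithm names and the sample rules and sessions are assumptions made for this example; the patent specifies none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Five-tuple identifying a network session on the wire."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Six-tuple encryption rule: protocol, source block, source port range,
    destination block, destination port range, encryption/authentication algorithm."""
    proto: str
    src_net: ipaddress.IPv4Network
    src_ports: Tuple[int, int]
    dst_net: ipaddress.IPv4Network
    dst_ports: Tuple[int, int]
    algorithm: str


def _port_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in text.split("-"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_rule(text: str) -> Rule:
    """Parse 'PROTO SRC/LEN LO-HI DST/LEN LO-HI ALGORITHM' (textual form assumed
    for this example; the patent gives no syntax)."""
    proto, src, sp, dst, dp, algorithm = text.split()
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unsupported transport protocol {proto!r}")
    # strict=False accepts host bits in the prefix, so '192.168.1.1/24'
    # normalizes to 192.168.1.0/24 and '0.0.0.0/0' covers every address.
    return Rule(proto,
                ipaddress.ip_network(src, strict=False), _port_range(sp),
                ipaddress.ip_network(dst, strict=False), _port_range(dp),
                algorithm)


def parses(text: str) -> bool:
    """True if text is a well-formed rule; malformed input must be rejected, not
    silently turned into a rule that matches nothing or everything."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, sess: Session) -> bool:
    return (rule.proto == sess.proto.upper()
            and ipaddress.ip_address(sess.src_ip) in rule.src_net
            and rule.src_ports[0] <= sess.src_port <= rule.src_ports[1]
            and ipaddress.ip_address(sess.dst_ip) in rule.dst_net
            and rule.dst_ports[0] <= sess.dst_port <= rule.dst_ports[1])


def select_algorithm(rules: List[Rule], sess: Session) -> Optional[str]:
    """Algorithm of the first matching rule, or None to forward in the clear.
    First-match precedence is an assumption; the patent does not state one."""
    for rule in rules:
        if rule_matches(rule, sess):
            return rule.algorithm
    return None


# Constructed sample rule base as the security server might push it: encrypt
# Modbus/TCP from one LAN to one PLC, and CoAP over UDP between any hosts.
# The algorithm names are placeholders; the patent names no algorithm.
SAMPLE_RULES = [
    parse_rule("TCP 192.168.1.1/24 1-65535 10.0.0.5/32 502-502 AES-256-GCM"),
    parse_rule("UDP 0.0.0.0/0 1-65535 0.0.0.0/0 5683-5683 AES-128-GCM"),
]

if __name__ == "__main__":
    for sess in (Session("TCP", "192.168.1.77", 40000, "10.0.0.5", 502),
                 Session("udp", "172.16.3.9", 5000, "198.51.100.7", 5683),
                 Session("TCP", "192.168.2.77", 40000, "10.0.0.5", 502)):
        print(sess, "->", select_algorithm(SAMPLE_RULES, sess))
```

A session that matches no rule is forwarded unencrypted, so on a real device the rule base pushed in step d) should be reviewed with that default in mind; a badly formed rule is rejected at parse time rather than quietly widening or narrowing the match.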

The processes of device registration, discovery of the peer transparent encryption device, key management, rule management and network packet encryption are explained in detail below. Table 1 lists the types of key used in the system and their descriptions.

Table 1

(Table 1 is an image on the original page and was not extracted; the four key types it lists are described in section 1.3 below.)

1.1 Device registration

After a transparent encryption device joins the network, it uses pre-configured information to initiate a connection to the security server. The pre-configured information comprises the security server's IP address or domain name and port number, the device identification number, the authentication key, the communication key, the device's current IP address and similar data. The authentication key and the communication key are fixed-length random strings generated by the security server and injected into the transparent encryption device through a secure out-of-band channel (for example copying from a USB stick or writing over a serial port). The authentication key is used for mutual authentication between the transparent encryption device and the security server; the authentication algorithm can be any pre-shared-secret scheme such as a challenge-response protocol or SCRAM (Salted Challenge Response Authentication Mechanism). The communication key is used for data communication between the transparent encryption device and the security server.

After registration the transparent encryption device keeps its connection to the security server open. Over this connection the security server can periodically probe the device's status, push updates of the common key to it, and issue encryption rules.
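As an added example (not the patent's code; the patent names no specific protocol), the following Python models the mutual authentication of step a) as an HMAC-SHA256 challenge-response over the pre-installed authentication key, rather than SCRAM. Both sides contribute a fresh nonce; the two proofs are domain-separated by a role label so a server proof cannot be replayed as a device response; the server consumes its challenge on first use so a captured response cannot be replayed; and comparisons are constant-time. The device identifier, key value and message layout are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed provisioning data: the security server generates the authentication
# key and injects it into the device out of band (USB stick or serial port).
DEVICE_ID = b"TED-0001"
AUTH_KEY = bytes.fromhex("6b9b1f5e7d3a4c2e8f0a1b2c3d4e5f60" * 2)   # 32-byte pre-shared key


class AuthError(Exception):
    """Either side failed to prove knowledge of the authentication key."""


def _proof(key: bytes, role: bytes, device_id: bytes, server_nonce: bytes, device_nonce: bytes) -> bytes:
    # The role label gives domain separation: a proof computed as "device" can
    # never be replayed back as a "server" proof under the same key and nonces.
    msg = role + b"\x00" + device_id + server_nonce + device_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecurityServer:
    def __init__(self, provisioned: dict):
        self.provisioned = provisioned        # device_id -> authentication key
        self.pending = {}                     # device_id -> outstanding challenge

    def challenge(self, device_id: bytes) -> bytes:
        if device_id not in self.provisioned:
            raise AuthError("unknown device")
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: bytes, device_nonce: bytes, response: bytes) -> bytes:
        # The challenge is consumed on first use: a replayed response finds no
        # outstanding challenge and is rejected.
        server_nonce = self.pending.pop(device_id, None)
        key = self.provisioned.get(device_id)
        if key is None or server_nonce is None:
            raise AuthError("no outstanding challenge")
        expected = _proof(key, b"device", device_id, server_nonce, device_nonce)
        if not hmac.compare_digest(expected, response):
            raise AuthError("device authentication failed")
        return _proof(key, b"server", device_id, server_nonce, device_nonce)


class TransparentEncryptionDevice:
    def __init__(self, device_id: bytes, auth_key: bytes):
        self.device_id = device_id
        self.auth_key = auth_key
        self.device_nonce = None

    def respond(self, server_nonce: bytes):
        self.device_nonce = secrets.token_bytes(16)
        return self.device_nonce, _proof(self.auth_key, b"device", self.device_id,
                                         server_nonce, self.device_nonce)

    def check_server(self, server_nonce: bytes, server_proof: bytes) -> None:
        expected = _proof(self.auth_key, b"server", self.device_id, server_nonce, self.device_nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise AuthError("server authentication failed")


def register(device: TransparentEncryptionDevice, server: SecurityServer) -> bool:
    """Run the exchange; True on mutual success, AuthError otherwise."""
    server_nonce = server.challenge(device.device_id)                      # server -> device
    device_nonce, response = device.respond(server_nonce)                  # device -> server
    server_proof = server.verify(device.device_id, device_nonce, response) # server -> device
    device.check_server(server_nonce, server_proof)
    return True


def registration_succeeds(device_key: bytes) -> bool:
    """Register a device holding device_key against a server that knows AUTH_KEY."""
    server = SecurityServer({DEVICE_ID: AUTH_KEY})
    try:
        return register(TransparentEncryptionDevice(DEVICE_ID, device_key), server)
    except AuthError:
        return False


def replay_is_rejected() -> bool:
    """A response captured from a successful run must not authenticate twice."""
    server = SecurityServer({DEVICE_ID: AUTH_KEY})
    device = TransparentEncryptionDevice(DEVICE_ID, AUTH_KEY)
    server_nonce = server.challenge(DEVICE_ID)
    device_nonce, response = device.respond(server_nonce)
    server.verify(DEVICE_ID, device_nonce, response)
    try:
        server.verify(DEVICE_ID, device_nonce, response)
        return False
    except AuthError:
        return True


if __name__ == "__main__":
    print("registration:", registration_succeeds(AUTH_KEY))
    print("wrong key rejected:", not registration_succeeds(bytes(32)))
    print("replay rejected:", replay_is_rejected())
```

Because the authentication key is never updated online (section 1.3), a device whose key has leaked can only be revoked by removing its entry from the server's provisioned table; the `challenge` method refuses unknown device identifiers for that reason.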

1.2对端发现1.2 Peer discovery

对端发现的目的是确定网络会话中对端的透明加密设备。直接通过标识网络会话的五元组(输层协议、源IP地址,源端口号、目的IP地址、目的端口号)来确定对端设备信息通常是不可行的,比如处在同一个网络会话中的两个透明加密终端都将其观测到的网络会话五元组上报安全服务器,由安全服务器进行匹配再分别告知它们,但当透明加密设备和应用终端处在有防火墙保护的局域网的时候,这是不可行的,因为此时两个透明加密设备所观测的网络会话五元组信息是不同的。图3给出了一个示例,当应用终端A向应用终端B发起网络会话时,防火墙A和B会分别对应用终端A发出的IP包做SNAT和DNAT操作,这样透明加密设备A和透明加密设备B通过该IP包看到的是不同的网络会话。The purpose of peer discovery is to determine the peer's transparent encryption device in a network session. It is usually not feasible to determine the peer device information directly by identifying the quintuple of the network session (transport layer protocol, source IP address, source port number, destination IP address, destination port number), such as in the same network session. Both the two transparent encryption terminals report the observed network session quintuple to the security server, and the security server matches and then informs them respectively, but when the transparent encryption device and the application terminal are in the LAN protected by a firewall, this It is infeasible, because the network session quintuple information observed by the two transparent encryption devices is different at this time. Figure 3 shows an example. When application terminal A initiates a network session to application terminal B, firewalls A and B will perform SNAT and DNAT operations on the IP packets sent by application terminal A, so that transparent encryption device A and transparent encryption device What B sees through this IP packet is a different network session.

实现对端发现功能的最简单的方法就是直接告知通信对端自己的设备标识号和会话标识号。因为本系统的加密是基于网络会话的,所以需要将网络会话的相关信息也一并告知对端。实现的方式有两种:一是利用会话IP包头部的某些字段,二是直接伪造IP包。直接伪造IP包的方式在某些情况下可能会导致对端发现功能失败或者网络会话的失败,比如防火墙识别出了伪造的IP包而丢弃,或者对端没有透明加密设备。所以比较可行的方法是IP包头部的某些字段来携带设备标识号。The easiest way to realize the peer discovery function is to directly inform the communication peer of its own device identification number and session identification number. Because the encryption of this system is based on the network session, it is necessary to inform the opposite end of the relevant information of the network session. There are two ways to achieve this: one is to use some fields in the header of the session IP packet, and the other is to directly forge the IP packet. The method of directly forging IP packets may lead to the failure of the peer discovery function or the failure of the network session in some cases. For example, the firewall recognizes the forged IP packets and discards them, or the peer does not have a transparent encryption device. Therefore, a more feasible method is to carry the device identification number in some fields of the IP packet header.

我们使用IP头部的标识字段来携带设备标识号。如图4所示,IP头部的标识字段长度为16比特,在IP包被分片时,用于指示哪些分片属于同一个被拆开的IP包。由于分片操作会影响路由器的转发性能,所以部分路由器选择直接丢弃过大的IP包,而不是将其分片后再转发,所以实际上IP头部的标识字段基本上不会被使用。对于没有分片的IP包,设置其头部的标识字段不会给网络会话造成任何影响。We use the identification field of the IP header to carry the device identification number. As shown in FIG. 4 , the length of the identification field of the IP header is 16 bits, and when the IP packet is fragmented, it is used to indicate which fragments belong to the same split IP packet. Since the fragmentation operation will affect the forwarding performance of routers, some routers choose to directly discard oversized IP packets instead of fragmenting them and then forwarding them. In fact, the identification field of the IP header is basically not used. For non-fragmented IP packets, setting the ID field in the header will not have any effect on the network session.

由于IP头部的标识字段只有16比特,而设备标识号通常是4个字节或者更长,所以需要将设备标识号分成若干个部分,再使用多个IP包来分别携带它们。考虑到中间的网络设备也可能会使用IP头部的标识字段来携带一些信息,为了将网络标识号与其它信息区分开来,我们将IP头部的标识字段分成两个部分来使用,一个部分写入固定的数值,用于表示该标识字段携带有部分设备标识号及其属于设备标识号的哪个部分,另一部分携带设备标识号的某个部分。这里我们使用IP头部标识字段的第一个字节携带固定数值,第二个字节携带设备标识号中一个字节的信息,这样对于长度为n个字节的设备标识号和长度为m个字节的会话标识号,至少需要使用n+m个IP包来携带完整的设备标识号和会话标识号。具体的步骤如下:Since the identification field of the IP header is only 16 bits, and the device identification number is usually 4 bytes or longer, it is necessary to divide the device identification number into several parts, and then use multiple IP packets to carry them respectively. Considering that the intermediate network device may also use the identification field of the IP header to carry some information, in order to distinguish the network identification number from other information, we divide the identification field of the IP header into two parts for use, one part A fixed value is written to indicate that the identification field carries part of the device identification number and which part of the device identification number it belongs to, and the other part carries a certain part of the device identification number. Here we use the first byte of the IP header identification field to carry a fixed value, and the second byte to carry one byte of information in the device identification number, so that for a device identification number with a length of n bytes and a length of m A session identification number of bytes, at least n+m IP packets need to be used to carry the complete device identification number and session identification number. The specific steps are as follows:

(1) The system preselects n+m distinct 8-bit random numbers, denoted R1, R2, ..., Rn, Rn+1, Rn+2, ..., Rn+m, which mark the n parts of the device identification number and the m parts of the session identification number respectively; R1, R2, ..., Rn, Rn+1, Rn+2, ..., Rn+m are all different from one another;

(2) The sender's transparent encryption device divides its device identification number SDid into n bytes, denoted SDid1, SDid2, ..., SDidn, and concatenates Ri with SDidi, written Ri|SDidi; it divides its session identification number Sess_id into m bytes, denoted Sess_id1, Sess_id2, ..., Sess_idm, and concatenates Rn+i with Sess_idi, written Rn+i|Sess_idi;

(3) The sender's transparent encryption device writes the n values Ri|SDidi and the m values Rn+i|Sess_idi into the header Identification fields of n+m IP packets of the specified network session flowing through it;

(4) The receiver's transparent encryption device inspects the Identification field of every incoming IP packet header and compares its first byte with R1, R2, ..., Rn, Rn+1, Rn+2, ..., Rn+m; once all of SDid1, SDid2, ..., SDidn and Sess_id1, Sess_id2, ..., Sess_idm have been extracted, it reconstructs SDid and Sess_id, completing the discovery of the peer transparent encryption device.
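The four discovery steps above, as an added Python example that is not part of the patent: the sender turns its device id and session id into marker-prefixed 16-bit Identification values, writes them into IPv4 headers, and the receiver recovers both ids from a packet stream that also contains unrelated traffic. The 4-byte device id, 2-byte session id, the six marker values and the documentation-range addresses are constructed sample values; the patent does not give them. One practical point the text does not mention is included: the IPv4 header checksum covers the Identification field, so it must be recomputed whenever that field is rewritten, otherwise the next router drops the packet.

```python
"""Added example: carrying a device id and session id in IPv4 Identification
fields, as in steps (1)-(4) above. Not the patent's own code."""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample values (not from the patent): a 4-byte device id (n = 4),
# a 2-byte session id (m = 2) and n+m = 6 distinct 8-bit markers R1..R6.
SDID = bytes.fromhex("0a1b2c3d")
SESS_ID = bytes.fromhex("0042")
MARKERS = [0x5A, 0x7C, 0x91, 0xA3, 0xB6, 0xE8]


def encode_ids(sdid: bytes, sess_id: bytes, markers: List[int]) -> List[int]:
    """Steps (1)-(3): one 16-bit Identification value R_i | byte_i per packet,
    first the n device-id bytes, then the m session-id bytes."""
    payload = sdid + sess_id
    if len(markers) != len(payload) or len(set(markers)) != len(markers):
        raise ValueError("need exactly one distinct 8-bit marker per id byte")
    return [(r << 8) | b for r, b in zip(markers, payload)]


def decode_ids(id_fields: List[int], markers: List[int], n: int, m: int
               ) -> Optional[Tuple[bytes, bytes]]:
    """Step (4): look at each incoming Identification value, keep those whose
    high byte is one of R1..R(n+m), and reassemble once every part has arrived.
    Values whose high byte is not a marker belong to ordinary traffic and are ignored."""
    slot: Dict[int, int] = {r: i for i, r in enumerate(markers)}
    got: Dict[int, int] = {}
    for ident in id_fields:
        hi, lo = ident >> 8, ident & 0xFF
        if hi in slot and slot[hi] not in got:   # first occurrence of a part wins
            got[slot[hi]] = lo
        if len(got) == n + m:
            data = bytes(got[i] for i in range(n + m))
            return data[:n], data[n:]
    return None  # not all parts seen yet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; returns 0 for a
    header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_ip_id(header: bytes, ident: int) -> bytes:
    """Overwrite the Identification field (bytes 4-5) of an IPv4 header and
    recompute the header checksum, which covers that field."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    h = bytearray(header)
    h[4:6] = struct.pack("!H", ident)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h[:20])))
    return bytes(h)


def build_ipv4_header(ident: int) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, DF set, documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return set_ip_id(hdr, ident)


def demo() -> Tuple[bytes, bytes]:
    """Sender marks six packets; two unrelated packets are mixed in on the way;
    the receiver still recovers (SDID, SESS_ID)."""
    wire = [build_ipv4_header(i) for i in encode_ids(SDID, SESS_ID, MARKERS)]
    wire.insert(2, build_ipv4_header(0x1234))   # ordinary packet, not a marker
    wire.append(build_ipv4_header(0xBEEF))      # ordinary packet, not a marker
    seen = [struct.unpack("!H", h[4:6])[0] for h in wire]
    result = decode_ids(seen, MARKERS, len(SDID), len(SESS_ID))
    if result is None:
        raise RuntimeError("discovery incomplete")
    return result
```

Because the receiver keys only on the 8-bit marker, an ordinary packet whose Identification value happens to start with a marker byte would be taken as a part of the id; the patent's scheme has no integrity check for this, so a deployment has to choose the n+m markers to be rare in the surrounding traffic and should confirm the recovered ids with the security server (section 1.3) before trusting them.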

1.3 Key Management

Table 1 lists the four types of keys used by the system: authentication key, communication key, public key and session key. The authentication key and communication key are preloaded into the transparent encryption device before deployment; they are used respectively for authenticating the device's identity and for data communication between the device and the security server, and neither is updated online. A session key is negotiated by two transparent encryption devices to encrypt a particular network session. The public key is shared by all transparent encryption devices in the system (despite its name it is a shared symmetric key, consistent with the symmetric cryptographic mechanism the system uses throughout); it is distributed by the security server and refreshed periodically, and a transparent encryption device uses it to encrypt a network session until a session key has been negotiated for that session.

After peer discovery completes, the receiver's transparent encryption device knows the device identification number and session identification number of the sender's transparent encryption device. It reports these two values, together with its own device identification number and session identification number, to the security server and asks it to distribute a session key. The security server generates the session key and distributes it, together with the session identification number, to the transparent encryption terminals concerned. Once they have received the key they can use it to encrypt the corresponding network session. The security server can also rotate the session key for the transparent encryption terminals periodically, at an interval that is configurable.

1.4 Rule Management

The security server provides a rule management function. When operations staff add, delete or change encryption rules, the security server pushes them over a secure connection to all transparent encryption terminals or to designated ones. On receiving a rule management instruction, a transparent encryption terminal updates its own rule base according to the instruction's contents.
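A rule base of the kind this section describes, holding rules in the six-tuple form given in claim 2 (transport protocol, source and destination address with subnet mask, source and destination port range, algorithm), as an added Python example rather than the patent's code. The textual rule syntax, the add/change/delete command names, first-match ordering and the sample addresses are assumptions; the patent specifies none of them.

```python
"""Added example (not the patent's code): a terminal-side encryption rule base
updated from server instructions, with rules in claim 2's six-tuple form."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str                   # transport protocol: "TCP" or "UDP"
    src: ipaddress.IPv4Network   # source address + subnet mask
    dst: ipaddress.IPv4Network   # destination address + subnet mask
    sport: Tuple[int, int]       # source port range, start-end inclusive
    dport: Tuple[int, int]       # destination port range, start-end inclusive
    alg: int                     # encryption/authentication algorithm id

    @staticmethod
    def parse(text: str) -> "Rule":
        """Constructed text form: 'TCP 192.0.2.0/24 198.51.100.0/24 0-65535 443-443 1'."""
        proto, src, dst, sp, dp, alg = text.split()
        if proto not in ("TCP", "UDP"):
            raise ValueError("transport protocol must be TCP or UDP")

        def port_range(s: str) -> Tuple[int, int]:
            lo, hi = (int(x) for x in s.split("-"))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError("bad port range " + s)
            return lo, hi

        return Rule(proto, ipaddress.IPv4Network(src, strict=False),
                    ipaddress.IPv4Network(dst, strict=False),
                    port_range(sp), port_range(dp), int(alg))

    def matches(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> bool:
        return (proto == self.proto
                and ipaddress.IPv4Address(sip) in self.src
                and ipaddress.IPv4Address(dip) in self.dst
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])


class RuleBase:
    """The rule base a transparent encryption terminal keeps locally."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}   # rule id -> rule, kept in insertion order

    def apply(self, cmd: str, rule_id: str, rule: Optional[Rule] = None) -> None:
        """Apply one add/change/delete instruction received from the security server."""
        if cmd in ("add", "change"):
            if rule is None:
                raise ValueError(cmd + " needs a rule")
            self.rules[rule_id] = rule
        elif cmd == "delete":
            self.rules.pop(rule_id, None)
        else:
            raise ValueError("unknown rule command " + cmd)

    def lookup(self, proto: str, sip: str, sport: int, dip: str, dport: int) -> Optional[Rule]:
        """First matching rule decides the algorithm; None means the packet is
        not covered by any rule and is forwarded unchanged."""
        for rule in self.rules.values():
            if rule.matches(proto, sip, sport, dip, dport):
                return rule
        return None
```

Because a packet matching no rule passes through in the clear, an operator reviewing a rule push should check the rule set for the gaps that result from a delete as carefully as for the coverage an add provides.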

1.5 Network Data Encryption

A transparent encryption terminal encrypts the network packets flowing through it according to the encryption rules, but encrypts and authenticates only the data above the transport layer (the transport-layer header itself is left in the clear). The encryption and authentication algorithms are specified by the encryption rule. The session key is used in preference; when no session key exists, the public key is used. As shown in FIG. 5, to make decryption by the peer transparent encryption device straightforward, an encryption header indicating the relevant encryption parameters is inserted into the encrypted network packet.

The format of the encryption header is shown in FIG. 6 and includes a version number, an encryption header identifier, an encrypted data length and a key ID, among other fields. The encryption header identifier is 12 bits long and holds a fixed value, set to 0xCDE in this system, so that when the peer transparent encryption device receives a network packet it can use this field to decide whether the packet may be an encrypted packet. The version number is 4 bits long and indicates the format of the encryption header; it is set to 1 in this system. The encrypted data length gives the length in bytes of the encrypted TCP/UDP data. The encryption and authentication algorithm field is 1 byte long and identifies the algorithms applied to the packet; the key ID is 3 bytes long and identifies the key used to encrypt the packet.

Note that encrypting and authenticating the TCP/UDP data increases its length; with the encryption header added as well, the encrypted packet is longer than the original and may even exceed the path MTU, causing transmission to fail. To avoid this, before encrypting a packet the transparent encryption device first fragments any packet exceeding a specified length (1200 bytes in this system), following the standard IP fragmentation rules, and then encrypts the resulting fragments.

When the peer transparent encryption device receives the encrypted data, it first checks whether the packet is an encrypted packet. If so, it reads the key ID from the encryption header, looks up the corresponding session key or public key by that ID, decrypts and authenticates the encrypted content, recovers the original content and forwards it to the application terminal behind it. The detailed checking and decryption steps are shown in FIG. 7.
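The encryption header of FIG. 6, the receiver-side checks of FIG. 7, the key preference of section 1.5 and the 1200-byte pre-fragmentation threshold, as an added Python example that is not the patent's own code. The 12-bit identifier 0xCDE, the 4-bit version 1, the 1-byte algorithm field, the 3-byte key ID and the 1200-byte threshold come from the text. The order of the fields within the header, a 16-bit length field, the algorithm id value and the encrypt-then-MAC stand-in cipher built from HMAC-SHA256 are assumptions; a deployment would use whatever algorithm the encryption rule specifies. The "public key" is the system-wide shared symmetric key of section 1.3.

```python
"""Added example (not the patent's code): encryption header framing, receiver
checks, session-key-first key selection and the pre-fragmentation threshold."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

HDR_MAGIC = 0xCDE          # 12-bit encryption header identifier (from the text)
HDR_VERSION = 1            # 4-bit version number (from the text)
FRAG_THRESHOLD = 1200      # bytes; larger packets are fragmented before encryption
# Assumed packing; the text gives the widths but not the order of the fields:
#   H: magic << 4 | version    H: encrypted data length (assumed 16-bit)
#   B: algorithm id            3s: key ID
HDR_FMT = "!HHB3s"
HDR_LEN = struct.calcsize(HDR_FMT)   # 8 bytes
ALG_CTR_HMAC = 0x01                  # constructed id for the stand-in cipher below
NONCE_LEN, TAG_LEN = 8, 16


def pack_header(data_len: int, alg: int, key_id: int) -> bytes:
    return struct.pack(HDR_FMT, (HDR_MAGIC << 4) | HDR_VERSION,
                       data_len, alg, key_id.to_bytes(3, "big"))


def parse_header(pkt: bytes) -> Optional[Tuple[int, int, int]]:
    """First check of FIG. 7: does this look like one of our encrypted packets?
    Returns (data_len, alg, key_id), or None when the framing does not match."""
    if len(pkt) < HDR_LEN:
        return None
    word, data_len, alg, kid = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if word >> 4 != HDR_MAGIC or word & 0xF != HDR_VERSION:
        return None
    if len(pkt) != HDR_LEN + data_len:   # declared length must match the packet
        return None
    return data_len, alg, int.from_bytes(kid, "big")


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC subkeys derived from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, key_id: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the rule-specified algorithm: HMAC-SHA256
    keystream in counter mode, 16-byte HMAC-SHA256 tag over header||nonce||ct.
    The tag binds the header, so a modified key ID or length fails verification."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(k_enc, nonce, len(payload))))
    hdr = pack_header(NONCE_LEN + len(ct) + TAG_LEN, ALG_CTR_HMAC, key_id)
    tag = hmac.new(k_mac, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + nonce + ct + tag


def open_packet(keys: Dict[int, bytes], pkt: bytes) -> Optional[bytes]:
    """FIG. 7 on the receiver: check framing, find the key by key ID, verify the
    tag before decrypting, and return the original transport payload."""
    parsed = parse_header(pkt)
    if parsed is None or parsed[1] != ALG_CTR_HMAC or parsed[2] not in keys:
        return None
    hdr, body = pkt[:HDR_LEN], pkt[HDR_LEN:]
    if len(body) < NONCE_LEN + TAG_LEN:   # too short to hold nonce and tag
        return None
    k_enc, k_mac = _subkeys(keys[parsed[2]])
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expect = hmac.new(k_mac, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def select_key(keys: Dict[int, bytes], session_key_id: Optional[int],
               public_key_id: int) -> int:
    """Section 1.5 rule: use the negotiated session key if one exists, else the public key."""
    return session_key_id if session_key_id in keys else public_key_id


def split_for_mtu(payload: bytes, threshold: int = FRAG_THRESHOLD) -> List[bytes]:
    """Simplified stand-in for the pre-encryption fragmentation step: split a
    transport payload so that every piece is at most `threshold` bytes."""
    return [payload[i:i + threshold] for i in range(0, len(payload), threshold)] or [b""]
```

Two design points worth keeping when replacing the stand-in cipher with a real one: verify the tag before doing anything with the ciphertext, and include the encryption header in the authenticated data, otherwise an on-path party can redirect a packet to a different key ID or change the declared length without detection.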

Taken together, the embodiments show that the communication link security reinforcement method of the present invention provides a plug-and-play communication link security reinforcement system that works at the data link layer and does not alter the topology of the existing network. It automatically discovers the data encryption device at the communication peer and establishes a secure tunnel with it. The system uses a symmetric cryptographic mechanism, which can withstand the potential threat of quantum computing and keeps the system quantum-safe.

Claims (4)

1. A communication link security reinforcing method is characterized by comprising a link reinforcing system, wherein the link reinforcing system comprises a security server and a transparent encryption device, the security server is responsible for providing key management and encryption rule management for the transparent encryption device, the transparent encryption device is connected in series before an application device and encrypts or decrypts flowing data according to a specified rule, after the transparent encryption device is connected to a network, the transparent encryption device firstly registers in the security server to obtain a public key and a flow encryption rule, and the reinforcing method comprises the following steps:
a) equipment registration: after the transparent encryption equipment is accessed to a network, connection is initiated to the security server by using preconfigured information, the preconfigured information comprises an IP address or a domain name of the security server, a port number, an equipment identification number, an authentication key, a communication key and a current IP address of the equipment, the authentication key and the communication key are generated by the security server and are injected into the transparent encryption equipment, the authentication key is used for mutual authentication between the transparent encryption equipment and the security server, the communication key is used for data communication between the transparent encryption equipment and the security server,
after the transparent encryption equipment finishes registering, the transparent encryption equipment can continuously keep connection with the security server, and through the connection, the security server can periodically probe the state of the transparent encryption equipment, update a public key to the transparent encryption equipment and issue an encryption rule;
b) peer discovery: determining the transparent encryption device at the opposite end of a network session;
c) key management: after the peer has been found, the transparent encryption device of the receiving party knows the device identification number and the session identification number of the transparent encryption device of the sending party; the transparent encryption device of the receiving party informs the security server of these two pieces of information together with its own device identification number and session identification number and requests the security server to distribute a session key; the security server generates the session key and distributes the session key and the session identification number to the corresponding transparent encryption terminals, which can use the session key to encrypt the corresponding network session after receiving it;
d) rule management: the security server provides a rule management function; after the operation and maintenance personnel add/delete/change related encryption rules, the security server issues the rules to all or designated transparent encryption terminals through a secure connection, and after the transparent encryption terminals receive the rule management instructions, they update their own rule bases according to the instruction contents;
e) network data encryption: the transparent encryption terminal encrypts the network data packet flowing through according to the encryption rule, but only encrypts and authenticates the data above the transmission layer, the algorithm of the encryption and the authentication is specified by the encryption rule, the session key is preferentially used by the encryption key, and the public key is used for encryption under the condition that the session key does not exist.
2. The method for strengthening communication link security of claim 1, wherein the encryption rule is expressed as a six-tuple: the transport layer protocol is one of TCP and UDP, the source/destination IP address fields are expressed as an IP address and a subnet mask, and the source/destination port number ranges are expressed as a start port number and an end port number; the transparent encryption device checks the network data packets flowing through it against the encryption rules issued by the security server and encrypts the network data packets matching a rule with the algorithm specified by that rule. Before negotiating a session key with the transparent encryption device of the opposite end, the local transparent encryption device encrypts data packets with the public key of the system, and thereafter encrypts them with the session key, so that the transmission security of all data during the session is ensured.
3. The method for strengthening communication link security according to claim 1 or 2, wherein in the b) peer discovery step the peer is also informed of the related information of the network session, and the Identification field of the session's IP packet headers is used to carry the device identification number.
4. The method for securing communication links according to claim 1 or 2, wherein in the e) network data encryption step, an encryption header is inserted into the encrypted network data packet to indicate the corresponding encryption information.
Application number: CN201911017293.3A; priority date 2019-10-24; filing date 2019-10-24; title: A security reinforcement method for communication links; status: Pending.

Publication: CN110752921A (en), published 2020-02-04.

Family ID: 69279690 (one family application, CN201911017293.3A); country status: CN, CN110752921A.


Legal Events

Code / Title
PB01 / Publication
SE01 / Entry into force of request for substantive examination
