CN116545706B - Data security transmission control system, method and device and electronic equipment (Google Patents)

Info

Publication number: CN116545706B
Authority: CN (China)
Prior art keywords: data, server, keyword, target, module
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310542687.0A
Other languages: Chinese (zh)
Other versions: CN116545706A (en)
Inventors: 周文龙, 沈家昌, 吴佳欢, 陶传会
Current assignees: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignees: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd
Priority date, filing date, publication date: not shown on the page (the priority date is an assumption and is not a legal conclusion)

Events: application filed by Hexin Technology Co ltd and Hexin Technology Suzhou Co ltd; priority to CN202310542687.0A; publication of CN116545706A; application granted; publication of CN116545706B; legal status: Active.

Abstract

The invention discloses a data security transmission control system, a data security transmission control method, a data security transmission control device and electronic equipment. The invention abandons the traditional firewall or VPN solution and adopts the scheme client -> proxy node (processing and forwarding) -> service end (configuration, display and use of the data); the internal network proxy node needs only one port to communicate with the external network service end, which reduces the exposed attack surface and ensures both the security of exporting internal network data and the convenience of using it. A three-level data control scheme built from a blacklist keyword data group, a whitelist keyword data group and a redlist keyword data group is used innovatively, ensuring the correctness and compliance of exported data. The traditional AES encryption algorithm is abandoned in favour of the national cryptographic algorithm (Guomi, the SM series) for encrypting and protecting the data, eliminating the potential security risks of AES and achieving fully autonomous and controllable data security.

Description

Translated from Chinese
A data security transmission control system, method, device and electronic equipment

Technical field

The present invention relates to the field of data security technology, and specifically to a data security transmission control system, method, device and electronic equipment.

Background art

With the rapid development of Internet technology, the diversity and volume of data stored in enterprise data centers have grown enormously, and data centers face more and more data security problems.

The existing methods for solving data center security problems fall into the following three types, according to their security level: 1. The data center network is divided into an internal network and an external network, which are physically isolated, so internal network data cannot be sent to the external network. This method has the highest security, but the data is inconvenient to use: it cannot be exported, analyzed or reused. 2. Data is analyzed by a firewall that intercepts illegal data flows. This method depends on hardware, requires a large hardware investment and makes architecture changes troublesome. 3. A virtual private network (VPN) is used for network access, but this exposes the data on the external network and has low security. 4. Existing transfers of internal network data to the external network are all file-based; there is no internal/external network data transfer review system that supports both file transfer and real-time string transfer and has unified web-based management. 5. Existing internal/external network data transfer systems carry security risks such as a large number of open ports and unencrypted data.

Therefore, there is an urgent need for a new data security control system that guarantees data security while also preserving data diversity and convenience of use and keeping enterprise costs in mind.

Summary of the invention

In view of this, embodiments of the present invention provide a data security transmission control system, method, device and electronic equipment, to solve the technical problem in the prior art that, with the rapid development of Internet technology, enterprise data center data is increasingly diverse and data security problems are increasingly numerous, while existing data security control systems cannot guarantee data security and at the same time preserve data diversity and convenience and keep enterprise costs in mind.

The technical solutions proposed by the present invention are as follows:

In a first aspect, embodiments of the present invention provide a data security transmission control system comprising a server, a proxy node and a service end. The server includes a client; the server and the proxy node are located in the internal network and the service end is located in the external network; one end of the proxy node is connected to the client and the other end to the service end. The service end is used to obtain a user database, a blacklist keyword data group, a whitelist keyword data group and a redlist keyword data group, and to send the blacklist, whitelist and redlist keyword data groups to the proxy node. The client is used to obtain target user data and server data, and to send the target user data to the service end through the proxy node. The service end is further used to verify the target user data against the user database and to send the verification result to the client through the proxy node. The client is further used, when the verification result is that verification passed, to encrypt the server data with the national cryptographic algorithm to obtain server encrypted data, and to send the server encrypted data to the proxy node. The proxy node is used to process the server encrypted data with the national cryptographic algorithm and the blacklist, whitelist and redlist keyword data groups to obtain target server encrypted data, and to send the target server encrypted data to the service end. The service end is further used to decrypt the target server encrypted data with the national cryptographic algorithm to obtain target server data, and to send the target server data to the corresponding user.

In combination with the first aspect, in one possible implementation of the first aspect, the service end includes a user module used to create the user database, to configure the blacklist, whitelist and redlist keyword data groups based on the user database, and to receive an adjustment instruction sent by the client and update the redlist keyword data group according to that instruction.

In combination with the first aspect, in another possible implementation of the first aspect, the client includes a login module used to obtain the target user data, and a first data transmission module used to periodically check the timestamps of the files in a folder on the server and, when a file timestamp changes, to obtain the server update data, encrypt it with the national cryptographic algorithm and send the encrypted server update data to the service end through the proxy node.

In combination with the first aspect, in a further possible implementation of the first aspect, the first data transmission module is also used to obtain the file names in the folder by regular-expression matching, encrypt the file names with the national cryptographic algorithm and send the encrypted file names to the service end through the proxy node.

In combination with the first aspect, in a further possible implementation of the first aspect, the proxy node includes a data cleaning module and a second data transmission module, and the data cleaning module includes a second national cryptographic encryption/decryption module. The second national cryptographic encryption/decryption module is used to decrypt the server encrypted data with the national cryptographic algorithm to obtain the server data and to pass the server data to the data cleaning module. The data cleaning module is used to process the server data with the blacklist, whitelist and redlist keyword data groups to obtain the target server data and to pass it back to the second national cryptographic encryption/decryption module, which is used to encrypt it with the national cryptographic algorithm to obtain the target server encrypted data and to send the target server encrypted data to the second data transmission module. The second data transmission module is used to send the target server encrypted data to the service end.

In combination with the first aspect, in a further possible implementation of the first aspect, the service end further includes a third national cryptographic encryption/decryption module used to decrypt the target server encrypted data with the national cryptographic algorithm to obtain the target server data and to send the target server data to a message push module and an alarm module. The message push module is used to send the target server data to the user by a preset push method. The alarm module is used to send an alarm instruction to the corresponding administrator user when the target server data contains non-compliant data and that non-compliant data meets a preset alarm requirement.

In a second aspect, embodiments of the present invention provide a data security transmission control method for the data security transmission control system described in the first aspect and any of its implementations. The method includes: the client in the data security transmission control system obtains target user data and server data, sends the server data to the proxy node in the system, and sends the target user data through the proxy node to the service end in the system for verification; when verification passes, the client encrypts the server data with the national cryptographic algorithm to obtain server encrypted data and sends the server encrypted data to the proxy node; the proxy node receives the blacklist, whitelist and redlist keyword data groups sent by the service end, processes the server encrypted data with the national cryptographic algorithm and those three keyword data groups to obtain target server encrypted data, and sends the target server encrypted data to the service end; the service end decrypts the target server encrypted data with the national cryptographic algorithm to obtain target server data and sends the target server data to the corresponding user.

In a third aspect, embodiments of the present invention provide a data security transmission control device for the data security transmission control system described in the first aspect and any of its implementations. The device includes: an acquisition and transmission module, used for the client in the system to obtain target user data and server data, send the server data to the proxy node in the system, and send the target user data through the proxy node to the service end in the system for verification; an encryption and transmission module, used for the client, when verification passes, to encrypt the server data with the national cryptographic algorithm to obtain server encrypted data and send the server encrypted data to the proxy node; a processing and transmission module, used for the proxy node to receive the blacklist, whitelist and redlist keyword data groups sent by the service end, process the server encrypted data with the national cryptographic algorithm and those three keyword data groups to obtain target server encrypted data, and send the target server encrypted data to the service end; and a decryption and transmission module, used for the service end to decrypt the target server encrypted data with the national cryptographic algorithm to obtain target server data and send the target server data to the corresponding user.

In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing a computer program that causes a computer to execute the data security transmission control method described in the second aspect.

In a fifth aspect, embodiments of the present invention provide an electronic device including a memory and a processor that are communicatively connected to each other; the memory stores a computer program, and the processor executes the computer program so as to perform the data security transmission control method described in the second aspect.

The technical solution provided by the present invention has the following effects:

The data security transmission control system provided by the embodiments of the present invention abandons the traditional firewall or VPN solution and adopts the scheme client -> proxy node (processing and forwarding) -> service end (configuration, display and use of the data). The internal network proxy node needs only one port to communicate with the external network service end, which reduces the exposed attack surface and ensures both the security of exporting internal network data and the convenience of using it. A three-level data control scheme with a blacklist keyword data group, a whitelist keyword data group and a redlist keyword data group is used innovatively, ensuring the correctness and compliance of exported data. The traditional AES encryption algorithm is abandoned in favour of the national cryptographic algorithm for encrypting and protecting the data, eliminating the potential security risks of AES and achieving fully autonomous and controllable data security.

The data security transmission control method provided by the embodiments of the present invention uses the above data security transmission control system to transmit data securely, ensuring the correctness and compliance of the transmitted data and achieving fully autonomous and controllable secure data transmission.

Description of the drawings

In order to explain more clearly the specific embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a structural block diagram of a data security transmission control system according to an embodiment of the present invention;

Figure 2 is a structural block diagram of a secure network data transmission control system based on the national cryptographic algorithm according to an embodiment of the present invention;

Figure 3 is a flow chart of a data security transmission control method according to an embodiment of the present invention;

Figure 4 is a work flow chart of a secure network data transmission control system based on the national cryptographic algorithm according to an embodiment of the present invention;

Figure 5 is a structural block diagram of a data security transmission control device according to an embodiment of the present invention;

Figure 6 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention;

Figure 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed description of the embodiments

In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the invention described herein can be practised in sequences other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or are inherent to that process, method, product or device.

An embodiment of the present invention provides a data security transmission control system. As shown in Figure 1, the data security transmission control system 1 includes a server 11, a proxy node 12 and a service end 13.

The server 11 and the proxy node 12 are located in the internal network; the service end 13 is located in the external network.

It should be understood that the above system may also include other equipment and devices.

Specifically, the server 11 includes a client 111; one end of the proxy node 12 is connected to the client 111 and the other end to the service end 13.

Further, the client 111 includes a login module 1111 and a first data transmission module 1112;

The proxy node 12 includes a data cleaning module 121 and a second data transmission module 122; the data cleaning module 121 further includes a second national cryptographic encryption/decryption module 1211, which is connected to the data cleaning module 121 and to the second data transmission module 122.

The service end 13 includes a user module 131, a third national cryptographic encryption/decryption module 132, a message push module 133 and an alarm module 134. The third national cryptographic encryption/decryption module 132 is connected to the message push module 133 and to the alarm module 134.

The functions of the devices in the above system are described below.

The service end 13 is used to obtain the user database, the blacklist keyword data group, the whitelist keyword data group and the redlist keyword data group, and to send the blacklist, whitelist and redlist keyword data groups to the proxy node 12.

Specifically, the user module 131 in the service end 13 creates the user database and configures the blacklist, whitelist and redlist keyword data groups based on it. The user database may contain multiple user records, and a user record may be a user name plus password, a token key, or similar.

The client 111 is used to obtain target user data and server data, and to send the target user data to the service end 13 through the proxy node 12.

Specifically, the login module 1111 in the client 111 obtains the target user data, for example a user name plus password or a token key.

The client 111 then sends the target user data to the service end 13 for verification.

After receiving the target user data, the service end 13 compares it against the user database to complete verification, and then sends the verification result to the client 111 through the proxy node 12.

When the verification result is that verification passed, the client 111 is authorised to send data to the service end.

Specifically, the client 111 encrypts the server data obtained from the server 11 with the national cryptographic algorithm to obtain server encrypted data, which is processed by the proxy node 12 and then sent to the service end 13.

First, the client 111 sends the server encrypted data to the proxy node 12;

Then the proxy node 12 processes the received server encrypted data with the national cryptographic algorithm and the blacklist, whitelist and redlist keyword data groups to obtain target server encrypted data, and sends the target server encrypted data to the service end 13.

Specifically, the second national cryptographic encryption/decryption module 1211 in the proxy node 12 decrypts the received server encrypted data with the national cryptographic algorithm to obtain the corresponding server data, and the data cleaning module 121 processes that server data with the blacklist, whitelist and redlist keyword data groups to obtain the target server data.

The keywords in the blacklist keyword data group apply to all users: if the server data contains a keyword from the blacklist keyword data group, it is removed by the data cleaning module 121 and cannot be sent to the service end 13;

Further, each user can configure an independent redlist keyword data group, and each string in that keyword string group can be configured with an effective time or to take effect permanently. When the server data contains a keyword from the redlist keyword data group, it is likewise removed by the data cleaning module 121 and cannot be sent to the service end 13, but the user can at any time ask the admin user to adjust the contents of the keyword group, adding keyword strings or temporarily or permanently releasing a particular keyword string; that is, the user module 131 in the service end 13 can update the redlist keyword data group according to an adjustment instruction sent by the client 111.

Further, the strings in the whitelist keyword string group are configured by the user: every line of the server data must contain a string from this group.

Therefore, after processing by the data cleaning module 121, strings containing keywords from the blacklist keyword data group and the redlist keyword data group are removed from the server data and only strings containing keywords from the whitelist keyword data group are retained, yielding the cleaned server data that can be sent to the service end 13, that is, the target server data.
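As an added example (not code from the patent or from Hexin Technology), the following Python models the three-list cleaning rule of the data cleaning module 121 together with the adjustment instruction that adds or releases a redlist keyword. Function names, the sample export lines and the "deny when no whitelist string is configured" choice are assumptions of this example.

```python
"""Data cleaning module (121) modelled as a line filter over three keyword lists.

Blacklist keywords apply to every user and drop any line containing them;
redlist keywords are per user, may carry an effective time or be permanent,
and may be released temporarily or permanently by an adjustment instruction;
whitelist strings are per user and every forwarded line must contain one.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RedlistEntry:
    keyword: str
    effective_until: Optional[datetime] = None  # None = permanent
    released_until: Optional[datetime] = None   # set by a temporary release

    def active(self, now: datetime) -> bool:
        if self.effective_until is not None and now >= self.effective_until:
            return False
        if self.released_until is not None and now < self.released_until:
            return False
        return True


@dataclass
class KeywordLists:
    blacklist: Set[str]                                                     # global
    redlists: Dict[str, List[RedlistEntry]] = field(default_factory=dict)   # per user
    whitelists: Dict[str, Set[str]] = field(default_factory=dict)           # per user


def clean_lines(lines: List[str], user: str, lists: KeywordLists,
                now: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (target server data, dropped lines with the reason for each)."""
    kept: List[str] = []
    dropped: List[Tuple[str, str]] = []
    red = [e for e in lists.redlists.get(user, []) if e.active(now)]
    white = lists.whitelists.get(user, set())
    for line in lines:
        if any(k in line for k in lists.blacklist):
            dropped.append((line, "blacklist"))
        elif any(e.keyword in line for e in red):
            dropped.append((line, "redlist"))
        elif not any(w in line for w in white):
            # Assumption: with no whitelist string configured nothing is
            # forwarded (deny by default), matching "every line must contain".
            dropped.append((line, "not-whitelisted"))
        else:
            kept.append(line)
    return kept, dropped


def apply_adjustment(lists: KeywordLists, user: str, action: str, keyword: str,
                     now: datetime, duration: Optional[timedelta] = None) -> None:
    """Adjustment instruction handled by the user module: 'add' a redlist keyword
    (permanent, or effective for `duration`) or 'release' one (temporarily for
    `duration`, or permanently when no duration is given)."""
    entries = lists.redlists.setdefault(user, [])
    if action == "add":
        entries.append(RedlistEntry(keyword, effective_until=now + duration if duration else None))
    elif action == "release":
        if duration is None:
            entries[:] = [e for e in entries if e.keyword != keyword]
        else:
            for e in entries:
                if e.keyword == keyword:
                    e.released_until = now + duration
    else:
        raise ValueError(f"unknown adjustment action {action!r}")


# Constructed sample input: lines a client would read from the export folder.
NOW = datetime(2024, 1, 1, 12, 0, 0)
HOUR = timedelta(hours=1)
SAMPLE_LINES = [
    "2024-01-01 INFO export job=42 status=ok",
    "2024-01-01 INFO export job=43 status=ok secret_token=abc123",
    "2024-01-01 INFO export job=44 project=apollo status=ok",
    "2024-01-01 DEBUG heartbeat",
]
LISTS = KeywordLists(
    blacklist={"secret_token", "password="},
    redlists={"alice": [RedlistEntry("apollo"),                              # permanent
                        RedlistEntry("titan", effective_until=NOW - HOUR)]},  # expired
    whitelists={"alice": {"export"}},
)

if __name__ == "__main__":
    forwarded, removed = clean_lines(SAMPLE_LINES, "alice", LISTS, NOW)
    print("forwarded:", forwarded)
    print("dropped:", removed)
```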

Finally, the data cleaning module 121 sends the target server data to the second national cryptographic encryption/decryption module 1211, which encrypts it with the national cryptographic algorithm to obtain the target server encrypted data and sends the target server encrypted data to the service end 13.

After receiving the target server encrypted data, the service end 13 decrypts it and sends the result to the corresponding user.

Specifically, the third national cryptographic encryption/decryption module 132 decrypts the target server encrypted data with the national cryptographic algorithm to obtain the target server data and sends the target server data to the message push module 133.

After receiving the target server data, the message push module 133 sends it to the user by a preset push method, such as email or DingTalk, for the user's use.

Further, the third national cryptographic encryption/decryption module 132 also sends the target server data to the alarm module 134.

After receiving the target server data, the alarm module 134 determines whether it contains non-compliant data; if it does, the module determines whether the non-compliant data meets the preset alarm requirement and, if so, sends an alarm to the corresponding administrator user.

The preset alarm requirement is configured in advance; it may be that every piece of non-compliant data triggers an alarm, or that an alarm is triggered when N pieces of non-compliant data are sent within a period of time.

进一步,客户端111中第一数据传输模块1112,用于定期检查服务器11中文件夹内的文件时间戳,当文件时间戳发生改变,表示当前服务器数据存在更新,此时,根据上次读取文件的行数n,检查文件目前行数m,m-n即为此次需要发送的数据,即服务器更新数据。Further, the first data transmission module 1112 in the client 111 is used to regularly check the file timestamp in the folder in the server 11. When the file timestamp changes, it indicates that there is an update to the current server data. At this time, according to the last read The number of lines in the file is n, check the current number of lines in the file m, m-n is the data that needs to be sent this time, that is, the server update data.

然后,利用国密算法对服务器更新数据进行加密后,通过代理节点12将加密后的服务器更新数据发送至服务端13。具体的发送过程参考上述对服务器数据的加密过程和发送过程,此处不再赘述。Then, after using the national secret algorithm to encrypt the server update data, the encrypted server update data is sent to the server 13 through the proxy node 12 . For the specific sending process, refer to the above-mentioned encryption process and sending process of server data, which will not be described again here.

进一步,第一数据传输模块1112还用于利用正则匹配方法获取服务器11中文件夹的文件名,并利用国密算法对文件名进行加密后,通过代理节点12将加密后的文件名发送至服务端13。具体的发送过程参考上述对服务器数据的加密过程和发送过程,此处不再赘述。Further, the first data transmission module 1112 is also used to obtain the file name of the folder in the server 11 using the regular matching method, and after using the national secret algorithm to encrypt the file name, send the encrypted file name to the service through the proxy node 12 End 13. For the specific sending process, refer to the above-mentioned encryption process and sending process of server data, which will not be described again here.
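The incremental-read rule just described (re-read a file when its timestamp changes, keep the count n of lines already sent, send lines n to m, pick files by a regular expression on the name) as an added Python example; this is not code from the patent or its assignee. It stops at producing the batch of new lines and leaves the SM encryption and the proxy hop out. The folder layout, the file names, the `^app.*\.log$` pattern and the truncation handling are assumptions made here. Two points the text does not address are handled: a file that shrinks (rotation or truncation) gives m < n, so the "m - n" rule would send nothing or slice past the end, and the example resends from the first line instead; and the file size is compared alongside the timestamp, because file-system timestamps have coarse granularity and two appends within the same tick can carry the same mtime.

```python
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass
class FileCursor:
    """Per-file state the client keeps between two polls."""
    mtime_ns: int = -1
    size: int = -1
    lines_read: int = 0      # "n" in the text: lines already sent


class IncrementalReader:
    """Polls a folder and returns only the lines appended since the last poll.

    Files are picked by a regular expression on the file name. A file is
    re-read when its timestamp changes; the size is compared as well because
    file-system timestamps have coarse granularity, so two appends within the
    same tick can carry the same mtime (an addition here, not in the text).
    """

    def __init__(self, folder: str, name_pattern: str):
        self.folder = folder
        self.name_re = re.compile(name_pattern)
        self.cursors: dict = {}

    def matching_files(self):
        return sorted(f for f in os.listdir(self.folder) if self.name_re.match(f))

    def poll(self):
        """Return {file name: [new lines]} for every file that changed."""
        updates = {}
        for name in self.matching_files():
            path = os.path.join(self.folder, name)
            st = os.stat(path)
            cur = self.cursors.setdefault(name, FileCursor())
            if (st.st_mtime_ns, st.st_size) == (cur.mtime_ns, cur.size):
                continue                          # nothing new to send
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            m = len(lines)
            # Truncation or rotation: the file is now shorter than what was
            # already sent, so "lines n..m" would be empty or wrong; resend all.
            if st.st_size < cur.size or m < cur.lines_read:
                cur.lines_read = 0
            new = lines[cur.lines_read:m]         # the m - n new lines
            cur.lines_read = m
            cur.mtime_ns, cur.size = st.st_mtime_ns, st.st_size
            if new:
                updates[name] = new
        return updates


def demo():
    """Run the reader over a constructed folder and return each poll's result."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")
        with open(log, "w") as f:
            f.write("line1\nline2\n")
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("not a log\n")                # does not match the pattern
        reader = IncrementalReader(d, r"^app.*\.log$")
        files = reader.matching_files()
        first = reader.poll()                     # both existing lines
        quiet = reader.poll()                     # unchanged: nothing
        with open(log, "a") as f:
            f.write("line3\n")
        second = reader.poll()                    # only the appended line
        with open(log, "w") as f:
            f.write("fresh\n")                    # truncated / rotated
        third = reader.poll()                     # resent from the start
    return {"files": files, "first": first, "quiet": quiet,
            "second": second, "third": third}


if __name__ == "__main__":
    print(demo())
```

The reader re-reads the whole file on every change, which is fine for the small configuration and log files the text has in mind but is O(size) per poll; a production client would seek to a saved byte offset instead of counting lines, which also survives a line that is still being written when the poll runs.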

The data secure transmission control system provided by this embodiment abandons the conventional firewall or VPN solution and adopts a client -> proxy node (processing and forwarding) -> service end (configuration, display and use of data) arrangement, in which the intranet proxy node needs only one port to communicate with the service end on the external network. This reduces the exposed attack surface while ensuring both the security of exporting intranet data and the convenience of using it. It introduces a three-tier data control scheme of blacklist, whitelist and red-list keyword data groups, which ensures the correctness and compliance of the exported data. It abandons the conventional AES algorithm and protects the data with the SM algorithms, eliminating the potential security risks of AES and achieving fully autonomous and controllable data security.

In one example, a secure network data transmission control system based on SM (国密) cryptography is provided, as shown in Figure 2, comprising three parts: a client, a proxy node and a service end. The client collects the server's data and sends it to the proxy node. Both the proxy node and the client sit on the intranet; the proxy node receives the data of all clients, cleans it and sends it to the service end on the external network.

The functions of each part are described below:

(1) Client: the client comprises a login module and a data sending/receiving module.

Login module: authenticates with username + password or with a token key, communicating with the service end through the proxy node; once authentication completes, the functions matching the user's permissions become available.

Data sending/receiving module:
1. Periodically checks the timestamps of the files in the folder on the server where the client runs. A changed timestamp means the file data has been updated; given the number of lines n read last time and the current number of lines m, the m - n new lines are the data to send this time. File names are obtained by regular-expression matching. The lines added to the file are encrypted with the SM algorithm and sent to the service end through the proxy node.
2. Obtains server information from the command line and sends it to the service end through the proxy node.
3. On a click, uploads a file: the file is encrypted with the SM algorithm and sent to the service end through the proxy node.
4. Receives the data that the service end sends through the proxy node and, after decrypting it, completes the agent configuration.

(2) Proxy node: the proxy node comprises a data cleaning module and a data sending/receiving module.

Data cleaning module: receives every line of data sent by the client; after verifying that the source IP address is correct, it removes the strings that contain keywords from the blacklist or red list in the user's permissions and keeps only the strings that contain whitelist keywords.

Data sending/receiving module: sends the data cleaned by the data cleaning module and the client's authentication information to the service end; returns the service end's configuration information and authentication responses to the client; and communicates with the service end periodically to refresh the permissions of all users (IP addresses, whitelist, blacklist and red list). All data sent is encrypted with the SM algorithm, and all data received is decrypted with it.

(3) Service end: the service end comprises four parts: a user module, a message push module, an alarm module and an encryption/decryption module.

User module: provides a web page for user login and for viewing the data sent by clients. An administrator user can create users and configure, for each user, the IP addresses from which that user's client may send data and the blacklist, whitelist and red-list keyword groups. Keywords in the blacklist keyword group apply to all users: data sent by any user's client that contains one of them is removed by the proxy node and cannot reach the service end. Each user can have an independent red-list keyword group, in which each string can be given an expiry time or made permanent; data sent by the user's client that contains one of these keywords is likewise removed by the proxy node and cannot reach the service end, but the user may at any time ask the admin user to adjust the group's contents, adding keyword strings or temporarily or permanently releasing a particular string. The strings in the whitelist key-string group are configured by the user, and every line of data sent by the client must contain a string from that group.

Message push module: delivers the data a user sent through the client back to that user by at least two channels, e-mail and DingTalk, for the user's use.

Alarm module: notifies the administrator by e-mail that a user has sent non-compliant data from a certain IP node. It can be configured to alert on every item of non-compliant data, or when N items of non-compliant data are sent within a period of time.

Encryption/decryption module: decrypts the data received from the proxy node and encrypts the data sent to the proxy node, using the SM algorithm.

This system abandons the conventional firewall or VPN solution and adopts a client -> proxy node (cleaning and forwarding) -> service end (configuration, display and use of data) arrangement; the intranet proxy node needs only one port to communicate with the service end on the external network, which reduces the exposed attack surface while ensuring both the security of exporting intranet data and the convenience of using it. It introduces a three-tier data control scheme of blacklist, whitelist and red list: keywords in the blacklist apply to all users, and data sent by any user's agent must not contain them; strings in the red-list key-string group can be given an expiry time or made permanent, data sent by the user's agent must not contain them, but the user may at any time ask the admin user to adjust the group's contents and temporarily or permanently release a particular string; the strings in the whitelist key-string group are configured by the user, and every line of data sent by the agent must contain a string from that group. This ensures the correctness and compliance of the exported data. The conventional AES algorithm is abandoned in favour of the domestic commercial cryptographic (SM) algorithms, eliminating the potential security risks of AES and achieving fully autonomous and controllable data security.
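A worked Python version of the proxy node's cleaning rule and of the two alarm modes described above (the data cleaning module, user module and alarm module of this example, and the data cleaning module 121 and alarm module 134 of the embodiment). It is an example added here, not code from the patent or its assignee. The line format, the sample keywords and lines, doing the source-IP check before any keyword test, counting only blacklist and red-list matches toward alarms, and reading the whitelist as "at least one whitelist string per line" (so an empty whitelist passes nothing) are assumptions; the patent does not say whether matching is case-sensitive, so plain substring matching is used.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RedEntry:
    """A red-list string; expires_at=None means it is permanent."""
    keyword: str
    expires_at: Optional[float] = None

    def active(self, now: float) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Policy:
    """What the proxy node refreshes from the service end's user module."""
    blacklist: set                                   # global, applies to every user
    redlist: dict = field(default_factory=dict)      # user -> [RedEntry]
    whitelist: dict = field(default_factory=dict)    # user -> set of required strings
    allowed_ips: dict = field(default_factory=dict)  # user -> set of permitted source IPs


def classify(policy: Policy, user: str, line: str, now: float):
    """Return None if the line may leave the intranet, else a rejection reason.

    Black and red lists are checked before the whitelist so that a line carrying
    a required tag *and* a forbidden word is still rejected (plain substring match).
    """
    for kw in sorted(policy.blacklist):
        if kw in line:
            return "blacklist:" + kw
    for entry in policy.redlist.get(user, []):
        if entry.active(now) and entry.keyword in line:
            return "redlist:" + entry.keyword
    # Assumption: pass if at least one whitelist string is present; fail closed otherwise.
    if not any(w in line for w in policy.whitelist.get(user, set())):
        return "whitelist"
    return None


def clean(policy: Policy, user: str, src_ip: str, lines, now: Optional[float] = None):
    """Split one client batch into (kept, rejected), rejected = [(line, reason)]."""
    now = time.time() if now is None else now
    if src_ip not in policy.allowed_ips.get(user, set()):
        return [], [(line, "ip:" + src_ip) for line in lines]   # IP check comes first
    kept, rejected = [], []
    for line in lines:
        reason = classify(policy, user, line, now)
        if reason is None:
            kept.append(line)
        else:
            rejected.append((line, reason))
    return kept, rejected


class AlertTracker:
    """'Every hit' (n=1) or 'N hits within window_s seconds', counted per (user, ip).

    Only blacklist and red-list matches count, as in the workflow's alarm definition.
    """

    def __init__(self, n: int = 1, window_s: float = 0.0):
        self.n, self.window_s = n, window_s
        self.hits = defaultdict(deque)

    def record(self, user: str, ip: str, reason: str, now: float) -> bool:
        if not reason.startswith(("blacklist:", "redlist:")):
            return False
        q = self.hits[(user, ip)]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.n:
            q.clear()          # one alarm per burst, then count again
            return True
        return False


def demo():
    """Run the rules over a constructed batch; returns what each stage produced."""
    now = 1_700_000_000.0
    policy = Policy(
        blacklist={"password", "secret"},
        redlist={"alice": [RedEntry("project-x", expires_at=now + 3600),
                           RedEntry("legacy", expires_at=now - 1),    # already expired
                           RedEntry("internal-ip")]},                 # permanent
        whitelist={"alice": {"EXPORT", "REPORT"}},
        allowed_ips={"alice": {"10.0.0.5"}},
    )
    batch = [                                    # constructed sample lines
        "EXPORT build 1234 ok",
        "EXPORT db password=hunter2",
        "REPORT project-x status green",
        "REPORT legacy module retired",
        "debug trace without tag",
        "EXPORT secret token issued",
    ]
    kept, rejected = clean(policy, "alice", "10.0.0.5", batch, now)
    every, burst = AlertTracker(n=1), AlertTracker(n=3, window_s=60)
    fired_every = fired_burst = 0
    for i, (_, reason) in enumerate(rejected):
        fired_every += every.record("alice", "10.0.0.5", reason, now + i)
        fired_burst += burst.record("alice", "10.0.0.5", reason, now + i)
    _, from_bad_ip = clean(policy, "alice", "192.0.2.9", batch, now)
    return {"kept": kept, "reasons": [r for _, r in rejected],
            "fired_every": fired_every, "fired_burst": fired_burst,
            "bad_ip_rejected": len(from_bad_ip)}
```

Two caveats a practitioner would add that the page does not address: substring keyword matching on plaintext lines only catches what the list authors anticipated, so an encoded or split value (base64, hex, one character per line) passes the blacklist, and the required whitelist tag stops accidental exports rather than deliberate ones; and the burst counter lives in the proxy's memory per (user, IP), so a proxy restart resets an in-progress "N within a period" count.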

An embodiment of the invention provides a data secure transmission control method for use in the data secure transmission control system 1 described above; as shown in Figure 3, the method comprises the following steps:

Step 301: the client in the data secure transmission control system obtains target user data and server data, sends the server data to the proxy node of the system, and sends the target user data through the proxy node to the service end of the system for verification.

For the specific acquisition and transmission process, refer to the description above of the interaction between the client 111, the proxy node 12 and the service end 13 in the data secure transmission control system 1; it is not repeated here.

Further, for the verification of the target user data, refer to the functional description of the service end 13 above; it is not repeated here.

Step 302: once verification passes, the client encrypts the server data with the SM algorithm to obtain server encrypted data and sends the server encrypted data to the proxy node.

For the specific encryption process, refer to the functional description of the client 111 above; for the specific sending process, refer to the description of the interaction between the client 111 and the proxy node 12; neither is repeated here.

Step 303: the proxy node receives the blacklist, whitelist and red-list keyword data groups sent by the service end, processes the server encrypted data using the SM algorithm and the blacklist, whitelist and red-list keyword data groups to obtain target server encrypted data, and sends the target server encrypted data to the service end.

Specifically, for how the blacklist, whitelist and red-list keyword data groups are obtained, refer to the functional description of the user module of the service end 13 above; it is not repeated here.

Further, for how the target server encrypted data is obtained, refer to the description above of the interaction and functions of the second SM encryption/decryption module 1211, the data cleaning module 121 and the second data transmission module 122 in the proxy node 12; it is not repeated here.

Further, for sending the target server encrypted data to the service end, refer to the description above of the interaction between the proxy node 12 and the service end 13; it is not repeated here.

Step 304: the service end decrypts the target server encrypted data with the SM algorithm to obtain the target server data and sends the target server data to the corresponding user.

For the specific decryption process, refer to the functional description of the third SM encryption/decryption module 132 above; it is not repeated here.

For the specific sending process, refer to the functional description of the message push module 133 above; it is not repeated here.

Further, if the decrypted target server data contains non-compliant data and that non-compliant data meets the preset alarm requirement, an alarm instruction is sent to the corresponding administrator user.

The preset alarm requirement is configured in advance: either every item of non-compliant data triggers an alarm, or an alarm is triggered when N items of non-compliant data are sent within a period of time.

For the specific sending process, refer to the functional description of the alarm module 134 above; it is not repeated here.

The data secure transmission control method of this embodiment uses the data secure transmission control system of this embodiment for secure data transmission, ensuring the correctness and compliance of the transmitted data and achieving fully autonomous and controllable secure data transmission.

In one example, as shown in Figure 4, the workflow of the SM-based secure network data transmission control system of the example above is as follows:

1. The administrator logs in to the web page of the service end's user module and configures the global blacklist and the users' default red list (data sent by any user's agent must not contain keywords from the blacklist or red-list keyword groups; a user may ask the admin user to adjust the contents of the red-list keyword group by adding keyword strings or temporarily or permanently releasing a particular string), creates alarms (notify the administrator when a string from the user's blacklist or red list is matched N times, or on every match), and creates users (username, password, compliant IP).

2. The user views the currently effective red list on the web page of the service end's user module, asks the administrator as needed to add red-list content or modify its content and validity period, configures the whitelist (data sent by the user must contain a string from the whitelist string group), and configures delivery of the data by e-mail or DingTalk.

3. Using the client, the user requests authentication from the service end through the proxy node with username + password or a token; once authentication passes, the user has permission to send data, and the data stream sent by the client is encrypted with the SM algorithm.

4. The service end returns the authentication result to the client through the proxy node. Once authenticated, the client periodically sends file contents to the service end through the proxy node; the proxy node cleans the data, records the non-compliant data, and sends both the compliant data and the record of non-compliant data to the service end, with the proxy node's data stream encrypted with the SM algorithm.

5. The service end receives the data from the proxy node, decrypts it with the SM algorithm, displays it on the front-end page, delivers it to the user by e-mail or DingTalk according to the user's configuration, and, if the non-compliant data meets the alarm requirement, sends an e-mail alarm to the administrator.

An embodiment of the invention also provides a data secure transmission control apparatus for use in the data secure transmission control system 1 described above; as shown in Figure 5, the apparatus comprises:

an acquisition and transmission module 501, for the client in the data secure transmission control system to obtain target user data and server data, send the server data to the proxy node of the system, and send the target user data through the proxy node to the service end of the system for verification; for details see the description of step 301 in the method embodiment above;

an encryption and transmission module 502, for the client, once verification passes, to encrypt the server data with the SM algorithm to obtain server encrypted data and send the server encrypted data to the proxy node; for details see the description of step 302 in the method embodiment above;

a processing and transmission module 503, for the proxy node to receive the blacklist, whitelist and red-list keyword data groups sent by the service end, process the server encrypted data using the SM algorithm and the blacklist, whitelist and red-list keyword data groups to obtain target server encrypted data, and send the target server encrypted data to the service end; for details see the description of step 303 in the method embodiment above;

a decryption and transmission module 504, for the service end to decrypt the target server encrypted data with the SM algorithm to obtain the target server data and send the target server data to the corresponding user; for details see the description of step 304 in the method embodiment above.

The data secure transmission control apparatus of this embodiment uses the data secure transmission control system of this embodiment for secure data transmission, ensuring the correctness and compliance of the transmitted data and achieving fully autonomous and controllable secure data transmission.

For a detailed functional description of the data secure transmission control apparatus of this embodiment, refer to the description of the data secure transmission control method in the embodiment above.

An embodiment of the invention also provides a storage medium, as shown in Figure 6, on which a computer program 601 is stored; when executed by a processor, the program implements the steps of the data secure transmission control method of the embodiment above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or a combination of these types of memory.

Those skilled in the art will understand that all or part of the processes of the method embodiments above can be carried out by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or a combination of these types of memory.

An embodiment of the invention also provides an electronic device, as shown in Figure 7, which may comprise a processor 71 and a memory 72 connected by a bus or by other means; Figure 7 takes a bus connection as the example.

The processor 71 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of such chips.

The memory 72, as a non-transitory computer-readable storage medium, can store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the embodiments of the invention. By running the non-transitory software programs, instructions and modules stored in the memory 72, the processor 71 performs its functional applications and data processing, that is, implements the data secure transmission control method of the method embodiment above.

The memory 72 may comprise a program storage area and a data storage area; the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store data created by the processor 71 and the like. The memory 72 may comprise high-speed random access memory and may also comprise non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments the memory 72 may optionally comprise memory located remotely from the processor 71 and connected to it through a network; examples of such networks include, without limitation, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.

The one or more modules are stored in the memory 72 and, when executed by the processor 71, perform the data secure transmission control method of the embodiments shown in Figures 3 and 4.

The specific details of the electronic device can be understood with reference to the corresponding descriptions and effects in the embodiments shown in Figures 3 and 4 and are not repeated here.

Although the embodiments of the invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims: 10.

Application CN202310542687.0A, filed 2023-05-15 (priority date 2023-05-15): "Data security transmission control system, method and device and electronic equipment"; family ID 87443187.

Publications: CN116545706A (application), published 2023-08-04; CN116545706B (granted patent), published 2024-01-23. Legal status: Active (CN).

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
CN117319093A (en)*2023-11-302023-12-29国网江苏省电力有限公司 A data access service method based on isolation device

Citations (9)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
CN102646173A (en)*2012-02-292012-08-22成都新云软件有限公司Safety protection control method and system based on white and black lists
CN104767752A (en)*2015-04-072015-07-08西安汇景倬元信息技术有限公司Distributed network isolating system and method
CN108337249A (en)*2018-01-192018-07-27论客科技(广州)有限公司A kind of data safe transmission method, system and device
CN111934879A (en)*2020-07-082020-11-13福建亿能达信息技术股份有限公司Data transmission encryption method, device, equipment and medium for internal and external network system
CN112751839A (en)*2020-12-252021-05-04江苏省未来网络创新研究院Anti-virus gateway processing acceleration strategy based on user traffic characteristics
WO2021088641A1 (en)*2019-11-072021-05-14中兴通讯股份有限公司Data transmission method, data processing method, data reception method and device, and storage medium
CN113094697A (en)*2021-04-202021-07-09云南电网有限责任公司信息中心Safety protection control method based on black and white list
CN115174262A (en)*2022-08-022022-10-11浙江中控技术股份有限公司Method and device for safely accessing internal network and electronic equipment
CN115549988A (en)*2022-09-192022-12-30江苏省人民医院(南京医科大学第一附属医院)Internal and external network data transmission system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20170171170A1 (en)*2015-12-092017-06-15Xasp Security, LlcDynamic encryption systems

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102646173A (en) * | 2012-02-29 | 2012-08-22 | 成都新云软件有限公司 | Safety protection control method and system based on white and black lists
CN104767752A (en) * | 2015-04-07 | 2015-07-08 | 西安汇景倬元信息技术有限公司 | Distributed network isolating system and method
CN108337249A (en) * | 2018-01-19 | 2018-07-27 | 论客科技(广州)有限公司 | A kind of data safe transmission method, system and device
WO2021088641A1 (en) * | 2019-11-07 | 2021-05-14 | 中兴通讯股份有限公司 | Data transmission method, data processing method, data reception method and device, and storage medium
CN111934879A (en) * | 2020-07-08 | 2020-11-13 | 福建亿能达信息技术股份有限公司 | Data transmission encryption method, device, equipment and medium for internal and external network system
CN112751839A (en) * | 2020-12-25 | 2021-05-04 | 江苏省未来网络创新研究院 | Anti-virus gateway processing acceleration strategy based on user traffic characteristics
CN113094697A (en) * | 2021-04-20 | 2021-07-09 | 云南电网有限责任公司信息中心 | Safety protection control method based on black and white list
CN115174262A (en) * | 2022-08-02 | 2022-10-11 | 浙江中控技术股份有限公司 | Method and device for safely accessing internal network and electronic equipment
CN115549988A (en) * | 2022-09-19 | 2022-12-30 | 江苏省人民医院(南京医科大学第一附属医院) | Internal and external network data transmission system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A file secure transmission system based on forwarding isolation (基于转发隔离的文件安全传输系统); 夏演; 王煜; Journal of Anhui University of Science and Technology (Natural Science Edition) (安徽理工大学学报(自然科学版)), Issue 01; full text *
夏演; 王煜. A file secure transmission system based on forwarding isolation (基于转发隔离的文件安全传输系统). Journal of Anhui University of Science and Technology (Natural Science Edition) (安徽理工大学学报(自然科学版)). 2018, Issue 01, full text. *

Also Published As

Publication number | Publication date
CN116545706A (en) | 2023-08-04

Similar Documents

Publication | Publication Date | Title
US9852300B2 (en) | | Secure audit logging
US9065593B2 (en) | | Securing speech recognition data
CN104244026B (en) | | A kind of key distribution device in video monitoring system
CA2939956C (en) | | Secure removable storage for aircraft systems
CN112235232A (en) | | System and method for remote debugging of intellectual property protection
US9998287B2 (en) | | Secure authentication of remote equipment
US11063917B2 (en) | | Communication network with rolling encryption keys and data exfiltration control
CN106797310A (en) | | The security and data-privacy of illumination sensor network
US10230695B2 (en) | | Distribution of secure data with entitlement enforcement
CN105939484A (en) | | Audio/video encrypted playing method and system thereof
US20120167196A1 (en) | | Automatic Virtual Private Network
WO2017215582A1 (en) | | Encrypted content detection method and apparatus
US20180124025A1 (en) | | Providing visibility into encrypted traffic without requiring access to the private key
US10158610B2 (en) | | Secure application communication system
KR101839048B1 (en) | | End-to-End Security Platform of Internet of Things
CN116545706B (en) | | Data security transmission control system, method and device and electronic equipment
CN109039997A (en) | | Key preparation method, apparatus and system
CN105991606A (en) | | OpenFlow message processing method and network element
CN110912941A (en) | | Transmission processing method and device for multicast data
US20240250815A1 (en) | | Scalable key state for network encryption
US12375471B2 (en) | | Securely deliver decrypted data of mirrored VPN traffic
US20130283363A1 (en) | | Secure data transfer over an arbitrary public or private transport
US20250226974A1 (en) | | Method and apparatus for distributing encrypted device unique credentials
WO2019141113A1 (en) | | Data decryption method and apparatus, and electronic device
US11153288B2 (en) | | System and method for monitoring leakage of internal information by analyzing encrypted traffic

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
| GR01 | Patent grant |
| PP01 | Preservation of patent right |
| PP01 | Preservation of patent right | Effective date of registration: 20250725; Granted publication date: 20240123
