
CN-121396661-B - SM4-based VPN construction method and device, electronic equipment and storage medium

CN121396661B

Abstract

The invention belongs to the field of information security and relates to a VPN (virtual private network) construction method, device, electronic equipment and storage medium based on SM4. The method comprises: accelerating the SM4 algorithm by precomputation and memory lookup, and providing the underlying encryption engine for the VPN system; designing an optimized communication protocol based on Base91 encoding and partial encryption, adding transmission control information to each encrypted data block and identifying the combination of security policies applied to it, so that the receiving end can parse and process it correctly; providing a message obfuscation mechanism as an optional obfuscation encryption layer for data that needs a higher level of confidentiality protection; performing dynamic one-time (per-session) key management based on a key derivation function and a timestamp; integrating a time window and performing comprehensive security verification of the HMAC; and updating a dynamic relation library that supports distributed computation, so that the VPN service architecture can be scaled out. Computing efficiency is improved, encryption and decryption speed is significantly increased, resource usage is reduced, and security is ensured.

Inventors

  • QI JIANHUAI
  • XU GUOQIAN
  • HAN DANDAN
  • HU JINHUA

Assignees

  • 深圳市永达电子信息股份有限公司

Dates

Publication Date
2026-05-12
Application Date
2025-12-23

Claims (8)

  1. A method for constructing a VPN based on SM4, comprising the steps of: accelerating the SM4 algorithm by precomputation and memory lookup, and providing the underlying encryption engine for the VPN system; designing an optimized communication protocol based on Base91 encoding and partial encryption, adding transmission control information to each encrypted data block and identifying the combination of security policies applied to the data block, so that the receiving end can parse and process the data block correctly; based on the chained decoding dependency of Base91 encoding, providing a message obfuscation mechanism as an optional, enhanced obfuscation encryption layer for data requiring a higher level of confidentiality protection; performing dynamic one-time key management of the VPN communication session key based on a key derivation function and a timestamp; integrating a time window and performing comprehensive security verification of the HMAC; and updating a dynamic relation library that supports distributed computation and scaling out the VPN service architecture; wherein the step of accelerating the SM4 algorithm by precomputation and memory lookup and providing the underlying encryption engine for the VPN system specifically comprises: constructing a plaintext-to-hash mapping relation library; generating a bidirectional SM4 encryption/decryption relation library; and, after the bidirectional SM4 encryption/decryption relation library has been encrypted and issued by the security management and control platform, decrypting it with the security management and control agent at the VPN client and loading it into a protected memory area; and wherein the step of providing an optional, enhanced obfuscation encryption layer for data requiring a higher level of confidentiality protection specifically comprises: the sending end extracting the header of the encrypted data block and applying a second Base91 encoding to it; SM4-encrypting the header after the second Base91 encoding; and recombining the doubly encoded, encrypted header with the remainder of the original data to form a complete data block.
  2. The method for constructing a VPN based on SM4 according to claim 1, wherein the step of designing an optimized communication protocol based on Base91 encoding and partial encryption, adding transmission control information to the encrypted data block and identifying the combination of security policies applied to it so that the receiving end can parse and process it correctly, specifically comprises: the sending end splitting the original message into fixed-length blocks and Base91-encoding them; encrypting the header of each Base91-encoded block using the SM4 relation library; and encapsulating the data block and marking the policy identifier.
  3. The method for constructing a VPN based on SM4 according to claim 1, wherein the step of performing dynamic one-time key management of the VPN communication session key based on a key derivation function and a timestamp specifically comprises: generating key derivation material; dynamically deriving the session key with HKDF; and managing the lifecycle of the session key.
  4. The method for constructing a VPN based on SM4 according to claim 1, wherein the step of integrating a time window and performing comprehensive security verification of the HMAC specifically comprises: encapsulating the data packet and generating the HMAC at the sending end; performing HMAC verification and integrity verification at the receiving end; and, after the HMAC verification has passed, further checking whether the timestamp of the data packet falls within the time window.
  5. The method for constructing a VPN based on SM4 according to any one of claims 1 to 4, wherein the step of updating the dynamic relation library that supports distributed computation and scaling out the VPN service architecture specifically comprises: when a relation library must be generated for a new SM4 key, decomposing the precomputation task and scheduling it to a plurality of computing nodes for parallel execution; distributing the new relation library produced by the distributed computation to all online VPN terminals, completing the switch-over of the relation library and thereby achieving dynamic key update; and performing load balancing and setting up an elastically scalable VPN service architecture.
  6. An SM4-based VPN device, comprising: an algorithm acceleration module for accelerating the SM4 algorithm by precomputation and memory lookup and providing the underlying encryption engine for the VPN system; a protocol optimization module for designing an optimized communication protocol based on Base91 encoding and partial encryption, adding transmission control information to each encrypted data block and identifying the combination of security policies applied to the data block, so that the receiving end can parse and process it correctly; a data obfuscation module for providing, based on the chained decoding dependency of Base91 encoding, a message obfuscation mechanism as an optional, enhanced obfuscation encryption layer for data requiring a higher level of confidentiality protection; a dynamic key management module for performing dynamic one-time key management of the VPN communication session key based on a key derivation function and a timestamp; a security verification module for integrating a time window and performing comprehensive security verification of the HMAC; and an elastic scaling module for updating a dynamic relation library that supports distributed computation and scaling out the VPN service architecture; wherein the algorithm acceleration module is further configured to: construct a plaintext-to-hash mapping relation library; generate a bidirectional SM4 encryption/decryption relation library; and, after the bidirectional SM4 encryption/decryption relation library has been encrypted and issued by the security management and control platform, have it decrypted by the security management and control agent at the VPN client and loaded into a protected memory area; and wherein the data obfuscation module is further configured to: at the sending end, extract the header of the encrypted data block and apply a second Base91 encoding to it; SM4-encrypt the header after the second Base91 encoding; and recombine the doubly encoded, encrypted header with the remainder of the original data to form a complete data block.
  7. An electronic device comprising a memory and a processor, the memory storing computer-readable instructions which, when executed by the processor, implement the steps of the SM4-based VPN construction method of any one of claims 1 to 5.
  8. A computer-readable storage medium, characterized in that it stores computer-readable instructions which, when executed by a processor, implement the steps of the SM4-based VPN construction method of any one of claims 1 to 5.
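The precomputation-and-lookup engine of claim 1 (the "bidirectional relation library"), as an added example that is not the patent's code: a minimal SM4 block cipher in Python and a bidirectional plaintext/ciphertext table built for one key over a dictionary of blocks, consulted before falling back to the full 32-round computation. The cipher constants are those of GB/T 32907-2016; the class and function names, the dictionary contents and the hit/miss counters are assumptions made for this example.

```python
# Added example, not the patent's code: a minimal SM4 block cipher and a
# precomputed bidirectional plaintext<->ciphertext table for one key (the
# "relation library" of claim 1), consulted before the 32-round computation.
import struct

SBOX = bytes.fromhex(                                   # GB/T 32907-2016 S-box
    "d690e9fecce13db716b614c228fb2c05" "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62" "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8" "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887" "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1" "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f" "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8" "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684" "18f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# the standard defines CK[i] as the four bytes ((4*i + j) * 7) mod 256, j = 0..3
CK = tuple(int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
           for i in range(32))
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _tau(x):  # byte-wise S-box substitution of a 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _t_round(x):  # T = L o tau, the round function
    b = _tau(x)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_key(x):  # T' = L' o tau, the key-schedule transform
    b = _tau(x)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key: bytes) -> list:
    k = [mk ^ fk for mk, fk in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def _crypt_block(block: bytes, rks) -> bytes:
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ _t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rks[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])   # reverse output order

def sm4_encrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, sm4_round_keys(key))

def sm4_decrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, sm4_round_keys(key)[::-1])   # same rounds, keys reversed

class Sm4RelationLibrary:
    """Bidirectional table for ONE key over a fixed dictionary of 16-byte blocks.

    A 128-bit block space cannot be tabulated, so the table only pays off for
    blocks that recur (fixed headers, padding, policy constants). Whoever holds
    the table can encrypt and decrypt every block in it without the key, which
    is why claim 1 ships it encrypted and loads it into protected memory. The
    dict's hashing of the plaintext plays the role of the plaintext-to-hash map."""

    def __init__(self, key: bytes, dictionary):
        self._rks = sm4_round_keys(key)                     # fallback for misses
        self._enc = {pt: _crypt_block(pt, self._rks) for pt in dictionary}
        self._dec = {ct: pt for pt, ct in self._enc.items()}
        self.hits = self.misses = 0

    def _lookup(self, table, block, rks):
        cached = table.get(block)
        if cached is not None:
            self.hits += 1
            return cached
        self.misses += 1
        return _crypt_block(block, rks)

    def encrypt(self, pt: bytes) -> bytes:
        return self._lookup(self._enc, pt, self._rks)

    def decrypt(self, ct: bytes) -> bytes:
        return self._lookup(self._dec, ct, self._rks[::-1])

def demo():
    # Constructed inputs: the GB/T 32907 test key/plaintext plus a made-up fixed
    # protocol header, standing in for blocks a VPN sees over and over.
    key = bytes.fromhex("0123456789abcdeffedcba9876543210")
    header = b"SM4VPN-HDR-v1\x00\x00\x00"
    lib = Sm4RelationLibrary(key, [key, header])
    ct = lib.encrypt(key)                         # hit
    assert lib.decrypt(ct) == key                 # hit
    lib.encrypt(bytes(16))                        # miss: computed on the fly
    return ct.hex(), lib.hits, lib.misses         # ('681edf34d206965e86b3e94f536e4246', 2, 1)
```

Two points a practitioner should keep in mind when reading claim 1 against this code: the table maps a block to the same ciphertext every time it occurs, so the engine still needs a proper mode of operation above it (block-level lookup is ECB-like on its own), and a loaded table is key-equivalent for every block it contains, which is exactly why the patent has the platform distribute it encrypted and the agent keep it in protected memory.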

Description

SM4-based VPN construction method and device, electronic equipment and storage medium

Technical Field

The present invention relates to the field of information security technologies, and in particular to a method, an apparatus, an electronic device and a storage medium for constructing a VPN based on SM4.

Background

In the current digital age, VPNs (virtual private networks) are widely used as a key technology for securing data transmission in enterprise office, remote access, cross-border data transfer and similar settings. However, when a conventional VPN adopts the SM4 encryption algorithm it often suffers from low computational efficiency and high communication latency, and especially when handling large-scale data transmission or highly concurrent access it is difficult to satisfy users' dual requirements of speed and security.

Disclosure of Invention

To solve these technical problems, the invention provides an SM4-based VPN construction method that adopts the following technical scheme. The method comprises the following steps: accelerating the SM4 algorithm by precomputation and memory lookup, and providing the underlying encryption engine for the VPN system; designing an optimized communication protocol based on Base91 encoding and partial encryption, adding transmission control information to each encrypted data block and identifying the combination of security policies applied to the data block, so that the receiving end can parse and process it correctly; based on the chained decoding dependency of Base91 encoding, providing a message obfuscation mechanism as an optional, enhanced obfuscation encryption layer for data requiring a higher level of confidentiality protection; performing dynamic one-time key management based on a key derivation function and a timestamp; integrating a time window and performing comprehensive security verification of the HMAC; and updating a dynamic relation library that supports distributed computation and scaling out the VPN service architecture.

Preferably, the step of accelerating the SM4 algorithm by precomputation and memory lookup and providing the underlying encryption engine for the VPN system specifically comprises: constructing a plaintext-to-hash mapping relation library; generating a bidirectional SM4 encryption/decryption relation library; and, after the bidirectional SM4 encryption/decryption relation library has been encrypted and issued by the security management and control platform, decrypting it with the security management and control agent at the VPN client and loading it into a protected memory area.

Preferably, the step of adding transmission control information to the encrypted data block and identifying the combination of security policies applied to it, based on the optimized communication protocol of Base91 encoding and partial encryption, so that the receiving end can parse and process it correctly, specifically comprises: the sending end splitting the original message into fixed-length blocks and Base91-encoding them; encrypting the header of each Base91-encoded block using the SM4 relation library; and encapsulating the data block and marking the policy identifier.

Preferably, the step of providing an optional, enhanced obfuscation encryption layer for data requiring a higher level of confidentiality protection by means of a message obfuscation mechanism based on the chained decoding dependency of Base91 encoding specifically comprises: the sending end extracting the header of the encrypted data block and applying a second Base91 encoding to it; SM4-encrypting the header after the second Base91 encoding; and recombining the doubly encoded, encrypted header with the remainder of the original data to form a complete data block.

Preferably, the step of performing dynamic one-time key management based on a key derivation function and a timestamp specifically comprises: generating key derivation material; dynamically deriving the session key with HKDF; and managing the lifecycle of the session key.

Preferably, the step of integrating a time window and performing comprehensive security verification of the HMAC specifically comprises: encapsulating the data packet and generating the HMAC at the sending end; performing HMAC verification and integrity verification at the receiving end; and, after the HMAC verification has passed, further checking whether the timestamp of the data packet falls within the time window.

Preferably, the step of updating the dynamic relation library that supports distributed computation and scaling out the VPN service architecture specifically comprises: when a relation library must be generated for a new SM
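The "chained decoding dependency" of Base91 that the obfuscation layer of claim 1 and the description rely on, as an added example that is not the patent's code: a basE91 encoder/decoder in Python following Joachim Henke's reference algorithm, plus a helper that models a receiver which does not have the exact leading symbols (the part the patent would SM4-encrypt; that cipher step is omitted here, any block cipher over the header symbols would do). The message, the helper names and the choice of replacement symbols are assumptions made for this example.

```python
# Added example, not the patent's code: a reference-style basE91 codec and a
# demonstration of its chained decoding dependency. The decoder carries a bit
# buffer across symbol pairs and the number of bits a pair contributes (13 or
# 14) depends on the pair's value, so wrong leading symbols can shift the bit
# alignment of every byte that follows.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&()*+,./:;<=>?@[]^_`{|}~\"")
DECODE = {c: i for i, c in enumerate(ALPHABET)}

def b91_encode(data: bytes) -> str:
    out, b, n = [], 0, 0
    for byte in data:
        b |= byte << n
        n += 8
        if n > 13:
            v = b & 8191
            if v > 88:                    # 13-bit symbol pair
                b >>= 13
                n -= 13
            else:                         # 14-bit symbol pair
                v = b & 16383
                b >>= 14
                n -= 14
            out.append(ALPHABET[v % 91] + ALPHABET[v // 91])
    if n:
        out.append(ALPHABET[b % 91])
        if n > 7 or b > 90:
            out.append(ALPHABET[b // 91])
    return "".join(out)

def b91_decode(text: str) -> bytes:
    out, b, n, v = bytearray(), 0, 0, -1
    for ch in text:
        c = DECODE.get(ch)
        if c is None:
            continue                      # characters outside the alphabet are skipped
        if v < 0:
            v = c
            continue
        v += c * 91
        b |= v << n
        n += 13 if (v & 8191) > 88 else 14   # value-dependent step: the chain link
        while n > 7:
            out.append(b & 255)
            b >>= 8
            n -= 8
        v = -1
    if v >= 0:
        out.append((b | v << n) & 255)
    return bytes(out)

def desync_first_pair(encoded: str) -> str:
    """Model a receiver lacking the true leading symbols: replace the first pair
    with one that contributes the other bit count (14 instead of 13 or vice
    versa). 'AA' encodes v = 0 (14 bits), 'AB' encodes v = 91 (13 bits)."""
    v = DECODE[encoded[0]] + 91 * DECODE[encoded[1]]
    return ("AA" if (v & 8191) > 88 else "AB") + encoded[2:]

def demo():
    # Constructed message: a short header followed by a payload.
    message = b"policy=03;seq=0001;The quick brown fox jumps over the lazy dog."
    encoded = b91_encode(message)
    without_header = b91_decode(desync_first_pair(encoded))
    return (b91_decode(encoded) == message,          # True: exact symbols decode
            without_header[-8:] == message[-8:])     # False: even the tail is lost
```

This dependency is a property of the encoding, not a cryptographic guarantee: the first pair has only 91 x 91 possible values, so a receiver can brute-force the alignment if the leading symbols are merely unknown rather than encrypted. Confidentiality of the remainder therefore still rests on the SM4 encryption of the blocks (claim 2) and of the extracted header, with the desynchronization adding obfuscation on top, which is how the patent itself describes the layer.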
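The timestamp-bound session key derivation of claim 3 and the HMAC-then-time-window verification of claim 4 (both repeated in the description), as an added example that is not the patent's code: HKDF per RFC 5869 over HMAC, one key pair per session, and a receiver that authenticates the packet before it trusts the timestamp inside it. Standard library only; SHA-256 stands in for the hash because SM3 is not guaranteed to be present in hashlib. The packet layout, magic bytes, policy flag values, window length and the sample secret are assumptions made for this example.

```python
# Added example, not the patent's code: HKDF session keys bound to a timestamp
# (claim 3) and HMAC verification followed by a time-window check (claim 4).
import hmac
import hashlib
import struct

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size
HEADER = ">2sBQ4s"                 # assumed layout: magic | policy byte | packet timestamp | session id
POLICY_HEADER_ENC = 0x01           # assumed flag: Base91 block header SM4-encrypted
POLICY_OBFUSCATE = 0x02            # assumed flag: extra obfuscation layer applied
WINDOW_SECONDS = 30                # assumed acceptance window

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_keys(master_secret: bytes, session_id: bytes, session_ts: int):
    """One (enc, mac) pair per session: the session timestamp goes into the salt
    and the session id into the info string, so no two sessions share keys and
    the peer, who sees both values in clear, can re-derive them."""
    salt = struct.pack(">Q", session_ts)
    enc_key = hkdf(master_secret, salt, b"sm4-vpn enc|" + session_id, 16)
    mac_key = hkdf(master_secret, salt, b"sm4-vpn mac|" + session_id, 32)
    return enc_key, mac_key

def seal(mac_key: bytes, session_id: bytes, policy: int, ciphertext: bytes, now: int) -> bytes:
    """Sender: header || ciphertext || HMAC(header || ciphertext)."""
    header = struct.pack(HEADER, b"SV", policy, now, session_id)
    return header + ciphertext + hmac.new(mac_key, header + ciphertext, HASH).digest()

def open_packet(mac_key: bytes, packet: bytes, now: int, window: int = WINDOW_SECONDS):
    """Receiver: verify the tag BEFORE trusting any header field, then apply the
    time window to the now-authenticated timestamp (the order claim 4 gives)."""
    hdr_len = struct.calcsize(HEADER)
    if len(packet) < hdr_len + TAG_LEN:
        raise ValueError("truncated packet")
    header, body, tag = packet[:hdr_len], packet[hdr_len:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, HASH).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        raise ValueError("HMAC verification failed")
    magic, policy, ts, session_id = struct.unpack(HEADER, header)
    if magic != b"SV":
        raise ValueError("bad magic")
    if abs(now - ts) > window:                        # stale, replayed late, or far-future
        raise ValueError("timestamp outside time window")
    return policy, session_id, body

def demo():
    master = bytes(range(32))                  # constructed shared secret
    session_id, t0 = b"\x00\x00\x00\x07", 1_700_000_000
    _enc_key, mac_key = derive_session_keys(master, session_id, t0)
    ciphertext = b"\xde\xad\xbe\xef" * 4       # constructed stand-in for SM4 output
    packet = seal(mac_key, session_id, POLICY_HEADER_ENC, ciphertext, t0 + 5)
    results = {"fresh": open_packet(mac_key, packet, now=t0 + 10)[2] == ciphertext}
    flipped = packet[:2] + bytes([packet[2] ^ POLICY_OBFUSCATE]) + packet[3:]
    for name, pkt, now in (("late_replay", packet, t0 + 120),
                           ("policy_bit_flipped", flipped, t0 + 10)):
        try:
            open_packet(mac_key, pkt, now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

The window bounds how long a captured packet stays valid, but it does not stop a replay inside the window; a deployment of claim 4 still needs a per-session sequence number or a cache of recently seen tags alongside the timestamp check. Checking the HMAC first also means the policy byte, which tells the receiver which security policy combination to apply (claim 2), cannot be downgraded without the MAC key.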