
CN-122001671-A - Cross-network data transmission method and system


Abstract

The application provides a cross-network data transmission method and system in the technical field of network security. The method comprises: carrying out security detection analysis on files uploaded to a source data site, according to the flow approval result of a cross-network file transmission request submitted by a user, to obtain files after security processing; establishing an encrypted transmission channel between a source end and a target end through bidirectional identity authentication based on a national cryptographic (SM-series) digital certificate and online certificate status inquiry, according to a preset transmission strategy and security authentication requirements; carrying out parallel transmission of fragments of the file data over the encrypted transmission channel, with fragment-level and file-level integrity verification before and after transmission based on the SM3 algorithm; and recording audit logs containing all required elements at a management site according to the transmission completion result. The application realizes a whole flow of cross-network data transmission that is safe and controllable, efficient and reliable, and completely auditable, and effectively solves the problem of secure exchange of sensitive data between different network domains.

Inventors

  • YI WEI
  • ZHU CHENGHAO

Assignees

  • 兴业银行股份有限公司

Dates

Publication Date
20260508
Application Date
20260319

Claims (13)

  1. A method for cross-network data transmission, the method comprising: according to the flow approval result of the cross-network file transmission request submitted by the user, carrying out security detection analysis on the file uploaded to the source data site to obtain a file after security processing; establishing an encrypted transmission channel between a source end and a target end through bidirectional identity authentication based on a national cryptographic (SM-series) digital certificate and online certificate status inquiry, according to a preset transmission strategy and security authentication requirements; executing parallel transmission of fragments of the file data over the encrypted transmission channel, and executing fragment-level and file-level integrity checks before and after transmission of the file data based on the SM3 cryptographic algorithm; and recording audit logs containing user, approval, transmission and verification information at the management site according to the transmission completion result.
  2. The cross-network data transmission method according to claim 1, wherein establishing an encrypted transmission channel between a source end and a target end comprises: when communication is initiated, querying the status of the opposite end's certificate from the OCSP service of the management site, according to the national cryptographic digital certificates issued by the management site for each node, to obtain a certificate validity verification result; and executing bidirectional identity authentication according to the verification result and the certificate bidirectional exchange mechanism, and establishing an encrypted communication link.
  3. The cross-network data transmission method according to claim 1, wherein performing the fragmented parallel transmission of the file data over the encrypted transmission channel comprises: dividing the file data into a plurality of fragments according to a transmission strategy; and transmitting the plurality of fragments through a parallel pipeline mechanism.
  4. The method of claim 3, wherein performing the fragment-level and file-level integrity check on the file data before and after transmission based on the SM3 algorithm comprises: after at least one fragment has been transmitted, generating hash values of the corresponding fragments based on the SM3 cryptographic algorithm and checking the hash values; and after all file data have been transmitted, generating and verifying a hash value of the whole file based on the SM3 algorithm.
  5. The cross-network data transmission method as claimed in claim 1, wherein performing the fragmented parallel transmission of the file data over the encrypted transmission channel further comprises: when the source end and the target end networks cannot be directly connected, forwarding data through a relay station; the relay station establishes encrypted links with the source end and the target end through bidirectional identity authentication based on national cryptographic digital certificates, and performs transparent forwarding of the file data flow between the encrypted links.
  6. The cross-network data transmission method of claim 1, wherein the method further comprises: according to a site registration request, the management site audits and issues site certificates to obtain nodes with controlled access; and triggering a certificate renewal process within a preset period before expiry of the site certificate, according to the certificate validity monitoring result.
  7. A cross-network data transmission system adapted to the cross-network data transmission method of any one of claims 1 to 6, comprising: a management site for receiving and processing the cross-network file transmission request to complete flow approval, and for issuing and managing the national cryptographic digital certificate for each node in the system; data sites deployed in different network areas for carrying out security detection analysis on approved files and establishing an encrypted transmission channel with the target end based on the national cryptographic digital certificate, so as to execute file fragment transmission and integrity verification; and a relay station for establishing encrypted links and carrying out transparent data forwarding when the source end and the target end are not directly connectable.
  8. The system of claim 7, wherein the management site further comprises: a strategy control module for configuring a transmission strategy, wherein the transmission strategy controls the target, bandwidth and concurrency number of file transmission; and a certificate authority module for issuing certificates, maintaining a certificate trust list and providing an OCSP status query service to support the bidirectional identity authentication.
  9. The system of claim 7, wherein the data site further comprises: a security service interface module for calling virus scanning, data leakage prevention detection and encryption services so as to perform security processing on the file; and a transmission engine module for executing file slicing, parallel transmission, resumable (breakpoint) transmission and integrity checks based on the SM3 algorithm.
  10. The system of claim 7, wherein the cross-network data transmission system employs a centralized management and distributed service architecture, wherein the management site is deployed centrally and a plurality of data sites are deployed in a distributed manner across branch office network areas.
  11. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 6 when executing the computer program.
  12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1 to 6.
  13. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 6.

Description

Cross-network data transmission method and system

Technical Field

The present application relates to the field of network security and data communication technologies, and in particular to a method and a system for cross-network data transmission.

Background

Within critical industries and enterprises there are often multiple network areas (e.g. office and production networks, intranets and private networks) that are isolated from each other or have different security levels. Data transmission between these networks faces several challenges. First, the transmission process needs strict security management and control to prevent risks such as sensitive information leakage and virus propagation; the traditional approach relies on manual approval and copying via removable media, which is inefficient and leaves audit blind spots. Second, devices such as firewalls are usually deployed at the network boundary, so direct connectivity is limited, and the identity credibility and communication encryption of the transmission channel must be ensured. Third, large files or massive data volumes place high demands on timeliness and reliability; the traditional single-threaded transmission mode is inefficient and lacks an effective integrity verification mechanism, so tampering with or damage to the data during transmission is hard to detect. Finally, the whole transmission process must meet compliance requirements, so that the entire flow from approval through transmission to completion is auditable. Prior art schemes are often improved on a single level only (such as encryption or fragmentation) and lack a comprehensive solution that combines an approval process, a high-strength national cryptographic system, an efficient transmission mechanism and a complete audit trail.

Disclosure of Invention

The application aims to overcome the defects of the prior art by providing a cross-network data transmission method and system that realize a safe, controllable, efficient and reliable whole flow of file transmission across network boundaries and meet strict compliance audit requirements. The method ensures the safety of the transmitted content through up-front process approval and security detection, establishes a trusted channel through bidirectional authentication and encryption based on national cryptographic algorithms, improves transmission efficiency and integrity assurance through a slicing-parallel and multistage verification mechanism, and realizes whole-process traceability through centralized audit log records.

The method comprises: carrying out security detection analysis on files uploaded to a source data site, according to the process approval result of a cross-network file transmission request submitted by a user, to obtain files after security processing; establishing an encrypted transmission channel between a source end and a target end through bidirectional identity authentication based on a national cryptographic digital certificate and online certificate status inquiry, according to a pre-configured transmission strategy and security authentication requirements; carrying out parallel transmission of fragments of the file data over the encrypted transmission channel, with fragment-level and file-level integrity verification before and after transmission based on the SM3 algorithm; and recording audit logs containing user, approval, transmission and verification information at a management site according to the transmission completion result.

In the above cross-network data transmission method, optionally, establishing an encrypted transmission channel between the source end and the target end includes: when communication is initiated, querying the status of the opposite end's certificate, according to the national cryptographic digital certificate issued by the management site for each node, to obtain a certificate validity verification result; executing bidirectional identity authentication according to the verification result and a certificate bidirectional exchange mechanism; and establishing an encrypted communication link. In the cross-network data transmission method, optionally, performing the sliced parallel transmission of the file data over the encrypted transmission channel comprises dividing the file data into a plurality of slices according to a transmission strategy, and transmitting the plurality of slices through a parallel pipeline mechanism. In the cross-network data transmission method, optionally, performing fragment-level and file-level integrity checks on the file data before and after transmission based on the SM3 algorithm comprises generating hash values of the corresponding fragments based on the SM3 algorithm and checking them after at least one fragment transmission is completed, and generating hash