CN-122001680-A - Network data security encryption transmission method and system

Abstract

The invention relates to the field of network security, in particular to a network data security encryption transmission method and system. In response to an encrypted-transmission instruction, the transmitting end divides and encodes the original data into a plurality of data fragments and sends the fragments to a plurality of preselected intermediate nodes for storage; the transmission destination of each fragment is an intermediate node rather than the receiving end. After transmission configuration information has been sent to the receiving end, and once a trigger request from the receiving end is received, each intermediate node holding a corresponding fragment is instructed to send its stored fragment to the receiving end within a preset time window, so that the fragments arrive together. After receiving the fragments within the preset time window, the receiving end restores the original data using the decoding mode corresponding to the encoding, returns the reassembly result to the transmitting end, and the transmitting end completes the encrypted transmission according to that result. Because the data is stored in scattered form across intermediate nodes and recovered synchronously only after a trigger, the risk that the whole data stream is intercepted during continuous transmission over a single link is reduced.

Inventors

  • WANG GUANHONG
  • YIN PENG
  • LI JIANGHONG

Assignees

  • 深圳迅销科技股份有限公司

Dates

Publication Date: 2026-05-08
Application Date: 2026-04-03

Claims (10)

  1. A method for secure encrypted transmission of network data, the method comprising: in response to an acquired data encryption transmission instruction, dividing and encoding the original data to generate a plurality of data fragments, and assigning each data fragment a unique identifier; sending each data fragment to one of a plurality of preselected intermediate nodes for storage, wherein each intermediate node stores only part of the data fragments, and the transmission destination address of any data fragment is an intermediate node rather than the receiving end; transmitting transmission configuration information to the receiving end, wherein the transmission configuration information comprises the unique identifiers corresponding to the plurality of data fragments and is used by the receiving end when the data is reassembled; after receiving a trigger request sent by the receiving end when the original data needs to be restored, responding to the trigger request by instructing each intermediate node that stores a corresponding data fragment to send the stored data fragment to the receiving end within a preset time window; receiving a data reassembly result returned by the receiving end, wherein the reassembly result is obtained by the receiving end restoring the original data, after receiving the data fragments within the preset time window, according to the decoding mode corresponding to the encoding; and completing the encrypted transmission of the original data according to the data reassembly result.
  2. The method for secure encrypted transmission of network data according to claim 1, wherein the step of sending each data fragment to a plurality of preselected intermediate nodes for storage comprises: acquiring topology information of the current network, autonomous domain membership information of each node, geographic location information, and operator network information; identifying nodes at different levels of the network according to the topology information, and eliminating candidate node combinations located on the same physical link from the candidate intermediate nodes based on that identification; classifying the candidate intermediate nodes by autonomous domain according to the autonomous domain membership information, wherein the selected intermediate nodes are distributed across at least two different autonomous domains; calculating the geographic distance between candidate nodes according to the geographic location information, wherein the selected intermediate nodes are distributed across different geographic areas; classifying the candidate intermediate nodes by operator according to the operator network information, wherein the selected intermediate nodes are distributed across at least two different operator networks; selecting a plurality of intermediate nodes from the remaining candidates as storage nodes, and assigning different intermediate nodes to the plurality of data fragments of the same original data, so that any intermediate node stores only one data fragment and all data fragments of the same original data are scattered across intermediate nodes at different network positions; and planning, for each data fragment, a network transmission path from the sender to the corresponding intermediate node, the transmission paths of different data fragments having no overlapping nodes at the physical link layer or the routing layer.
  3. The method for secure encrypted transmission of network data according to claim 1, further comprising, before the step of receiving the data reassembly result returned by the receiving end: if the data reassembly result is not received within a preset waiting time threshold, acquiring failure cause information; determining, according to the failure cause information, the data fragment to be supplemented, and re-encoding the data fragment to be supplemented; based on the re-encoding result, re-sending the fragment to a new intermediate node for storage and updating the transmission configuration information of the receiving end; and re-executing the triggering and result-receiving steps until a successful data reassembly result is received.
  4. The method for secure encrypted transmission of network data according to claim 1, wherein the step of instructing each intermediate node that stores a corresponding data fragment to send the stored data fragment to the receiving end within a preset time window comprises: acquiring clock attribute information of each intermediate node; grading each intermediate node by clock precision according to the clock attribute information, and determining a clock reliability grade for each node, the clock reliability grade representing the expected deviation range between the node clock and the receiving end clock; determining a reference time window width according to the receiving capability of the receiving end and the clock reliability grade of each intermediate node, and calculating a personalized sending time offset for each intermediate node; generating a trigger instruction for each intermediate node, the trigger instruction comprising personalized sending parameters including a reference sending time, the sending time offset calculated for that node, and an allowable sending jitter range; and sending the trigger instructions with their different personalized sending parameters to the corresponding intermediate nodes, wherein intermediate nodes with high clock precision send in a concentrated manner within the reference time window, and intermediate nodes with low clock precision send earlier or later according to their sending time offset, such that all data fragments sent by the intermediate nodes arrive within one continuous monitoring window of the receiving end.
  5. The method for secure encrypted transmission of network data according to claim 1, further comprising: each time a new data encryption transmission instruction is responded to, determining the intermediate nodes used for that transmission by randomized selection from a candidate intermediate node set that meets a preset network dispersion requirement; each time a trigger request is received from the receiving end, generating the preset time window parameters for that transmission in a randomized manner; and carrying the preset time window parameters in the trigger instruction sent to each intermediate node.
  6. The method for secure encrypted transmission of network data according to claim 1, wherein before the step of transmitting the transmission configuration information to the receiving end, the method further comprises: generating transmission configuration information comprising a real monitoring window parameter and a false monitoring window parameter, wherein the real monitoring window parameter instructs the receiving end to monitor its data port within the preset time window; and transmitting the transmission configuration information corresponding to the real monitoring window parameter and the false monitoring window parameter to the receiving end.
  7. The network data security encryption transmission method according to claim 6, wherein after the step of transmitting the transmission configuration information with the real and false monitoring window parameters to the receiving end, the method further comprises: generating decoy data packets with the same network protocol type and the same port number as the plurality of data fragments transmitted in that transmission; and sending the decoy data packets to the receiving end, controlling them to arrive at the receiving end within each time window indicated by the false monitoring window parameter.
  8. A network data secure encrypted transmission system, comprising: an acquisition and generation module, configured to respond to the acquired data encryption transmission instruction by segmenting and encoding the original data, generating a plurality of data fragments, and assigning each data fragment a unique identifier; a first sending module, a second sending module and a third sending module, wherein the first sending module is configured to send each data fragment to one of a plurality of preselected intermediate nodes for storage, each intermediate node stores only part of the data fragments, and the transmission destination address of any data fragment is an intermediate node rather than the receiving end; the second sending module is configured to send transmission configuration information to the receiving end, wherein the transmission configuration information comprises the unique identifiers corresponding to the plurality of data fragments and is used by the receiving end when the data is reassembled; a first receiving module, configured to respond to a trigger request, after receiving the trigger request sent by the receiving end when the original data needs to be restored, by instructing each intermediate node that stores a corresponding data fragment to send the stored data fragment to the receiving end within a preset time window; a second receiving module, configured to receive a data reassembly result returned by the receiving end, wherein the reassembly result is obtained by the receiving end restoring the original data, after receiving the data fragments within the preset time window, according to the decoding mode corresponding to the encoding; and a transmission determining module, configured to complete the encrypted transmission of the original data according to the data reassembly result.
  9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when the computer program is executed.
  10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
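The following Python simulation is an added illustration of claims 1 to 4, not code from the patent or its assignee: it fragments the data with unique identifiers, picks intermediate nodes that pairwise differ in autonomous domain, operator and region, derives each node's sending offset from its expected clock deviation so that every fragment lands in one receiver window, and repairs a fragment lost by a failed node by re-storing it on a fresh node and re-triggering, as claim 3 describes. The node catalogue, deviation values, identifier format (index plus a SHA-256 prefix) and the plain-split "encoding" are assumptions, since the patent does not fix a coding scheme; the replacement node only avoids already-used nodes rather than re-checking dispersion against the survivors.

```python
import hashlib
# Constructed catalogue: (name, autonomous system, operator, region, clock deviation ms)
NODES = [("n1", 64500, "opA", "east", 5), ("n2", 64500, "opB", "west", 40),
         ("n3", 64501, "opB", "west", 10), ("n4", 64502, "opC", "north", 80),
         ("n5", 64503, "opA", "south", 20)]

def fragment(data: bytes, n: int) -> dict:
    """Claim 1: split into n fragments keyed by a unique id (index + content hash)."""
    size = -(-len(data) // n)
    chunks = [data[i * size:(i + 1) * size] for i in range(n)]
    return {f"{i:02d}-{hashlib.sha256(c).hexdigest()[:8]}": c for i, c in enumerate(chunks)}

def pick_dispersed(nodes, n: int, avoid=()):
    """Claim 2: greedily pick n nodes that pairwise differ in AS, operator and region."""
    chosen = []
    for nd in nodes:
        if nd[0] not in avoid and all(nd[1] != c[1] and nd[2] != c[2] and nd[3] != c[3]
                                      for c in chosen):
            chosen.append(nd)
        if len(chosen) == n:
            return chosen
    raise ValueError("not enough dispersed nodes")

def schedule(nodes, t_ref: int, recv_width: int):
    """Claim 4: send offset = expected clock deviation; window wide enough for the worst node."""
    width = max(recv_width, 2 * max(nd[4] for nd in nodes))
    return {nd[0]: (t_ref + nd[4], nd[4]) for nd in nodes}, (t_ref, t_ref + width)

def recover(frag_ids, arrivals, window):
    """Receiver: keep fragments inside the window, rebuild in id order, else report missing."""
    got = {fid: c for fid, c, t in arrivals if window[0] <= t <= window[1]}
    missing = [fid for fid in frag_ids if fid not in got]
    return (None, missing) if missing else (b"".join(got[f] for f in sorted(frag_ids)), [])

def transmit(data: bytes, n: int = 3, lost: str = "") -> bytes:
    """Claims 1-4 end to end, with one simulated node failure repaired per claim 3."""
    frags = fragment(data, n)
    placement = dict(zip(frags, pick_dispersed(NODES, n)))   # one fragment per node
    config = list(frags)                                      # ids sent to the receiver
    while True:
        plan, window = schedule(list(placement.values()), t_ref=1000, recv_width=50)
        arrivals = []
        for i, (fid, nd) in enumerate(placement.items()):
            if nd[0] == lost:
                continue                                      # node never delivers
            send_at, dev = plan[nd[0]]
            arrivals.append((fid, frags[fid], send_at + (dev if i % 2 else -dev)))
        result, missing = recover(config, arrivals, window)
        if not missing:
            return result
        used = {nd[0] for nd in placement.values()} | {lost}
        for fid, nd in zip(missing, pick_dispersed(NODES, len(missing), avoid=used)):
            placement[fid] = nd                               # claim 3: fresh node, re-trigger
        lost = ""
```

Each simulated node's clock is skewed by its full expected deviation (alternately early and late), which is the worst case the offset and window width are sized for.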

Description

Technical Field

The application relates to the technical field of network security, in particular to a network data security encryption transmission method and system.

Background

The security of data during network transmission is of increasing concern. Existing secure data transmission methods generally adopt end-to-end encrypted communication: after the sending end encrypts the original data, the ciphertext is transmitted directly to the receiving end over a single communication link, and the receiving end decrypts and restores the data once it has received all of it. This end-to-end mode carries the risk of exposing the entire data set. In the conventional mode, the complete encrypted data stream is transmitted continuously from the transmitting end to the receiving end over a single communication link, so an attacker need only gain access to that link and monitor it continuously to have the opportunity to capture the complete encrypted stream. Although the data itself is encrypted, with continued growth in computing power and the continued evolution of cryptanalysis, encrypted data that has been intercepted in full remains at risk of being cracked. In addition, a continuous data flow has relatively stable traffic characteristics, so an attacker can identify the transmission of high-value data through traffic analysis without decrypting anything, and then mount a targeted attack. Secondly, in a real network environment, an attacker may not only monitor the transmission link but also continuously monitor the traffic of a potential receiving end.

When the receiving end receives data within a specific time window, the listening state of its network port and the traffic characteristics of the arriving data may be captured by an attacker. For example, by monitoring the communication behaviour of a target IP over a long period, an attacker may discover regular characteristics such as a port opening and a burst of packets arriving at a particular moment, and thereby identify that IP as the recipient of valuable data. Even if the data in transit is protected by encryption or scattered storage, the visible behaviour of the receiving end during the data recovery stage may still expose its identity and location, leading to subsequent targeted attacks. Therefore, reducing the risk that the receiving end's behaviour is identified during the recovery stage, while ensuring the security of the transmission itself, is also a problem to be solved.

Disclosure of the Invention

In order to solve one or more of the problems in the prior art, the main purpose of the application is to provide a network data security encryption transmission method and system.

In order to achieve the above object, the present application provides a network data secure encrypted transmission method, comprising: in response to an acquired data encryption transmission instruction, dividing and encoding the original data to generate a plurality of data fragments, and assigning each data fragment a unique identifier; sending each data fragment to one of a plurality of preselected intermediate nodes for storage, wherein each intermediate node stores only part of the data fragments, and the transmission destination address of any data fragment is an intermediate node rather than the receiving end; transmitting transmission configuration information to the receiving end, wherein the transmission configuration information comprises the unique identifiers corresponding to the plurality of data fragments and is used by the receiving end when the data is reassembled; after receiving a trigger request sent by the receiving end when the original data needs to be restored, responding to the trigger request by instructing each intermediate node that stores a corresponding data fragment to send the stored data fragment to the receiving end within a preset time window; receiving a data reassembly result returned by the receiving end, wherein the reassembly result is obtained by the receiving end restoring the original data, after receiving the data fragments within the preset time window, according to the decoding mode corresponding to the encoding; and completing the encrypted transmission of the original data according to the data reassembly result. The embodiment of the application also provides a network data security encryption transmission system, comprising: an acquisition and generation module, configured to respond to the acquired data encryption transmission instruction by segmenting and encoding the original data, generating a plurality of data fragm