CN110401673B - Method and device for safely transmitting data between networks - Google Patents


Info

Publication number
CN110401673B
Authority
CN
China
Prior art keywords
data
network
dimensional code
network end
data transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910735855.1A
Other languages
Chinese (zh)
Other versions
CN110401673A (en)
Inventor
邓冰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Anxin Weiye Technology Co ltd
Original Assignee
Beijing Anxin Weiye Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Anxin Weiye Technology Co ltd
Priority to CN201910735855.1A
Publication of CN110401673A
Application granted
Publication of CN110401673B
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0022 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations; arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/004 Arrangements for detecting or preventing errors in the information received by using forward error control
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Power Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for safely transmitting data between networks. The method comprises the following steps: a first network end scans the two-dimensional code display area of a second network end to obtain first two-dimensional code data, the first network and the second network being physically isolated from each other; the first two-dimensional code data are received and processed according to a predetermined data transmission requirement to obtain connection request data; identity authentication is performed on the current access user of the second network end according to the user identity information in the connection request data; if the identity authentication is passed, the first data to be sent to the second network end and the user identity information are transmission-processed according to the data transmission requirement to obtain second two-dimensional code data; and the two-dimensional code image corresponding to the second two-dimensional code data is displayed at the first network end, so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data and thereby the first data. By this scheme, secure, real-time data transmission between different physically isolated networks can be realized.

Description

Method and device for safely transmitting data between networks
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a method and an apparatus for secure transmission of data between networks.
Background
The network security of an intranet (private network) can be ensured by isolating it from the extranet (internet). At present, data exchange between an internal network and an external network is generally carried out by optical disk ferry, infrared unidirectional transmission, image ferry and the like. However, optical disk ferry systems suffer frequent mechanical failures, have poor real-time performance, and consume large numbers of optical disks on each exchange; infrared unidirectional transmission and existing image ferry technologies have low transmission rates, high cost, complex installation and debugging, and inconvenient operation.
How to realize data exchange between internal and external networks under tighter real-time requirements is an urgent problem to be solved, particularly in industries with relatively poor working environments and explicit data security requirements. For example, the vehicle exhaust inspection industry requires data exchange between the public security intranet and the public security extranet. On the one hand, the mobile internet and mobile payment have penetrated the daily life of vehicle owners, and inspection stations need to offer convenient and fast service; on the other hand, private networks such as public security and environmental protection networks have hard security requirements, and physical isolation between internal and external networks must be guaranteed. The existing optical disk ferry, infrared unidirectional transmission and image ferry technologies cannot meet these requirements for real-time performance and security.
Disclosure of Invention
The invention provides a method and a device for safely transmitting data among networks, which are used for realizing safe and real-time data transmission among different physically isolated networks.
In one aspect, a method for securely transmitting data between networks is provided, including:
scanning a two-dimensional code display area of a second network end by a first network end to obtain first two-dimensional code data; wherein the first network and the second network are physically isolated from each other;
receiving and processing the first two-dimensional code data according to a preset data transmission requirement to obtain connection request data sent to the first network end by the second network end;
performing identity authentication on the current access user of the second network terminal according to the user identity information in the connection request data;
under the condition that the identity authentication is passed, transmission-processing, according to the data transmission requirement, the first data to be sent by the first network end to the second network end together with the user identity information, to obtain second two-dimensional code data;
and displaying the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network end so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data, and receiving and processing the second two-dimensional code data according to the data transmission requirement, so that the current access user of the second network end obtains the first data.
In another aspect, an apparatus for securely transmitting data between networks is provided, including:
the scanning unit is used for scanning a two-dimensional code display area of a second network end by a first network end to obtain first two-dimensional code data; wherein the first network and the second network are physically isolated from each other;
the receiving unit is used for receiving and processing the first two-dimensional code data according to a preset data transmission requirement to obtain connection request data sent to the first network end by the second network end;
the verification unit is used for verifying the identity of the current access user of the second network terminal according to the user identity information in the connection request data;
the sending unit is used for transmission-processing, according to the data transmission requirement and under the condition that the identity authentication is passed, the first data to be sent by the first network end to the second network end together with the user identity information, so as to obtain second two-dimensional code data;
and the display unit is used for displaying the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network end so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data, and receiving and processing the second two-dimensional code data according to the data transmission requirement, so that the current access user of the second network end obtains the first data.
In a further aspect, a computer-readable storage medium is provided, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the method of the above-mentioned embodiments.
The internetwork data secure transmission method, the internetwork data secure transmission device and the computer readable storage medium can realize the secure and real-time data transmission among different physically isolated networks.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a flowchart illustrating a method for securely transmitting data between networks according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an internetwork data secure transmission apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an apparatus for securely transmitting data between networks according to an embodiment of the present invention;
FIG. 4 is a block diagram illustrating a method for securely transmitting data between networks according to an embodiment of the present invention;
FIG. 5 is a block diagram illustrating a user authentication and identification method according to an embodiment of the invention;
FIG. 6 is a block diagram illustrating a user authentication parsing method according to an embodiment of the invention;
FIG. 7 is a block diagram illustrating a data encryption methodology in one embodiment of the invention;
fig. 8 is a block diagram illustrating a data decryption method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
For two different networks that are physically isolated, such as a private network (intranet) and the internet (extranet), the existing data exchange modes are difficult to operate in real time, are inefficient, and do not adequately meet the security requirements of a network that needs physical isolation.
In order to solve the above problem, an embodiment of the present invention provides a method for securely transmitting data between networks, which is suitable for data transmission between different networks, and particularly for different networks that are physically isolated, not only can implement real-time transmission, but also can greatly improve security of data transmission.
Fig. 1 is a flowchart illustrating a method for securely transmitting data between networks according to an embodiment of the present invention. Referring to fig. 1, a method for securely transmitting data between networks according to some embodiments may include steps S110 to S150, which mainly include processes of receiving a connection request and transmitting data based on the connection request.
The embodiments of each step from step S110 to step S150 are specifically described below.
Step S110: scanning a two-dimensional code display area of a second network end by a first network end to obtain first two-dimensional code data; wherein the first network and the second network are physically isolated from each other.
The different networks which are physically separated from each other can be an internal network and an external network. For example, the first network is the internet, and the second network is a private network; or, the first network is a private network, and the second network is the internet.
A scanning device, such as a scanner, may be provided at the first network side. The second network end can be provided with a display device, and a two-dimensional code image of data needing to be output can be displayed in a two-dimensional code display area of the display device. By scanning the two-dimensional code image of the display area of the second network terminal by using the scanning device of the first network terminal, the data sent to the first network terminal by the second network terminal can be acquired under the condition of physical isolation.
Further, the scanning device of the first network may scan the two-dimensional code display area of the second network at regular time (for example, scan once at an interval of 5 s), and if the two-dimensional code display area has a two-dimensional code image, the scanning device of the first network may recognize two-dimensional code data corresponding to the two-dimensional code image. Therefore, the first network end can acquire the two-dimensional code data sent by the second network end in real time. The specific scanning time interval may be determined according to specific situations, for example, according to the transceiving states of the two ends, the processing state, the user priority, and the like.
In other embodiments, the second network may also scan the two-dimensional code display area of the first network to obtain the two-dimensional code data, and the manner of obtaining the two-dimensional code data is similar to the manner of obtaining the two-dimensional code data from the second network by the first network, for example, the scanning manner may also be performed at regular time. Therefore, data can be transmitted from the second network terminal to the first network terminal based on the two-dimension code, and data can be transmitted from the first network terminal to the second network terminal based on the two-dimension code, so that bidirectional and real-time data transmission can be realized under the condition that the first network and the second network are physically isolated.
Step S120: and receiving and processing the first two-dimensional code data according to a preset data transmission requirement to obtain connection request data sent to the first network end by the second network end.
The predetermined data transmission requirements may include the formats, protocols and the like involved in the transmission of the data, such as an interface definition format and a data frame format. The purpose of the predetermined data transmission requirement is to enable each network end to identify the data sent by the other.
When the first two-dimensional code data are received according to the predetermined data transmission requirement, the first two-dimensional code data may first be decoded, and the decoded data then unpacked, protocol-parsed and otherwise processed to obtain the original data. Before sending, the second network end performs transmission processing on the connection request data to be sent to the first network end; this processing may include one or more of framing, packaging, user authorization, protocol adaptation, data encryption, channel coding, CRC checking and two-dimensional code generation, and the transmission processing performed by the first network end (described below) is similar. Step S120 is the reverse of the transmission processing performed by the second network end and may include one or more of two-dimensional code decoding, CRC checking, channel decoding, data decryption, protocol parsing, authorization parsing, unpacking and reassembly.
Illustratively, the step S120 may specifically include the steps of: s121, performing two-dimensional code decoding processing on the first two-dimensional code data; s122, performing channel decoding on the data subjected to the two-dimensional code decoding processing by using an agreed channel coding mode, and performing CRC (Cyclic Redundancy Check) verification on the data subjected to the two-dimensional code decoding processing by using an agreed CRC verification mode; s123, carrying out data splitting and protocol analysis on the data after channel decoding and CRC verification according to a preset data frame format; s124, analyzing and recombining the data after the data splitting and protocol analysis according to a preset interface definition format to obtain connection request data sent to the first network end by the second network end; wherein the predetermined data transmission requirements include a predetermined interface definition format and a predetermined data frame format.
In step S121, the two-dimensional code may be decoded using an existing algorithm. Some transmission parameters, such as the interface definition format and the data frame format, may be fixed for the first network and the second network. In step S122, for two fixed networks, such as the first network and the second network, the channel coding mode and the CRC check mode may also be fixed; or the sending end may determine them in real time, in which case, after the sending end (the second network end) has determined the channel coding mode and the CRC check mode, it must also convey them to the receiving end (the first network end) so that the receiving end can perform channel decoding and CRC checking on the received data. Channel coding and decoding with an agreed channel coding mode ensures the stability of the second network end when it sends the connection request data to the first network end, and CRC checking with an agreed CRC check mode ensures that the receiving end (the first network end) receives the connection request data accurately. Note that a CRC detects accidental corruption only; it offers no protection against deliberate modification, which must come from the encryption or from an authentication mechanism. In step S123, protocol adaptation at the sender and protocol parsing at the receiver unify the data frame format, so that the interfaces of the first network end and the second network end agree; this constrains what the first network end will parse and helps prevent attacks by illegal intrusion.
Of course, in other examples, fewer steps may be included, for example, only the above steps S121, S123, and S124; in some examples, further steps may be included, for example, before step S123, a step of decryption may be included. The confidentiality of the connection request data transmitted from the second network to the first network can be increased by encryption and decryption.
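The receive-side processing of steps S121 to S124, written out as an added example that is not part of the patent. The frame format (magic, version, sequence number, frame count, payload length, CRC-32), the base64 text standing in for the output of the scanner, the per-image capacity and the JSON interface definition of the connection request are all assumptions of this example. The error correction built into two-dimensional codes plays the role of the channel coding of S122, so only the CRC check is implemented; the sender-side framing is included so that the sample runs offline.

```python
"""Receive-side processing of two-dimensional code data (steps S121 to S124).

Constructed example, not the patent's code: the frame format, the field sizes,
the per-image capacity and the JSON interface definition of the connection
request are assumptions. QR decoding (S121) is represented by base64 text as a
scanner would return it; the error correction built into QR codes stands in for
the channel coding of S122, so only the CRC check is implemented.
"""
from __future__ import annotations
import base64
import json
import struct
import zlib

# Assumed data frame format: magic(2) | version(1) | seq(2) | total(2) | len(2) | payload | crc32(4)
MAGIC = b"QX"
VERSION = 1
HEADER = struct.Struct(">2sBHHH")
CRC = struct.Struct(">I")
MAX_PAYLOAD = 400  # assumed payload bytes per code image


class FrameError(ValueError):
    """Raised when a frame fails the CRC check or violates the agreed format."""


def build_frames(message: dict) -> list[str]:
    """Sender side: framing, packaging, CRC, and base64 in place of QR encoding."""
    body = json.dumps(message, separators=(",", ":"), sort_keys=True).encode()
    chunks = [body[i:i + MAX_PAYLOAD] for i in range(0, len(body), MAX_PAYLOAD)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        frame = HEADER.pack(MAGIC, VERSION, seq, len(chunks), len(chunk)) + chunk
        frame += CRC.pack(zlib.crc32(frame) & 0xFFFFFFFF)
        frames.append(base64.b64encode(frame).decode("ascii"))
    return frames


def parse_frame(code_text: str) -> tuple[int, int, bytes]:
    """S121 to S123 for one frame: decode, CRC-check, then split header from payload.
    The CRC is checked before any header field is trusted."""
    raw = base64.b64decode(code_text, validate=True)
    if len(raw) < HEADER.size + CRC.size:
        raise FrameError("frame too short")
    body, (crc,) = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise FrameError("CRC mismatch")
    magic, version, seq, total, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or version != VERSION:
        raise FrameError("unknown frame format")
    payload = body[HEADER.size:]
    if len(payload) != length or seq >= total:
        raise FrameError("inconsistent header")
    return seq, total, payload


def reassemble(code_texts: list[str]) -> dict:
    """S124: reassemble frames by sequence number and parse the connection request."""
    parts: dict[int, bytes] = {}
    total = None
    for text in code_texts:
        seq, t, payload = parse_frame(text)
        if total is None:
            total = t
        elif t != total:
            raise FrameError("frame count changed mid-transfer")
        parts[seq] = payload
    if total is None or len(parts) != total:
        raise FrameError(f"missing frames: {sorted(set(range(total or 0)) - set(parts))}")
    request = json.loads(b"".join(parts[i] for i in range(total)).decode())
    for field in ("user_id", "transfer_mechanism"):  # assumed mandatory fields
        if field not in request:
            raise FrameError(f"connection request lacks {field}")
    return request


def check_frame(code_text: str) -> str:
    """Return 'ok' or the reason a frame was rejected (for the receiver's log)."""
    try:
        parse_frame(code_text)
        return "ok"
    except FrameError as err:
        return str(err)


def flip_byte(code_text: str, offset: int) -> str:
    """Simulate a misread code image by flipping one bit of the decoded frame."""
    raw = bytearray(base64.b64decode(code_text))
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


# Constructed sample: a connection request as the second network end would send it.
SAMPLE_REQUEST = {
    "user_id": "station-07",
    "transfer_mechanism": "check-per-packet",
    "padding": "x" * 700,  # forces the request across more than one code image
}

if __name__ == "__main__":
    frames = build_frames(SAMPLE_REQUEST)
    print(len(frames), "code images;", reassemble(frames)["user_id"])
```

Reassembly proceeds by sequence number, so the order in which the scanner happens to read the code images does not matter, and a CRC mismatch rejects a frame before any of its header fields are used, which is the first point at which input from the far side touches the receiving network.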
Step S130: and performing identity authentication on the current access user of the second network terminal according to the user identity information in the connection request data.
The connection request data may include information required for handshaking between the second network and the first network, for example, user identity information, a file transfer mechanism, an interface definition format, a data frame format, and the like. The user identity information may include a user ID (identity code) and the like, and may be used to notify the first network of the access user of the second network, so that the first network may determine whether to perform authorization for receiving data for the access user of the second network.
The file transfer mechanism may specify, for example, whether, when data are transmitted from the first network end to the second network end, checking is performed after all data packets have been sent or after each data packet. If all data packets are sent at once and some fail the check, either only the failed packets are retransmitted or all packets are resent. If each packet is checked as it is sent, either the next packet is sent only after the check passes, or sending continues even when the check fails.
The second network end may send a proposed file transfer mechanism to the first network end for negotiation; the first network end confirms whether it accepts the mechanism, and if so sends data to the second network end under that mechanism. If not, the second network end may propose a new file transfer mechanism to the first network end, again by two-dimensional code, until the first network end and the second network end reach agreement on the file transfer mechanism.
In some embodiments, step S130 may specifically include step S131: authenticating the current access user of the second network end by looking up whether the user identity information in the connection request data exists locally at the first network end. In step S131, the local database of the first network end may store the identity information of authorized users; that is, the access user of the second network end is regarded as authorized to receive data only if the database holds the user identity information sent by the second network end. In some embodiments, if the access user of the second network end requests data from the first network end for the first time, the connection request data may carry further information about the access user so that registration can be performed at the first network end (automatically or manually); after successful registration the user is authorized, and when the user next requests data from the first network end, the authorization is granted through step S131.
Step S140: and under the condition that the identity authentication is passed, sending and processing the first data to be sent to the second network end by the first network end and the user identity information according to the data transmission requirement to obtain second two-dimensional code data.
If the identity authentication is passed, the access user of the second network end has the receiving authority, and the first network end may prepare to send data to the second network end. If the authentication fails, the data transmission processing may be rejected, either by simply stopping, or by sending a rejection message to the second network end by two-dimensional code (similar to the process by which the first network end normally sends data to the second network end). Since data are sent to the second network end only when the identity authentication is passed, the confidentiality and security of the data transmission are ensured.
In some embodiments, step S140 may specifically include the steps of: S141, determining data transmission parameters in real time under the condition that the identity authentication is passed, the data transmission parameters including one or more of an encryption mode, a channel coding mode, a CRC check mode and a data distribution mechanism; and S142, transmission-processing the first data to be sent by the first network end to the second network end, the user identity information and the data transmission parameters determined in real time, according to the data transmission requirement and the data transmission parameters determined in real time, to obtain second two-dimensional code data.
In step S141, the data transmission parameters may be various parameters involved in data transmission, such as an encryption method, a channel coding method, a CRC check method, and a data distribution mechanism. The data transmission parameters can be determined according to various information, so that the real-time performance and the safety of data transmission between the first network and the second network are more in line with the requirements of users. Exemplarily, the step S141 of determining the data transmission parameter in real time may include the steps of: s1411, determining data transmission parameters in real time according to one or more of the current network, the security level requirement and the size of the first data.
For example, if the first network and the second network are known to be relatively secure, an encryption mode with a lower security level may be selected, and otherwise an encryption mode with a higher security level; if the interface definitions of the first and second networks are uniform and interference is low, a simpler channel coding mode and CRC check mode may be selected, and otherwise stronger ones. For another example, the priority of the current access user may be a security level preset for the access user (at the second network end) that is to receive the first data; if that level is higher, an encryption algorithm with stronger confidentiality and a more robust channel coding mode and CRC check mode may be selected. Or, for example, if the first data are large, a simpler channel coding mode and CRC check mode may be selected to save computing resources, and otherwise ones with a higher standard.
In step S142, the data transmission requirement may include an interface definition format, a data frame format, and the like. The data transmission requirements may generally be predetermined and the data transmission parameters may be predetermined or may be determined in real time. The first data is transmitted and processed, and at the same time, the user identity information and the data transmission parameter are also transmitted and processed, and the user identity information and the data transmission parameter can also be transmitted to the second network, so that the second network end can perform user authority analysis according to the received user identity information, so that only the user receives the first data.
Illustratively, the step S142 may, more specifically, include the steps of: s1421, framing and packaging data of the first data to be sent from the first network to the second network according to a predetermined interface definition format to obtain a first data packet; framing and packaging data of the data transmission parameters determined in real time and the user identity information according to a preset interface definition format to obtain a second data packet; s1422, performing protocol adaptation on the first data packet and the second data packet according to a predetermined data frame format; s1423, encrypting the protocol-adapted first data packet by using a real-time determined encryption mode; s1424, channel coding is performed on the encrypted first data packet by using a channel coding mode determined in real time, and CRC is performed on the encrypted first data packet by using an allocated CRC checking mode; s1425, converting the second data packet after protocol adaptation and the first data after channel coding and CRC check into second two-dimensional code data; wherein the determined data transmission requirements comprise a predetermined interface definition format and a predetermined data frame format; the data transmission parameters determined in real time comprise an encryption mode determined in real time, a channel coding mode determined in real time and a CRC (cyclic redundancy check) mode determined in real time.
When the data transmission requirement comprises an interface definition format and a data frame format, framing and packing are performed according to the interface definition format and protocol adaptation according to the data frame format. Where both formats are predetermined, the second network end already knows them, and these data transmission requirements need not be sent to the second network end together with the first data. When the data transmission parameters comprise an encryption mode, a channel coding mode and a CRC check mode, data encryption, channel coding and CRC checking are performed with those parameters. Encryption adds confidentiality to the transmission, while channel coding and the CRC check improve the consistency between what is sent and what is received. In addition, the database at the first network end may store one or more channel coding modes (for example BCH, Turbo or LDPC codes), one or more CRC check modes and one or more encryption modes; when it is determined that data can be transmitted or transmission processing can be performed, a channel coding mode, a CRC check mode and an encryption mode are selected from the database for the corresponding processing. Because the selected channel coding, CRC and encryption modes can change dynamically from one transmission to the next, selecting them on the spot makes it harder for an unauthorized intruder on the second network to analyze and decrypt the transmitted data.
In other embodiments, the specific implementation of step S142 may include only framing and packing, protocol adaptation and conversion into two-dimensional code data, that is, steps S1421, S1422 and S1425. In step S1421 the first data to be sent from the first network end to the second network end is framed and packed according to the predetermined interface definition format to obtain a first data packet; in step S1422 protocol adaptation is performed on that packet according to the predetermined data frame format; and in step S1425 the protocol-adapted data packet is converted into two-dimensional code data for display.
In still other embodiments, the specific implementation of step S142 may, in addition to framing and packing, protocol adaptation and conversion into two-dimensional code data, include a data encryption step similar to step S1423, a channel coding step similar to step S1424, or a CRC check step similar to step S1424; these differ from steps S1423 and S1424 mainly in their input data and are not described again.
Step S150: displaying the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network end, so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data and performs reception processing on it according to the data transmission requirement, whereby the current access user of the second network end obtains the first data.
The first network end may be provided with a display module, such as a display screen, on which the two-dimensional code image is shown whenever two-dimensional code data exist. The second network end may be provided with a scanning device, such as a scanner, which scans the display module of the first network end at regular intervals; when a new two-dimensional code image is found, the scanning device notifies the second network end to carry out the remaining reception steps, such as channel decoding and CRC checking, decryption, protocol parsing and unpacking, which are the reverse of the transmission processing. Transmission processing at the second network end may in turn be implemented in the same way as the transmission processing at the first network end described in the embodiments above.
In other embodiments, the method for securely transmitting data between networks shown in fig. 1 may further include the steps of:
s160, monitoring whether the first data to be sent to a second network end or the first two-dimensional code data to be received from the second network end exists in a first network end;
s170, when it is monitored that the first network end has the first two-dimensional code data to be received from the second network end, determining whether to receive the first two-dimensional code data according to the receiving and sending state of the first network end, and under the condition that the first two-dimensional code data is determined to be received, executing a step of scanning a two-dimensional code display area of the second network end by the first network end to obtain the first two-dimensional code data;
S180, when it is monitored that the first network end has first data to be sent to the second network end, determining whether to transmit the first data according to the transceiving state of the first network end, and, when it is determined to transmit, performing transmission processing on the first data to be sent from the first network end to the second network end and the user identity information according to the data transmission requirements to obtain the second two-dimensional code data.
Step S160 may precede step S110. In step S160, the data to be sent to the second network end may be raw data; alternatively, the raw data may already have been framed and packed in the predetermined interface definition format, in which case the framing step can be skipped later. The data to be received from the second network end is two-dimensional code data (it plays the same role as the second two-dimensional code data that the second network end receives in step S150). Therefore, in some embodiments, where the data type of the data to be sent differs from the data type of the data to be received, whether a given item needs to be sent out or received in can be determined from its data type. In other embodiments the outbound and inbound data arrive through different data interfaces, and the decision can be made from the interface on which the monitored data appears.
Step S170 may precede step S120, and step S180 may precede step S140. In step S180, the first data may be raw data. The transceiving state may indicate whether transmission or reception processing should be performed at a given moment, or whether the transmission processing module or the reception processing module is busy or idle, and so on. In general, deciding whether to perform transmission processing on the first data according to the transceiving state of the first network end ensures that the transmission processing is carried out correctly.
In an exemplary embodiment, step S180 determines whether to perform transmission processing on the first data according to the transceiving state of the first network end: when the first network end shares processing resources between transmission and reception, the transceiving state decides whether transmission processing or reception processing is to be performed, and the first data is transmitted only when transmission processing is possible, which prevents mutual interference between sending and receiving. More specific embodiments may further determine, when transmission processing is available, whether the first data still needs to be processed; if so, transmission processing is performed, and otherwise, for example if transmission processing of that first data is found to be already under way, it is not performed again.
In step S180, if it is determined that the first data is to be transmitted and the identity authentication of step S130 has passed, the transmission processing of step S140 may be performed. In other embodiments, if it is determined in step S170 that the first network end has first two-dimensional code data to be received from the second network end, it may further be determined whether to perform reception processing on it, and if so, step S120 or a similar step is performed to carry out the reception processing.
Monitoring for data to be received or sent further improves the real-time performance of the data transfer. Deciding whether to receive when data needs to be received and whether to send when data needs to be sent reduces mutual interference between reception and transmission and facilitates bidirectional transfer between the different networks.
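As an added example (not code from the patent or its assignee), the following Python class models the decision logic of steps S160 to S180: an observed item is classified by its data type (raw first data versus two-dimensional code data, as the text suggests), a single transceiving state guards the shared processing module, first data whose transmission is already under way is skipped, and items deferred while the module was busy are started in order once the module reports completion. The class and all names are illustrative; the same decisions are what the access control and transceiving control modules of the fig. 3 embodiment described later are responsible for.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Outbound:          # raw "first data" queued at this end for the second network end
    user_id: str
    data: bytes


@dataclass(frozen=True)
class Inbound:           # two-dimensional code data spotted on the other end's display
    qr_data: str


class TransceivingController:
    """Monitors both directions (S160) and serialises sending and receiving (S170, S180)."""

    def __init__(self):
        self.state = "idle"        # idle | sending | receiving: one shared processing module
        self.in_flight = None
        self.waiting = deque()     # items deferred because the module was busy
        self.history = []          # what the log auditing unit would record

    def monitor(self, item) -> str:
        """S160: classify by data type; S170/S180: decide from the transceiving state."""
        if not isinstance(item, (Inbound, Outbound)):
            raise TypeError("neither raw first data nor two-dimensional code data")
        if isinstance(item, Outbound) and item in (self.in_flight, *self.waiting):
            self.history.append(("skip-duplicate", item.user_id))   # already being sent
            return "skipped"
        if self.state != "idle":
            self.waiting.append(item)
            self.history.append(("deferred", type(item).__name__))
            return "deferred"
        return self._start(item)

    def _start(self, item) -> str:
        self.state = "receiving" if isinstance(item, Inbound) else "sending"
        self.in_flight = item
        self.history.append((self.state, type(item).__name__))
        return self.state

    def complete(self) -> str:
        """The send or receive module reports completion; drain deferred work in order."""
        if self.in_flight is None:
            raise RuntimeError("no transmission or reception in progress")
        self.history.append(("done", self.state))
        self.state, self.in_flight = "idle", None
        return self._start(self.waiting.popleft()) if self.waiting else "idle"


def demo():
    """Constructed sequence: a send starts, a scan arrives meanwhile, the send repeats."""
    c = TransceivingController()
    steps = [c.monitor(Outbound("u1001", b"report")),      # idle -> sending
             c.monitor(Inbound("QR#1")),                    # module busy -> deferred
             c.monitor(Outbound("u1001", b"report")),       # same first data -> skipped
             c.complete(),                                  # send done, scan starts -> receiving
             c.complete()]                                  # scan done -> idle
    return steps, c.history


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The duplicate check is what the text calls "if transmission processing of that first data is found to be already under way"; the deque is the place where a real implementation would also apply the timing rules (which direction is allowed at a given moment) that the transceiving state may encode.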
Based on the same inventive concept as the method for secure inter-network data transmission shown in fig. 1, the embodiments of the present application further provide an apparatus for secure inter-network data transmission, described in the following embodiments. Because the apparatus solves the problem on the same principle as the method, its implementation can refer to the implementation of the method, and repeated parts are not described again.
Fig. 2 is a schematic structural diagram of an internetwork data secure transmission apparatus according to an embodiment of the present invention. As shown in fig. 2, the inter-network data secure transmission apparatus of some embodiments may include:
the scanning unit 210 is configured to scan a two-dimensional code display area of a second network end from a first network end to obtain first two-dimensional code data, the first network end and the second network end being physically isolated from each other;
a receiving unit 220, configured to perform reception processing on the first two-dimensional code data according to a predetermined data transmission requirement, so as to obtain connection request data sent from the second network end to the first network end;
the verifying unit 230 is configured to perform identity verification on the current access user of the second network end according to the user identity information in the connection request data;
a sending unit 240, configured, when the identity authentication passes, to perform transmission processing on the first data to be sent from the first network end to the second network end and the user identity information according to the data transmission requirement, so as to obtain second two-dimensional code data;
the display unit 250 is configured to display the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network end, so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data and performs reception processing on it according to the data transmission requirement, whereby the current access user of the second network end obtains the first data.
In some embodiments, the receiving unit 220 may include:
the two-dimensional code decoding module is used for carrying out two-dimensional code decoding processing on the first two-dimensional code data;
the channel decoding and CRC verifying module is used for carrying out channel decoding on the data subjected to the two-dimensional code decoding processing by using an agreed channel coding mode and carrying out CRC verification on the data subjected to the two-dimensional code decoding processing by using an agreed CRC verifying mode;
the protocol analysis module is used for carrying out data splitting and protocol analysis on the data after channel decoding and CRC verification according to a preset data frame format;
the data recombination module is used for analyzing and recombining the data after the data splitting and protocol analysis according to a preset interface definition format to obtain connection request data sent to the first network end by the second network end; wherein the predetermined data transmission requirements include a predetermined interface definition format and a predetermined data frame format.
In some embodiments, the sending unit 240 may include:
the parameter optimization module is used for determining data transmission parameters in real time under the condition that the identity authentication is passed, wherein the data transmission parameters comprise one or more of an encryption mode, a channel coding mode, a CRC (cyclic redundancy check) mode and a data distribution mechanism;
and a data packing module, configured to perform transmission processing on the first data to be sent from the first network end to the second network end, the user identity information and the data transmission parameters determined in real time, according to the data transmission requirements and the data transmission parameters determined in real time, to obtain the second two-dimensional code data.
In some embodiments, the data packing module may include:
the data framing module is used for framing and packaging data of first data to be sent to the second network end by the first network end according to a preset interface definition format to obtain a first data packet; framing and packaging data of the data transmission parameters determined in real time and the user identity information according to a preset interface definition format to obtain a second data packet;
the protocol adaptation module is used for carrying out protocol adaptation on the first data packet and the second data packet according to a preset data frame format;
the data encryption module is used for encrypting the first data packet after the protocol adaptation by utilizing an encryption mode determined in real time;
a channel coding and CRC check module, configured to channel-code the encrypted first data packet using the channel coding mode determined in real time and to perform a CRC check on it using the CRC check mode determined in real time;
a two-dimensional code generating module, configured to convert the protocol-adapted second data packet and the channel-coded and CRC-checked first data packet into the second two-dimensional code data; where the determined data transmission requirements comprise the predetermined interface definition format and the predetermined data frame format, and the data transmission parameters determined in real time comprise the encryption mode, the channel coding mode and the CRC check mode determined in real time.
In some embodiments, the parameter optimization module may include: and the parameter determining module is used for determining data transmission parameters in real time according to one or more of the current network, the security level requirement and the size of the first data.
In some embodiments, the verification unit 230 may include: and the identity authentication module is used for authenticating the current access user of the second network terminal by searching whether the user identity information in the connection request data exists locally at the first network terminal.
In some embodiments, the first network is the internet and the second network is a private network; or, the first network is a private network, and the second network is the internet.
In other embodiments, the apparatus for securely transmitting data between networks shown in fig. 2 may further include:
the access control module is used for monitoring whether the first data to be sent to a second network end exists in a first network end or the first two-dimensional code data to be received from the second network end exists in the first network end;
a transceiving control module, configured, when the first network end has first two-dimensional code data to be received from the second network end, to determine whether to receive it according to the transceiving state of the first network end and, when reception is decided, to execute the step of scanning the two-dimensional code display area of the second network end from the first network end to obtain the first two-dimensional code data;
and a transmission processing module, configured, when it is monitored that the first network end has first data to be sent to the second network end, to determine whether to transmit it according to the transceiving state of the first network end and, when transmission is decided, to execute the step of performing transmission processing on the first data to be sent from the first network end to the second network end and the user identity information according to the data transmission requirement to obtain the second two-dimensional code data.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method described in the above embodiments.
In order that those skilled in the art will better understand the present invention, embodiments of the present invention will be described below with reference to specific examples.
In order to ensure real-time, secure and effective data transmission under demanding application environments, achieving data exchange between networks while reducing cost and improving efficiency, this embodiment provides a method and apparatus for secure inter-network data transmission, taking data transmission between an internal network and an external network as an example; it strengthens authority identification, authentication, a file distribution confirmation mechanism and channel encryption during the data exchange.
For a physically isolated internal network and external network, information is transferred between them securely by means of two-dimensional code technology, which solves the problem of real-time interaction between the internal and external networks while genuinely meeting the requirement that the internal network be completely physically isolated, thereby ensuring the security of the internal network.
Referring to fig. 3, an apparatus for secure inter-network data transmission according to an embodiment may include an external network transceiving control unit 300 and an internal network transceiving control unit 400. The external network transceiving control unit 300 may include an external network data transmitting unit 310, an external network data receiving unit 320, an external network control unit 330 and an external network log auditing unit 340. The internal network transceiving control unit 400 may include an internal network data transmitting unit 410, an internal network data receiving unit 420, an internal network control unit 430 and an internal network log auditing unit 440.
In the external network transceiving control unit 300 and the internal network transceiving control unit 400, the data transmitting unit is mainly used to send data; the control unit mainly controls the sending and receiving timing, the sending and receiving permissions and the service scheduling of the whole external network (or internal network) side; and the log auditing unit mainly records and stores every operation step so that it can later be backed up, checked and traced. The data transmitting unit may mainly include a data framing module, a user authorization identification module, a protocol adaptation module, a data encryption module, a channel coding and data CRC check module, a two-dimensional code generation module and a two-dimensional code display module. The data receiving unit may mainly include a scanning module, a two-dimensional code decoding module, a channel decoding and data CRC check module, a data decryption module, a protocol parsing module, a user authorization analysis module and a data reassembly module. The control unit may mainly include an access control module, a transceiving control module and a task scheduling module. The log auditing unit mainly comprises a log recording module, a log approval module and a log storage module.
In the data transmitting unit: the data framing module frames and packs the data to be transmitted according to the interface definition. The user authorization identification module determines the user authorization and the access policy. The protocol adaptation module completes the protocol adaptation, ensuring the consistency and uniformity of the internal interface and the security and stability of the network interface. The data encryption module encrypts the data to be sent according to the currently agreed encryption algorithm, and the channel coding and data CRC check module performs channel coding and CRC checking according to the agreed channel coding mode and CRC check mode, where the channel coding mode may be chosen dynamically, for example among BCH, Turbo and LDPC codes. The encryption algorithm, the channel coding mode and the CRC algorithm can all be determined in real time, which raises the encryption grade and better meets the real-time requirements on encryption, channel coding and CRC. The two-dimensional code generation module generates a two-dimensional code from the channel-coded and CRC-checked data so that it can be shown on the display module (for example a display screen), completing the transmission process.
The data receiving unit implements the inverse of the data transmitting unit. The scanning module (for example a scanner) scans the two-dimensional code image shown on the display module, and the two-dimensional code decoding module recovers the data sequence carried by the code. The channel decoding and data CRC check module performs channel decoding and the CRC check on the data according to the agreed modes; if the CRC check passes, the flow proceeds to the next module, and if it fails, the data is retransmitted. The data decryption module decrypts the data and restores the real data for protocol parsing. The protocol parsing module splits the data and parses it according to the agreed protocol. The user authorization analysis module performs user authorization analysis according to the ID number of the current user, so that the current data can only be parsed by the current user and other users cannot effectively parse data intended for that user. The data reassembly module parses the data according to the interface definition to obtain the data sent by the transmitting end, ready for subsequent business operations.
The control unit enables bidirectional data transfer in which reception and transmission do not interfere with each other and both work effectively; it mainly comprises the access control module, the transceiving control module and the task scheduling module. The access control module monitors the current working state of the transceiving unit and judges whether data needs to be received or sent; when data currently needs access, the access control module decides, according to the working state of the transceiving control unit, whether to admit it, starting the data access if so and rejecting it otherwise. The transceiving control module, when the admitted data is to be processed further, prepares the data and controls transmission and reception, deciding from the current transceiving situation whether received data should be processed or data should be sent. The task scheduling module coordinates the work of all the internal modules so that the whole transceiving flow runs smoothly.
The log auditing unit mainly authenticates the current log, records the current data transmission and its log, and stores them in the corresponding storage unit according to the applicable control authority, providing a basis and evidence for later retrieval and tracing. It mainly comprises a log recording module, a log approval module and a log storage module. The log recording module keeps an effective log of all operations and data transfers, so that related operations are fully documented. The log approval module classifies and manages logs according to each person's authority, keeping the log data secure and controllable. The log storage module stores the logs in the corresponding storage units according to authority and classification, meeting the traceability requirement for subsequent data.
In short, these units implement data transmission and reception, data packing and unpacking, channel coding and decoding, encryption and decryption, two-dimensional code generation, scanning and reading, and the recording and auditing of the whole process. At the same time, to ensure transmission efficiency, the sending and receiving of the transmitting unit are effectively controlled and scheduled, which keeps the whole transceiving unit working and operating normally.
Referring to fig. 4, taking an example that an extranet sends data to an intranet, the method for securely transmitting data between networks according to a specific embodiment may include the following steps:
S501: framing and packing the data to be sent according to the format defined by the interface;
S502: performing user access authority identification on the receiving party in the intranet; if the current access user is not authorized, no data interaction takes place, and if the user passes the authority identification, the encryption key, channel coding mode and CRC check mode currently determined in real time are exchanged, so that the current user's data can be better protected;
S503: performing protocol adaptation on the current data frame, so that the intranet interface is uniform, which facilitates data parsing and security on the intranet side and prevents illegal intrusion attacks from being mounted through the interface;
S504: encrypting the protocol-adapted data; the encryption mode can be allocated for this transmission alone, and since the encryption algorithm changes dynamically, an illegal intruder cannot analyze the transmitted content. Referring to fig. 7, the encryption of step S504 may include: generating a key, generating the ciphertext from the plaintext, and packing the data for sending to the receiving end;
S505: channel coding the encrypted data, for example with BCH, Turbo, LDPC or another coding mode, to ensure the stability of the transmission; in addition, the CRC can be computed after encryption to ensure the accuracy of the data at the receiving end;
S506: passing the channel-coded and CRC-checked data to the two-dimensional code generation module, which generates the two-dimensional code for the current data and pushes it to the display module for display on the screen, at which point the extranet side is ready to transmit. Throughout this process each operation step can be recorded, audited and stored by the log auditing unit, ensuring that the data is reversible and traceable.
S507: the intranet scans the two-dimensional code image on the extranet display screen at regular intervals with a code scanner to obtain the two-dimensional code data, which the two-dimensional code decoding module decodes;
S508: channel decoding and CRC checking are performed on the decoded data, where the channel decoding mode and CRC check mode determined in real time are obtained from the packet that was sent from the extranet to the intranet together with the data after step S502;
S509: decrypting according to the key, encryption sequence and other information sent by the extranet after step S502; referring to fig. 8, step S509 may specifically include unpacking the channel-decoded and CRC-checked data, recovering the plaintext from the ciphertext sequence with the decryption algorithm, and decoding it;
S510: performing protocol parsing on the decrypted data according to the format defined by the agreed interface;
S511: performing user authorization analysis with the user authorization analysis module, so that only the current user has access authority;
S512: reassembling the parsed data packet to obtain the original data, completing reception on the intranet side.
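The following Python program is an added example, not code from the patent or its assignee. It runs the sender pipeline of steps S1421 to S1425 (the fig. 4 steps S501 to S506) and its inverse (S507 to S512) on one host, so that the framing, protocol adaptation, encryption, channel coding and CRC stages can be traced end to end and the error-correction and user-check behaviour exercised. Everything concrete in it is an assumption: a struct-based interface definition and a one-byte frame type stand in for the unspecified formats, a SHA-256 counter keystream stands in for the cipher selected in real time, byte-repetition codes stand in for the BCH, Turbo and LDPC codes named, and base64 text stands in for the pixels of the two-dimensional code. Two points are worth noticing when reading it: the CRC detects accidental corruption and triggers retransmission but says nothing about deliberate tampering, and the parameter packet (the "second data packet") is readable by anyone who can see the code, so confidentiality rests on the key rather than on which modes were picked.

```python
import base64
import hashlib
import struct
import zlib

INTERFACE_FMT = ">16sIH"                 # assumed interface definition: user id, seq, length
HDR_LEN = struct.calcsize(INTERFACE_FMT)
FRAME_DATA, FRAME_PARAMS = 0x01, 0x02    # assumed data frame format: one leading type byte

def frame(user_id: bytes, seq: int, payload: bytes) -> bytes:
    """S1421 / S501: framing and packing according to the interface definition."""
    if len(user_id) > 16 or len(payload) > 0xFFFF:
        raise ValueError("user id or payload exceeds the interface definition")
    return struct.pack(INTERFACE_FMT, user_id.ljust(16, b"\0"), seq, len(payload)) + payload

def unframe(packet: bytes):
    """Data reassembly: parse the interface header back into its fields."""
    if len(packet) < HDR_LEN:
        raise ValueError("packet shorter than interface header")
    user_id, seq, length = struct.unpack(INTERFACE_FMT, packet[:HDR_LEN])
    body = packet[HDR_LEN:HDR_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return user_id.rstrip(b"\0"), seq, body

def adapt(frame_type: int, packet: bytes) -> bytes:
    """S1422 / S503: protocol adaptation to the agreed data frame format."""
    return bytes([frame_type]) + packet

def unadapt(frame_bytes: bytes, expected_type: int) -> bytes:
    """Protocol parsing: verify the frame type, then strip it."""
    if not frame_bytes or frame_bytes[0] != expected_type:
        raise ValueError("unexpected frame type")
    return frame_bytes[1:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHA-256 counter keystream: a demonstration stand-in for a real cipher (no authenticity).
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

# Modes selectable "in real time" (S1423/S1424); the mode names are assumptions.
ENCRYPTION_MODES = {"ks-sha256": (xor_keystream, xor_keystream)}           # (encrypt, decrypt)
CRC_MODES = {"crc32": (lambda d: struct.pack(">I", zlib.crc32(d)), 4),      # detects accidental
             "adler32": (lambda d: struct.pack(">I", zlib.adler32(d)), 4)}  # errors, not tampering
CHANNEL_MODES = {"rep3": 3, "rep5": 5}   # byte-repetition codes stand in for BCH/Turbo/LDPC

def rep_encode(data: bytes, r: int) -> bytes:
    return bytes(b for b in data for _ in range(r))

def rep_decode(data: bytes, r: int) -> bytes:
    """Majority vote over the r copies of each byte (corrects fewer than r/2 bad copies)."""
    if len(data) % r:
        raise ValueError("coded length is not a multiple of the repetition factor")
    chunks = (data[i:i + r] for i in range(0, len(data), r))
    return bytes(max(set(c), key=c.count) for c in chunks)

def send_process(first_data: bytes, user_id: bytes, params: dict, key: bytes, seq: int) -> str:
    """S1421-S1425 / S501-S506: build the 'second two-dimensional code data'."""
    pkt1 = adapt(FRAME_DATA, frame(user_id, seq, first_data))
    param_blob = ";".join(params[k] for k in ("enc", "chan", "crc")).encode()
    pkt2 = adapt(FRAME_PARAMS, frame(user_id, seq, param_blob))   # stays in the clear
    encrypt, _ = ENCRYPTION_MODES[params["enc"]]
    ct = encrypt(key, seq.to_bytes(8, "big"), pkt1)
    crc_fn, _ = CRC_MODES[params["crc"]]
    coded = rep_encode(ct + crc_fn(ct), CHANNEL_MODES[params["chan"]])
    body = struct.pack(">H", len(pkt2)) + pkt2 + coded
    return base64.b64encode(body).decode()    # base64 text stands in for the QR image

def receive_process(qr_data: str, key: bytes, allowed_users: set) -> bytes:
    """S507-S512: the sender's steps in reverse, with the parameter packet read first."""
    body = base64.b64decode(qr_data)
    n2 = struct.unpack(">H", body[:2])[0]
    user_id, seq, param_blob = unframe(unadapt(body[2:2 + n2], FRAME_PARAMS))
    if user_id not in allowed_users:                  # user authorization analysis (S511)
        raise PermissionError("user not authorized at this end")
    enc, chan, crc = param_blob.decode().split(";")
    ct_crc = rep_decode(body[2 + n2:], CHANNEL_MODES[chan])
    crc_fn, crc_len = CRC_MODES[crc]
    ct, tag = ct_crc[:-crc_len], ct_crc[-crc_len:]
    if crc_fn(ct) != tag:
        raise ValueError("CRC mismatch: request retransmission")
    plain_pkt = ENCRYPTION_MODES[enc][1](key, seq.to_bytes(8, "big"), ct)
    uid, seq2, data = unframe(unadapt(plain_pkt, FRAME_DATA))
    if (uid, seq2) != (user_id, seq):     # encrypted header must agree with the clear one
        raise ValueError("identity or sequence mismatch between the two packets")
    return data

def corrupt(qr_data: str, offset_from_end: int) -> str:
    """Constructed channel error: invert one byte inside the channel-coded region."""
    body = bytearray(base64.b64decode(qr_data))
    body[-offset_from_end] ^= 0xFF
    return base64.b64encode(bytes(body)).decode()

def demo() -> dict:
    params = {"enc": "ks-sha256", "chan": "rep3", "crc": "crc32"}
    key = hashlib.sha256(b"session key agreed after authentication (constructed)").digest()
    plain = b"report.csv contents"
    qr = send_process(plain, b"alice", params, key, seq=7)
    out = {"roundtrip": receive_process(qr, key, {b"alice"}),
           "corrected": receive_process(corrupt(qr, 1), key, {b"alice"})}
    try:
        receive_process(qr, key, {b"bob"})
        out["other_user"] = "accepted"
    except PermissionError:
        out["other_user"] = "rejected"
    try:
        out["wrong_key"] = receive_process(qr, b"wrong key", {b"alice"}) != plain
    except ValueError:
        out["wrong_key"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints the demo dictionary: the plain round trip, the recovery of one corrupted byte by majority vote, the rejection of a user absent from the receiving end's list, and the failure of a wrong key. The real-time mode identifiers are carried inside the clear parameter packet exactly so that the receiver can pick the matching decoder, which is why the example treats them as configuration rather than as secrets.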
The user authorization identification module works as follows: 1) the receiving end connects to the identity authentication module within user authentication and identification through a network request; 2) the identity authentication module verifies the identity ID of the applicant at the receiving end; 3) if the user is legitimate, the connection is established and the encryption mode, channel coding mode, ciphertext, encryption serial number and other contents to be used are returned, and if the user is illegitimate, the connection is refused; 4) when the receiving end issues the access request, the access control unit judges it according to the current condition of the sending end and feeds the result back to the receiving end; 5) once the connection is established, the transmitted content is parsed according to the encryption mode, ciphertext, channel coding mode, encryption sequence and other contents agreed by the two parties; because many parameters are involved, complete parsing is possible only when all of them are held, otherwise the transmitted content cannot be parsed, which increases the technical difficulty for an intruder.
The user authorization identification module can comprise an identity identification module, a file distribution mechanism module, a parameter optimization module and a data packaging module. The identity identification module identifies the user identity of the receiving end through the network request connection: if the identity is legal the connection is established, and if it is illegal the connection is rejected. The file distribution mechanism module can be arranged at both the sending end and the receiving end; through the file distribution mechanism the two parties negotiate, over their channel, how to establish the data transmission mode and mechanism between them. The parameter optimization module optimizes parameters according to the current network, the user priority level, the security level and the data transmission size, so that parameters such as the encryption mode, ciphertext, channel coding mode and encryption sequence can be selected effectively. The data packing module frames and packs the related data according to the agreed distribution mechanism, thereby preparing for the subsequent channel coding and CRC check steps.
Referring to fig. 5, the user authentication and identification method in step S502 may specifically include the following steps:
S5021: performing identity authentication on the request sent by the receiving end; if the identity is legal, entering the data sending preparation work and proceeding to the file distribution mechanism of step S5022;
S5022: determining the file distribution mechanism through negotiation between the sending and receiving ends, so that the distribution mechanism is allocated dynamically and the mechanism is protected dynamically, preventing intrusion by an illegitimate party;
S5023: selecting appropriate parameters, such as the encryption, channel coding and distribution mechanisms, according to the size of the data, the security level requirement of the user and the authority of the user, through a parameter optimization algorithm, in preparation for data transmission;
S5024: packing the data according to the related content, so that the protocol adaptation step S503 and the data encryption step S504 can be performed.
Referring to fig. 6, the receiving end performs the reverse of the transmitting end's processing; that is, the method for user authentication analysis may include the following steps:
S5025: unpacking the received data;
S5026: parsing the parameters of the unpacked data according to the parameter optimization;
S5027: parsing the distribution mechanism according to the relevant parameters;
S5028: the user authentication analysis is completed.
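The receive steps S508 to S512 and the parameter negotiation S5021 to S5028 above, as an added Python example that is not the patent's own code: `send()` runs the sender pipeline of claim 1 (identity check, parameter selection, framing, encryption, CRC, channel coding, packing with the plaintext parameter packet) and `receive()` runs the inverse. The two-dimensional code image is stood in for by the byte string that would be encoded into it; the user ids, keys, mode names, selection policy and frame layout are constructed, and the cipher is a demo HMAC-SHA256 keystream rather than any algorithm named in the patent.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import struct
import zlib

MAGIC = b"QX"  # hypothetical interface-definition marker for the first data packet
AUTHORIZED_USERS = {"user-0001": b"shared-secret-0001"}  # constructed local identity table (claim 4)
CRC_MODES = {"crc32": lambda d: struct.pack(">I", zlib.crc32(d)),  # assignable CRC check modes
             "crc16": lambda d: struct.pack(">H", binascii.crc_hqx(d, 0xFFFF))}

def frame(user_id: str, payload: bytes) -> bytes:
    """First data packet: magic | version | uid length | uid | payload length | payload."""
    uid = user_id.encode()
    return MAGIC + struct.pack(">BB", 1, len(uid)) + uid + struct.pack(">I", len(payload)) + payload

def unframe(pkt: bytes):
    """Inverse of frame() (S510/S512); raises ValueError on a malformed packet."""
    if pkt[:2] != MAGIC or pkt[2] != 1:
        raise ValueError("bad frame header")
    ulen = pkt[3]
    (plen,) = struct.unpack(">I", pkt[4 + ulen:8 + ulen])
    body = pkt[8 + ulen:8 + ulen + plen]
    if len(body) != plen:
        raise ValueError("truncated frame")
    return pkt[4:4 + ulen].decode(), body

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in 'encryption mode': XOR with an HMAC-SHA256 counter-mode keystream (demo only)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def channel_encode(mode: str, data: bytes) -> bytes:
    # Channel coding modes: 'none', or 'rep3' (three copies, bitwise majority vote on decode).
    if mode == "none":
        return data
    if mode == "rep3":
        return data * 3
    raise ValueError("unknown channel coding mode " + mode)

def channel_decode(mode: str, coded: bytes) -> bytes:
    if mode == "none":
        return coded
    if mode == "rep3":
        n = len(coded) // 3
        a, b, c = coded[:n], coded[n:2 * n], coded[2 * n:3 * n]
        return bytes((x & y) | (x & z) | (y & z) for x, y, z in zip(a, b, c))
    raise ValueError("unknown channel coding mode " + mode)

def choose_parameters(data_size: int, security_level: str) -> dict:
    """Parameter optimization (S5023); this selection policy is constructed for the example."""
    return {"enc": "hmac-ctr", "chan": "rep3" if data_size < 2048 else "none",
            "crc": "crc32" if security_level == "high" else "crc16",
            "nonce": base64.b64encode(os.urandom(8)).decode()}  # the 'encryption sequence'

def send(user_id: str, first_data: bytes, security_level: str = "high") -> bytes:
    """Sender (S5021-S5024, then claim 1): returns the bytes to render as the QR image."""
    if user_id not in AUTHORIZED_USERS:                       # S5021 identity check
        raise PermissionError("identity not found locally")
    params = choose_parameters(len(first_data), security_level)
    ct = keystream_xor(AUTHORIZED_USERS[user_id], base64.b64decode(params["nonce"]),
                       frame(user_id, first_data))            # encrypt the first packet
    ct += CRC_MODES[params["crc"]](ct)                        # CRC over the ciphertext
    coded = channel_encode(params["chan"], ct)                # then channel coding
    pkt2 = json.dumps({"user": user_id, **params}).encode()   # second packet stays plaintext
    return base64.b64encode(struct.pack(">H", len(pkt2)) + pkt2 + coded)

def receive(qr_payload: bytes):
    """Receiver (S508-S512): inverse pipeline; returns (user_id, first_data)."""
    raw = base64.b64decode(qr_payload)                        # stands in for QR decoding
    (l2,) = struct.unpack(">H", raw[:2])
    params = json.loads(raw[2:2 + l2])                        # S5025-S5027: unpack parameters
    user_id = params["user"]
    if user_id not in AUTHORIZED_USERS:                       # S511 authorization analysis
        raise PermissionError("user not authorized")
    ct = channel_decode(params["chan"], raw[2 + l2:])         # S508 channel decoding
    tag_len = len(CRC_MODES[params["crc"]](b""))
    body, tag = ct[:-tag_len], ct[-tag_len:]
    if CRC_MODES[params["crc"]](body) != tag:                 # S508 CRC: channel errors only
        raise ValueError("CRC mismatch after channel decoding")
    pkt1 = keystream_xor(AUTHORIZED_USERS[user_id], base64.b64decode(params["nonce"]), body)
    uid, data = unframe(pkt1)                                 # S509 decrypt, S510/S512 unpack
    if uid != user_id:
        raise ValueError("frame user id differs from the negotiated user")
    return uid, data

def flip_bit(qr_payload: bytes, byte_offset: int, bit: int) -> bytes:
    """Constructed channel error: flip one bit inside the coded region."""
    raw = bytearray(base64.b64decode(qr_payload))
    (l2,) = struct.unpack(">H", raw[:2])
    raw[2 + l2 + byte_offset] ^= 1 << bit
    return base64.b64encode(bytes(raw))
```

With `rep3` selected, a single flipped bit is repaired by the majority vote and the CRC still matches; with `none` selected the CRC rejects it. Note that the CRC only detects transmission errors, it is not an integrity check against tampering, which is why a deployment would pair the encryption mode with an authenticated cipher or MAC.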
The whole external network control unit comprises a data sending process and a data receiving process. By combining the data sent by the external network and the data received by the internal network into the same transceiving control unit, the cost can be reduced while the real-time requirement on the data is still met. The purpose of the extranet control unit is to obtain the data actually transmitted: the data to be sent or received is formed into a two-dimensional code picture by two-dimensional code technology, the related data is then scanned and read by the scanner, and the data is then analyzed, unpacked, decoded and so on.
The system can meet the specific exchange requirements of the internal and external networks, including scenarios with real-time requirements. In the process of transmitting the two-dimensional code, the channel is coded and encrypted, which improves the error correction capability and efficiency of channel transmission. The transmitted data is effectively encrypted, so security risks and hidden dangers can be reduced. Adding a CRC to the channel transmission process ensures the stability and transmission efficiency of data transmission. Mutual interference between receiving and transmitting during transmission can be eliminated through transceiving control, so that the requirement for bidirectional transmission can be met.
On the one hand, the relative stability and the security of internal and external network data exchange can be ensured; on the other hand, the real-time performance and high efficiency of the data are ensured by adopting bidirectional data transmission based on two-dimensional code technology. The method can solve the problems that existing data transmission modes are prone to mechanical failure, poor in real-time performance and complex to operate, and can also solve the problems that the prior art cannot realize bidirectional transmission and is low in transmission efficiency and poor in stability. The characteristics and advantages of two-dimensional code technology are fully exploited: it offers a high security level, meets the real-time requirements of the current Internet, and can improve transmission security and stability while reducing the cost of the whole device. This enables the data transmission to be adapted to many complex environments.
To sum up, in the internetwork data secure transmission method, the internetwork data secure transmission apparatus and the computer readable storage medium according to the embodiments of the present invention, the first network scans the two-dimensional code display area of the second network to obtain the first two-dimensional code data, and receives and processes the first two-dimensional code data according to the predetermined data transmission requirement to obtain the connection request data sent from the second network to the first network. It performs identity authentication on the currently accessing user of the second network according to the user identity information in the connection request data. When the identity authentication passes, it sends and processes the first data to be sent from the first network to the second network, together with the user identity information, according to the data transmission requirement to obtain the second two-dimensional code data, and displays the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network. The second network terminal scans the display area of the first network terminal to obtain the second two-dimensional code data, and receives and processes it according to the data transmission requirement, so that the currently accessing user of the second network terminal obtains the first data. In this way, real-time data transmission between the two ends can be realized while the first network and the second network remain physically isolated, and the security of the data transmission is greatly improved through user authorization.
In the description herein, reference to the description of the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," "an example," "a particular example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. The sequence of steps involved in the various embodiments is provided to schematically illustrate the practice of the invention, and the sequence of steps is not limited and can be suitably adjusted as desired.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for securely transmitting data between networks is characterized by comprising the following steps:
scanning a two-dimensional code display area of a second network end by a first network end to obtain first two-dimensional code data; wherein the first network and the second network are physically isolated from each other;
receiving and processing the first two-dimensional code data according to a preset data transmission requirement to obtain connection request data sent to the first network end by the second network end;
performing identity authentication on the current access user of the second network terminal according to the user identity information in the connection request data;
under the condition that the identity authentication is passed, sending first data to be sent to the second network end by the first network end and the user identity information according to the data transmission requirement to obtain second two-dimensional code data;
displaying a two-dimensional code image corresponding to the second two-dimensional code data in a display area of the first network end so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data, and receiving and processing the second two-dimensional code data according to the data transmission requirement so that a current access user of the second network end obtains the first data;
under the condition that the identity authentication is passed, sending and processing first data to be sent to the second network end by the first network end and the user identity information according to the data transmission requirement to obtain second two-dimensional code data, wherein the sending and processing comprises the following steps:
determining data transmission parameters in real time under the condition that the identity authentication is passed, wherein the data transmission parameters comprise an encryption mode, a channel coding mode, a CRC (cyclic redundancy check) mode and a data distribution mechanism;
sending and processing first data to be sent to the second network end by the first network end, the user identity information and the data transmission parameters determined in real time according to the data transmission requirements and the data transmission parameters determined in real time to obtain second two-dimensional code data;
according to the data transmission requirement and the data transmission parameters determined in real time, sending and processing first data sent to the second network end by the first network end, the user identity information and the data transmission parameters determined in real time to obtain second two-dimensional code data, and the method comprises the following steps:
performing data framing and packaging on first data to be sent to the second network end by the first network end according to a preset interface definition format to obtain a first data packet; framing and packaging data of the data transmission parameters determined in real time and the user identity information according to a preset interface definition format to obtain a second data packet;
performing protocol adaptation on the first data packet and the second data packet according to a predetermined data frame format;
encrypting the first data packet after the protocol adaptation by utilizing a real-time determined encryption mode;
performing channel coding on the encrypted first data packet by using a channel coding mode determined in real time, and performing CRC (cyclic redundancy check) on the encrypted first data packet by using a distributed CRC mode;
converting the second data packet after the protocol adaptation and the first data after the channel coding and the CRC check into second two-dimensional code data;
wherein the determined data transmission requirements comprise a predetermined interface definition format and a predetermined data frame format; the data transmission parameters determined in real time comprise an encryption mode determined in real time, a channel coding mode determined in real time and a CRC (cyclic redundancy check) mode determined in real time.
2. The method for securely transmitting data between networks according to claim 1, wherein receiving and processing the first two-dimensional code data according to a predetermined data transmission requirement to obtain connection request data sent from the second network to the first network, comprises:
performing two-dimensional code decoding processing on the first two-dimensional code data;
performing channel decoding on the data subjected to the two-dimensional code decoding processing by using an agreed channel coding mode, and performing CRC verification on the data subjected to the two-dimensional code decoding processing by using an agreed CRC verification mode;
carrying out data splitting and protocol analysis on the data after channel decoding and CRC verification according to a preset data frame format;
analyzing and recombining the data after the data splitting and the protocol analysis according to a preset interface definition format to obtain connection request data sent to the first network end by the second network end;
wherein the predetermined data transmission requirements include a predetermined interface definition format and a predetermined data frame format.
3. The method for securely transmitting internetwork data according to claim 1, wherein the determining the data transmission parameters in real time comprises:
determining data transmission parameters in real time according to one or more of current network, security level requirements, and size of the first data.
4. The method for securely transmitting internetwork data according to claim 1, wherein the authenticating the currently accessed user of the second network according to the user identity information in the connection request data comprises:
and performing identity authentication on the current access user of the second network terminal by searching whether the user identity information in the connection request data exists locally on the first network terminal.
5. The method for securely transmitting data between networks according to claim 1, wherein the first network is the internet and the second network is a private network; or, the first network is a private network, and the second network is the internet.
6. The method for securely transmitting data between networks according to claim 1, further comprising:
monitoring whether first data to be sent to a second network end exists in a first network end or first two-dimensional code data to be received from the second network end exists in the first network end;
when the first network terminal is monitored to have the first two-dimensional code data from the second network terminal to be received, determining whether to receive the first two-dimensional code data according to the receiving and sending state of the first network terminal, and under the condition that the first two-dimensional code data is determined to be received, executing a step of scanning a two-dimensional code display area of the second network terminal by the first network terminal to obtain the first two-dimensional code data;
when the first network side is monitored to have the first data to be sent to the second network side, whether the first data are sent or not is determined according to the receiving and sending state of the first network side, and under the condition that the first data are determined to be sent, the first data to be sent to the second network side by the first network side and the user identity information are sent according to the data transmission requirements, so that second two-dimensional code data are obtained.
7. An apparatus for secure transmission of data between networks, comprising:
the scanning unit is used for scanning a two-dimensional code display area of a second network end by a first network end to obtain first two-dimensional code data; wherein the first network and the second network are physically isolated from each other;
the receiving unit is used for receiving and processing the first two-dimensional code data according to a preset data transmission requirement to obtain connection request data sent to the first network end by the second network end;
the verification unit is used for verifying the identity of the current access user of the second network terminal according to the user identity information in the connection request data;
the sending unit is used for sending and processing the first data to be sent to the second network end by the first network end and the user identity information according to the data transmission requirement under the condition that the identity authentication is passed, so as to obtain second two-dimensional code data;
the display unit is used for displaying the two-dimensional code image corresponding to the second two-dimensional code data in the display area of the first network end so that the second network end scans the display area of the first network end to obtain the second two-dimensional code data, and receiving and processing the second two-dimensional code data according to the data transmission requirement, so that a current access user of the second network end obtains the first data;
a transmitting unit comprising:
the parameter optimization module is used for determining data transmission parameters in real time under the condition that the identity authentication is passed, wherein the data transmission parameters comprise an encryption mode, a channel coding mode, a CRC (cyclic redundancy check) mode and a data distribution mechanism;
the data packing module is used for sending and processing the first data sent to the second network end by the first network end, the user identity information and the data transmission parameters determined in real time according to the data transmission requirements and the data transmission parameters determined in real time to obtain second two-dimensional code data;
a data framing and packaging module comprising:
the data framing module is used for framing and packaging data of first data to be sent to the second network end by the first network end according to a preset interface definition format to obtain a first data packet; framing and packaging data of the data transmission parameters determined in real time and the user identity information according to a preset interface definition format to obtain a second data packet;
the protocol adaptation module is used for carrying out protocol adaptation on the first data packet and the second data packet according to a preset data frame format;
the data encryption module is used for encrypting the first data packet after the protocol adaptation by utilizing an encryption mode determined in real time;
the channel coding and CRC checking module is used for carrying out channel coding on the encrypted first data packet by utilizing a channel coding mode determined in real time and carrying out CRC checking on the encrypted first data packet by utilizing an allocated CRC checking mode;
the two-dimensional code generating module is used for converting the second data packet after the protocol adaptation and the first data after the channel coding and the CRC check into second two-dimensional code data; wherein the determined data transmission requirements comprise a predetermined interface definition format and a predetermined data frame format; the data transmission parameters determined in real time comprise an encryption mode determined in real time, a channel coding mode determined in real time and a CRC (cyclic redundancy check) mode determined in real time.
8. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
CN201910735855.1A 2019-08-09 2019-08-09 Method and device for safely transmitting data between networks Active CN110401673B (en)
Publications (2)

Publication Number Publication Date
CN110401673A CN110401673A (en) 2019-11-01
CN110401673B true CN110401673B (en) 2022-01-21

Family

ID=68327941

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant