CN116633698B - Data transmission method, apparatus, computer device, storage medium, and program product - Google Patents


Info

Publication number
CN116633698B
Authority
CN
China
Prior art keywords
data
user
data packet
verification
transmitted
Prior art date
Legal status
Active
Application number
CN202310913190.5A
Other languages
Chinese (zh)
Other versions
CN116633698A (en)
Inventor
陈文华
陈鸿杰
王爱宝
蒋春元
李澄宇
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202310913190.5A
Publication of CN116633698A
Application granted
Publication of CN116633698B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information: the source of the received data
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms for identity verification or message authentication involving digital signatures
    • H04L 9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to a data transmission method, apparatus, computer device, storage medium and program product. The method comprises the following steps: receiving a data verification rule sent by a zero trust controller and a data packet to be transmitted sent by a zero trust proxy node, where the data packet to be transmitted is obtained after the zero trust proxy node adds check data into the initial data packet; performing data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result. By adopting the method, the security of the data transmission process can be improved.

Description

Data transmission method, apparatus, computer device, storage medium, and program product
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data transmission method, apparatus, computer device, storage medium, and program product.
Background
With the development of computer technology, zero trust networks have emerged. A zero trust network refers to a network in which there is no trust between users and data transfer is performed in an anonymous manner.
The conventional technology transmits IP data packets over the TCP/IP protocol (Transmission Control Protocol/Internet Protocol) in a zero trust network, thereby realizing data transmission.
However, the conventional data transmission method has a problem of low security.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data transmission method, apparatus, computer device, storage medium, and program product capable of improving data transmission security.
In a first aspect, the present application provides a data transmission method. The method is applied to the zero trust gateway in the zero trust communication network, and comprises the following steps:
receiving a data verification rule sent by a zero trust controller and a data packet to be transmitted sent by a zero trust proxy node; the data packet to be transmitted is obtained by adding check data into the initial data packet by the zero trust proxy node;
performing data verification on verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result;
and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In one embodiment, the verification data includes user session information and user signature information; the user session information indicates the address information and session count information generated while establishing the session connection with the zero trust proxy node, the user signature information indicates identity parameters of the user sending the initial data packet, and the data verification rule includes a user session information verification rule and a data signature verification rule. Performing data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result comprises:
performing data verification on the user session information in the data packet to be transmitted according to the user session information verification rule to generate a first data verification result;
performing data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule to generate a second data verification result;
and generating the data verification result according to the first data verification result and the second data verification result.
In one embodiment, the performing data verification on the user session information in the data packet to be transmitted according to the user session information verification rule, to generate a first data verification result, includes:
determining the network address type of the data packet to be transmitted according to the address information; the network address type comprises a public network address type and a private network address type;
determining whether the source network address in the data packet to be transmitted needs to be updated according to the network address type of the data packet to be transmitted, and generating an intermediate data packet;
and carrying out data verification on the session count information in the intermediate data packet according to the user session information verification rule, and generating the first data verification result.
In one embodiment, the determining, according to the network address type of the to-be-transmitted data packet, whether the source network address in the to-be-transmitted data packet needs to be updated, to generate an intermediate data packet includes:
if the network address type of the data packet to be transmitted is the private network address type, the data packet to be transmitted is used as the intermediate data packet;
and if the network address type of the data packet to be transmitted is the public network address type, updating the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, and generating the intermediate data packet.
In one embodiment, the performing data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule, to generate a second data verification result, includes:
carrying out data verification on the user signature information in the intermediate data packet according to the data signature verification rule, and generating the second data verification result.
In one embodiment, the method further comprises:
determining a data packet which fails to pass the verification from the data packets to be transmitted, and generating abnormal session information according to the data packet which fails to pass the verification;
the abnormal session information is sent to a zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
In a second aspect, the application further provides a data transmission method. The method is applied to the zero trust controller in the zero trust communication network, and comprises the following steps:
receiving user certificates and user standard session information sent by a zero trust proxy node;
generating a data verification rule according to the user certificate and the user standard session information;
sending the data verification rule to a zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a third aspect, the present application further provides a data transmission method. The method is applied to the zero trust proxy node in the zero trust communication network, and comprises the following steps:
acquiring a user certificate, user standard session information and an initial data packet;
transmitting the user certificate and the user standard session information to a zero trust controller, so that the zero trust controller generates a data verification rule based on the user certificate and the user standard session information and transmits the data verification rule to a zero trust gateway;
adding check data into the initial data packet, generating a data packet to be transmitted, and sending the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a fourth aspect, the application further provides a data transmission device. The device is applied to a zero trust gateway in a zero trust communication network, and comprises:
the data packet to be transmitted receiving module is used for receiving a data check rule sent by the zero trust controller and a data packet to be transmitted sent by the zero trust proxy node; the data packet to be transmitted is obtained by adding check data into the initial data packet by the zero trust proxy node;
The data verification module is used for carrying out data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result;
and the data transmission module is used for determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a fifth aspect, the present application further provides a data transmission device. The device is applied to the zero trust controller in the zero trust communication network, and comprises:
the information receiving module is used for receiving the user certificate and the user standard session information sent by the zero trust proxy node;
the data verification rule generation module is used for generating a data verification rule according to the user certificate and the user standard session information;
the data verification rule sending module is used for sending the data verification rule to the zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a sixth aspect, the present application further provides a data transmission device. The device is applied to the zero trust proxy node in the zero trust communication network, and comprises:
the information acquisition module is used for acquiring the user certificate, the user standard session information and the initial data packet;
the information sending data verification module is used for sending the user certificate and the user standard session information to a zero trust controller so that the zero trust controller generates a data verification rule based on the user certificate and the user standard session information and sends the data verification rule to a zero trust gateway;
the data packet to be transmitted generating module is used for adding check data into the initial data packet, generating a data packet to be transmitted and sending the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a seventh aspect, the present application also provides a zero trust gateway comprising a transceiver, a processor and a memory, the memory storing a computer program, the processor executing the computer program for performing the steps of the method in any of the embodiments of the first aspect.
In an eighth aspect, the present application further provides a zero trust controller, including a transceiver, a processor, and a memory, where the memory stores a computer program, and the processor executes the computer program to control the transceiver to receive a user certificate and user standard session information sent by a zero trust proxy node;
the processor is further configured to generate a data verification rule according to the user certificate and the user standard session information;
and to control the transceiver to send the data verification rule to a zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a ninth aspect, the present application further provides a zero trust proxy node, including a transceiver, a processor, and a memory, where the memory stores a computer program, and the processor executes the computer program to control the transceiver to obtain a user certificate, user standard session information, and an initial data packet;
the processor is further configured to control the transceiver to send the user certificate and the user standard session information to a zero trust controller, so that the zero trust controller generates a data verification rule based on the user certificate and the user standard session information and sends the data verification rule to a zero trust gateway;
and to add check data into the initial data packet, generate a data packet to be transmitted, and control the transceiver to send the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
In a tenth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method in any of the embodiments of the first to third aspects described above.
In an eleventh aspect, the present application also provides a computer program product. The computer program product comprising a computer program which, when executed by a processor, implements the steps of the method in any of the embodiments of the first to third aspects described above.
The data transmission method, the data transmission device, the computer equipment, the storage medium and the program product receive the data verification rule sent by the zero trust controller and the data packet to be transmitted sent by the zero trust proxy node; the data packet to be transmitted is obtained after the zero trust proxy node adds check data into the initial data packet; data verification is performed on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result; and whether to transmit the data packet to be transmitted to the database is determined according to the data verification result. The zero trust proxy node in the embodiment of the application can add the check data into the initial data packet to obtain the repackaged data packet to be transmitted. Therefore, the zero trust gateway can receive the data verification rule sent by the zero trust controller and the repackaged data packet to be transmitted sent by the zero trust proxy node, and perform data verification on the verification data in the repackaged data packet according to the data verification rule to obtain a more accurate data verification result. Furthermore, whether the data packet to be transmitted is transmitted to the database can be determined according to this more accurate data verification result. The application performs data verification on the verification data in the repackaged data packet to be transmitted according to the data verification rule, and transmits only the data packets that pass the data verification, thereby improving the security of the data transmission process.
Drawings
FIG. 1 is a diagram of an application environment for a data transmission method in one embodiment;
FIG. 2 is a flow chart of a data transmission method corresponding to a zero trust gateway in an embodiment;
FIG. 3 is a flow chart illustrating a data verification step in one embodiment;
FIG. 4 is a flowchart illustrating a first data verification result generation step in one embodiment;
FIG. 5 is a flowchart illustrating an abnormal session information sending step in one embodiment;
FIG. 6 is a flowchart of a data transmission method corresponding to a zero trust controller in another embodiment;
FIG. 7 is a flowchart of a data transmission method corresponding to a zero trust proxy node in another embodiment;
FIG. 8 is a schematic diagram of a structure of a data packet to be transmitted according to an embodiment;
FIG. 9 is a flow chart of a data transmission method corresponding to a zero trust gateway in an alternative embodiment;
FIG. 10 is a schematic diagram illustrating a communication system corresponding to a zero trust communication network in one embodiment;
FIG. 11 is a flow diagram of data verification and data transmission in a zero trust communication network in one embodiment;
FIG. 12 is a block diagram of a data transmission device corresponding to a zero trust gateway in one embodiment;
FIG. 13 is a block diagram illustrating a data transmission device corresponding to a zero trust controller according to an embodiment;
FIG. 14 is a block diagram illustrating a data transmission device corresponding to a zero trust proxy node in one embodiment;
FIG. 15 is a schematic diagram of the internal architecture of a zero trust gateway in one embodiment;
FIG. 16 is a schematic diagram of the internal architecture of a zero trust controller in another embodiment;
FIG. 17 is a schematic diagram of the internal structure of a zero trust proxy node in yet another embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
With the development of computer technology, zero trust networks have emerged. A zero trust network refers to a network in which there is no trust between users and data transfer is performed in an anonymous manner.
The conventional technology transmits IP data packets over the TCP/IP protocol (Transmission Control Protocol/Internet Protocol) in a zero trust network, thereby realizing data transmission.
However, the conventional data transmission process is exposed to security problems such as data forgery, data tampering and replay attacks. Therefore, the conventional data transmission method has a problem of low security.
The data transmission method provided by the embodiment of the application can be applied to an application environment shown in figure 1. The communication system 100 corresponding to the zero-trust communication network (i.e., zero-trust network) includes a zero-trust proxy node 102, a zero-trust controller 104, a zero-trust gateway 106, and a database. The zero trust proxy node 102 may obtain data from the user terminal and the zero trust proxy node 102 may send data to the zero trust gateway 106 via the communication network and the zero trust proxy node 102 may also send data to the zero trust controller 104. The communication network comprises a public network and a local area network. The zero trust controller 104 may send data to the zero trust gateway 106. The zero trust gateway 106 may transfer the data to a database or the zero trust gateway 106 may transfer the data to the zero trust controller 104. In the embodiment of the present application, the zero trust gateway 106 receives a data check rule sent by the zero trust controller 104 and a data packet to be transmitted sent by the zero trust proxy node 102; the data packet to be transmitted is obtained after the zero trust proxy node 102 adds check data into the initial data packet; the zero trust gateway 106 performs data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result; the zero trust gateway 106 determines whether to transmit the data packet to be transmitted to the database according to the data verification result.
The user terminal may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The zero trust proxy node 102, the zero trust controller 104, and the zero trust gateway 106 may each be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a data transmission method is provided, which is exemplified by the application of the method to the zero trust gateway 106 in the zero trust communication network in fig. 1, and includes the following steps:
S220, receiving a data check rule sent by the zero trust controller and a data packet to be transmitted sent by the zero trust proxy node; the data packet to be transmitted is obtained after the zero trust proxy node adds the check data into the initial data packet.
The zero-trust communication network is a zero-trust network, which refers to a network in which there is no trust among users and data transmission is performed in an anonymous manner. The communication system corresponding to the zero-trust communication network comprises a zero-trust proxy node, a zero-trust controller, a zero-trust gateway and a database. The data verification rule is a rule generated by the zero trust proxy node and is used for carrying out data verification on data in the data packet to be transmitted. The data packet to be transmitted refers to a data packet which requires data verification in advance and can be transmitted only after the data verification passes. The data packet to be transmitted is a data packet obtained by adding check data into the initial data packet by the zero trust proxy node. The initial packet refers to a packet acquired from the user terminal. The check data refers to the data in the data packet to be transmitted that is used for data verification.
Optionally, since the zero-trust proxy node 102, the zero-trust controller 104, the zero-trust gateway 106, and the database are included in the communication system 100 corresponding to the zero-trust communication network, the zero-trust proxy node 102 and the zero-trust controller 104 may each send data to the zero-trust gateway 106. Thus, optionally, the zero trust gateway 106 may receive the data check rule sent by the zero trust controller 104 and the data packet to be transmitted sent by the zero trust proxy node 102 at the same time; alternatively, the zero trust gateway 106 may receive the data check rule sent by the zero trust controller 104 first, and then receive the data packet to be transmitted sent by the zero trust proxy node 102; alternatively, the zero trust gateway 106 may receive the data packet to be transmitted sent by the zero trust proxy node 102, and then receive the data check rule sent by the zero trust controller 104. It should be noted that, in the embodiment of the present application, the time sequence of receiving the data check rule and receiving the data packet to be transmitted by the zero trust gateway 106 is not limited.
S240, carrying out data verification on verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result.
Optionally, the zero trust gateway 106 may perform data verification on the verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result. Illustratively, assume that the data verification rule includes a verification data threshold and reads: if the check data is smaller than or equal to the check data threshold, the data check passes. The zero trust gateway 106 may then compare the verification data in the data packet to be transmitted with the verification data threshold to generate a data verification result. The data verification rule and the verification data threshold may be set according to the data packet, which is not limited in the embodiment of the present application. The data verification result is either that the data verification passed or that the data verification failed.
S260, determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
Alternatively, the zero trust gateway 106 may determine whether to transmit the data packet to be transmitted to the database according to the data verification result. For example, if the data verification result is that the data verification passed, the zero trust gateway 106 may transmit the data packet to be transmitted to the database. If the data verification result is that the data verification failed, the zero trust gateway 106 may discard the data packet to be transmitted.
In the data transmission method, a data verification rule sent by a zero trust controller and a data packet to be transmitted sent by a zero trust proxy node are received; the data packet to be transmitted is obtained after the zero trust proxy node adds check data into the initial data packet; data verification is performed on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result; and whether to transmit the data packet to be transmitted to the database is determined according to the data verification result. The zero trust proxy node in the embodiment of the application can add the check data into the initial data packet to obtain the repackaged data packet to be transmitted. Therefore, the zero trust gateway can receive the data verification rule sent by the zero trust controller and the repackaged data packet to be transmitted sent by the zero trust proxy node, and perform data verification on the verification data in the repackaged data packet according to the data verification rule to obtain a more accurate data verification result. Furthermore, whether the data packet to be transmitted is transmitted to the database can be determined according to this more accurate data verification result. The application performs data verification on the verification data in the repackaged data packet to be transmitted according to the data verification rule, and transmits only the data packets that pass the data verification, thereby improving the security of the data transmission process.
In the above embodiments, data verification is performed on the verification data in the data packet to be transmitted according to the data verification rule so as to obtain the data verification result; a specific method is described below. In one embodiment, the verification data includes user session information and user signature information, where the user session information indicates the address information and the session count information generated in the process of establishing a session connection with the zero trust proxy node, the user signature information indicates identity parameters of the user sending the initial data packet, and the data verification rule includes a user session information verification rule and a data signature verification rule. As shown in fig. 3, S240 includes:
S320, carrying out data verification on the user session information in the data packet to be transmitted according to the user session information verification rule, and generating a first data verification result.
The verification data may include, but is not limited to, user session information and user signature information, where the user session information indicates the address information and session count information generated during the session connection with the zero trust proxy node. The address information includes information such as a source network address, a destination network address, and the network address from which the data packet to be transmitted is sent. The session count information is the count of session information (the session counter). The user signature information indicates the identity parameters of the user that sent the initial data packet. The identity parameters may include, but are not limited to, a user name, an identification of the user, and the like. Thus, the zero trust gateway 106 may receive verification data such as address information, session count information, identity parameters of the user, and the like. The data verification rule comprises a user session information verification rule and a data signature verification rule. The user session information verification rule is a rule for performing data verification on user session information such as address information and session count information, and the data signature verification rule is a rule for performing data verification on user signature information.
Optionally, the zero trust gateway 106 may perform data verification on the user session information in the data packet to be transmitted according to the user session information verification rule, so as to generate a first data verification result. Illustratively, it is assumed that the user session information verification rule includes a session information threshold, and the user session information verification rule is: if the user session information is less than or equal to the session information threshold, the session information is verified. Then the zero trust gateway 106 may compare the session information threshold with the user session information in the data packet to be transmitted to generate a first data check result. The user session information verification rule and the session information threshold may be set according to the data packet, which is not limited in the embodiment of the present application. The first data verification result includes that the session information verification passes and the session information verification fails.
S340, carrying out data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule, and generating a second data verification result.
Optionally, the zero trust gateway 106 may perform data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule, so as to generate a second data verification result. Illustratively, it is assumed that the data signature verification rule includes a data signature threshold, and the data signature verification rule is: if the user signature information is less than or equal to the data signature threshold, the data signature verification passes. Then the zero trust gateway 106 may compare the data signature threshold with the user signature information in the data packet to be transmitted to generate a second data verification result. The data signature verification rule and the data signature threshold may be set according to the data packet, which is not limited in the embodiment of the present application. The second data verification result is either that the data signature verification passes or that the data signature verification fails.
S360, generating a data verification result according to the first data verification result and the second data verification result.
Alternatively, the zero trust gateway 106 may determine whether the session information check passes and the data signature check passes according to the first data check result and the second data check result. If the first data verification result is that the session information verification passes and the second data verification result is that the data signature verification passes, namely, the session information verification and the data signature verification pass, the data verification result is determined to pass. If the first data verification result is that the session information verification fails, and/or the second data verification result is that the data signature verification fails, namely that at least one verification fails in the session information verification and the data signature verification, determining that the data verification result fails.
In this embodiment, the verification data includes user session information and user signature information, and the data verification rule includes a user session information verification rule and a data signature verification rule. Therefore, the user session information in the data packet to be transmitted can be verified according to the user session information verification rule to accurately generate a first data verification result, and the user signature information in the data packet to be transmitted can be verified according to the data signature verification rule to accurately generate a second data verification result. A more accurate data verification result can then be generated from the more accurate first and second data verification results.
In the above embodiments, the data verification is performed on the user session information in the data packet to be transmitted according to the user session information verification rule, so as to generate a first data verification result, and a specific method thereof is described below. In one embodiment, as shown in fig. 4, S320 includes:
S420, determining the network address type of the data packet to be transmitted according to the address information; the network address types include a public network address type and a private network address type.
Alternatively, the zero trust gateway 106 may obtain, from the address information of the data packet to be transmitted, the network address from which the data packet was sent, and determine the network address type of the data packet to be transmitted according to that sending address. The network address type comprises a public network address type and a private network address type. A public network address is an address directly accessible on the internet. A private network address is an address that can be accessed directly only on the private network. The private network is a local area network, that is, a network formed within a limited area that only computer equipment in that area can access. For example, if the network address from which the data packet to be transmitted is sent is a private network address, the zero trust gateway 106 may determine that the network address type of the data packet to be transmitted is the private network address type; if the network address from which the data packet to be transmitted is sent is a public network address, the zero trust gateway 106 may determine that the network address type of the data packet to be transmitted is the public network address type.
S440, according to the network address type of the data packet to be transmitted, determining whether the source network address in the data packet to be transmitted needs to be updated, and generating a middle data packet.
Optionally, the zero trust gateway 106 may determine, according to the network address type of the data packet to be transmitted, whether the network address for sending the data packet to be transmitted is a public network address or a private network address, so as to determine whether the source network address in the data packet to be transmitted needs to be updated, and further generate the intermediate data packet. Wherein the intermediate data packet is a data packet generated based on the network address type of the data packet to be transmitted.
In one alternative embodiment, S440 includes:
If the network address type of the data packet to be transmitted is the private network address type, taking the data packet to be transmitted as the intermediate data packet.
If the network address type of the data packet to be transmitted is the public network address type, updating the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, and generating a middle data packet.
Optionally, if the network address type of the data packet to be transmitted is the private network address type, that is, the network address from which the data packet to be transmitted is sent is a private network address, this indicates that no network address translation (NAT) has been performed on the data packet to be transmitted. At this time, the source network address in the data packet to be transmitted is the same as the private network address, so the zero trust gateway 106 need not update the data packet to be transmitted and may directly take it as the intermediate data packet.
If the network address type of the data packet to be transmitted is the public network address type, that is, the network address from which the data packet to be transmitted is sent is a public network address, this indicates that the data packet to be transmitted has undergone NAT. At this time, the source network address carried in the data packet to be transmitted is still a private network address, but the real network address of the data packet to be transmitted is the public network address; that is, the source network address in the data packet differs from the real (public) network address. Therefore the zero trust gateway 106 may update the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, thereby generating the intermediate data packet.
S460, data verification is carried out on the session counting information in the intermediate data packet according to the user session information verification rule, and a first data verification result is generated.
Optionally, the zero trust gateway 106 may perform data verification on the session count information in the intermediate data packet according to the user session information verification rule, to generate a first data verification result. Illustratively, it is assumed that the user session information verification rule includes a standard session count, and the user session information verification rule includes: if the session count information in the intermediate data packet is less than or equal to the standard session count, the session information verification passes. Then the zero trust gateway 106 may compare the standard session count with the session count information in the intermediate data packet to generate a first data verification result. The user session information verification rule and the standard session count may be set according to the data packet, which is not limited in the embodiment of the present application. It should be noted that, in the course of verifying the session count information, the zero trust gateway 106 can determine whether duplicate session information has been received; if so, this indicates that a replay attack has occurred, and the first data verification result is that the session information verification fails. In this way replay attacks can be effectively prevented.
In this embodiment, the network address type of the data packet to be transmitted is determined according to the address information, so that whether the network address type is a public network address type or a private network address type can be determined more accurately. Therefore, according to the network address type of the data packet to be transmitted, whether the source network address in the data packet to be transmitted needs to be updated or not can be accurately determined, and therefore the intermediate data packet containing the accurate source network address is generated. Furthermore, the first data verification result can be accurately generated by performing data verification on the session count information in the intermediate data packet containing the accurate source network address according to the user session information verification rule.
In the above embodiment, the data verification is performed on the user signature information in the data packet to be transmitted according to the data signature verification rule, so as to generate the second data verification result, and a specific method thereof is described below. In one embodiment, S340 includes:
Carrying out data verification on the user signature information in the intermediate data packet according to the data signature verification rule, and generating a second data verification result.
Optionally, the zero trust gateway 106 may perform data verification on the user signature information in the intermediate data packet according to the data signature verification rule, to generate a second data verification result. Illustratively, it is assumed that the user session information verification rule includes a user standard signature, and the user session information verification rule includes: if the user signature information in the intermediate data packet is equal to the user standard signature, the session information verification passes. Then the zero trust gateway 106 may compare the user standard signature to the user signature information in the intermediate data packet to generate a second data verification result. The user session information verification rule and the user standard signature may be set according to the data packet, which is not limited in the embodiment of the present application.
In this embodiment, the data verification is performed on the user signature information in the intermediate data packet including the accurate source network address according to the data signature verification rule, so that the second data verification result can be accurately generated.
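The gateway-side checks of S420 to S460 and S340 above, written out as an added Python example that is not part of the patent. The field names, the RFC 1918 ranges used for the private network address type, the duplicate-counter replay check and the constant-time comparison of the signature field are all assumptions of this example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field, replace

# Private network address type: RFC 1918 ranges (an assumption; the patent
# only says "local area network").
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PacketToTransmit:
    """Verification data the gateway has parsed from one packet (hypothetical field names)."""
    source_address: str        # source network address carried in the header
    sending_address: str       # network address the packet actually arrived from
    destination_address: str
    session_count: int         # session counter field added by the proxy node
    user_signature: bytes      # data signature field added by the proxy node


@dataclass
class VerificationRule:
    """Rule received from the zero trust controller plus the gateway's per-session replay state."""
    standard_session_count: int
    user_standard_signature: bytes
    seen_counts: set = field(default_factory=set)


def network_address_type(address: str) -> str:
    """S420: public or private network address type of the sending address."""
    ip = ipaddress.ip_address(address)
    return "private" if any(ip in net for net in PRIVATE_NETWORKS) else "public"


def make_intermediate_packet(pkt: PacketToTransmit) -> PacketToTransmit:
    """S440: a public sending address means NAT occurred, so the header's source
    address is replaced with that public address; otherwise the packet is unchanged."""
    if network_address_type(pkt.sending_address) == "private":
        return pkt
    return replace(pkt, source_address=pkt.sending_address)


def verify_session_count(pkt: PacketToTransmit, rule: VerificationRule) -> bool:
    """S460 (first data verification result): the counter must not exceed the
    standard session count, and a counter seen before is duplicate session
    information, i.e. a replay, so it fails. Counters are only recorded on success."""
    if pkt.session_count > rule.standard_session_count:
        return False
    if pkt.session_count in rule.seen_counts:
        return False
    rule.seen_counts.add(pkt.session_count)
    return True


def verify_signature(pkt: PacketToTransmit, rule: VerificationRule) -> bool:
    """S340 (second data verification result): equality with the user standard
    signature, compared in constant time so timing does not leak how many bytes matched."""
    return hmac.compare_digest(pkt.user_signature, rule.user_standard_signature)


def verify_packet(pkt: PacketToTransmit, rule: VerificationRule):
    """S360 and S520: combine both results; on failure also produce the abnormal
    session information the gateway reports to the controller.
    Returns (passed, intermediate_packet, abnormal_session_info_or_None)."""
    inter = make_intermediate_packet(pkt)
    first = verify_session_count(inter, rule)
    second = verify_signature(inter, rule)
    if first and second:
        return True, inter, None
    abnormal = {
        "source_address": inter.source_address,
        "destination_address": inter.destination_address,
        "session_count": inter.session_count,
        "session_check_passed": first,
        "signature_check_passed": second,
    }
    return False, inter, abnormal
```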
In the above embodiment, whether to transmit the data packet to be transmitted to the database is determined according to the data verification result; a specific method in another embodiment is described below. In one embodiment, as shown in fig. 5, the data transmission method further includes:
S520, determining the data packets that fail the verification from among the data packets to be transmitted, and generating abnormal session information according to the data packets that fail the verification.
Optionally, if the data verification result of a data packet to be transmitted is that the data verification fails, that is, at least one of the session information verification and the data signature verification fails, the zero trust gateway 106 may determine that this data packet is a data packet that fails the verification. On this basis, the zero trust gateway 106 may pick out the data packets that fail the verification from among the data packets to be transmitted, and generate abnormal session information corresponding to each such data packet. The zero trust gateway 106 may then discard the data packet that failed the verification.
S540, abnormal session information is sent to a zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
Alternatively, the zero trust gateway 106 may send the abnormal session information to the zero trust controller 104. The abnormal session information indicates that the session information corresponding to the data packet to be transmitted is abnormal, and the abnormal session information is used for indicating the zero trust controller 104 to analyze the abnormal session information and send a session termination instruction to the zero trust proxy node 102. The session termination instruction is used for indicating that the session corresponding to the abnormal session information is terminated.
In this embodiment, a data packet that fails to pass the check is determined from the data packets to be transmitted, and abnormal session information is accurately generated according to the data packet that fails to pass the check. And then, the more accurate abnormal session information is sent to the zero trust controller, so that the zero trust controller analyzes the abnormal session information and sends a session termination instruction to the zero trust proxy node, and the abnormal session can be terminated according to the abnormal session information.
In one embodiment, as shown in fig. 6, there is further provided a data transmission method, which is exemplified by the application of the method to the zero trust controller 104 in the zero trust communication network in fig. 1, and includes the following steps:
S620, receiving the user certificate and the user standard session information sent by the zero trust proxy node.
Alternatively, the zero trust controller 104 may receive the user credentials and user standard session information sent by the zero trust proxy node 102. Wherein the user certificate is a certificate issued to the user by a certificate authority (Certificate Authority, CA). The user-standard session information may include, but is not limited to, user-authentic quintuple information. The five-tuple information may generally include a source network address, a source port, a destination network address, a destination port, and a transport layer protocol.
S640, generating a data verification rule according to the user certificate and the user standard session information.
Alternatively, the zero trust controller 104 may perform a certificate verification on the user certificate, generating a certificate verification result. In the case that the certificate verification result is that the certificate verification is passed, the zero trust controller 104 may acquire user standard signature information from the user certificate. Thus, the zero trust controller 104 may generate data verification rules based on the user standard signature information and the user standard session information. Wherein the user standard signature information comprises user public key information and user standard identity information. The user public key information is used to encrypt the user standard identity information. The user standard identity information may comprise the user's actual identity parameters. The data verification rules comprise verification rules corresponding to user standard signature information and verification rules corresponding to user standard session information.
S660, sending a data verification rule to the zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
Optionally, the zero trust controller 104 may send a data verification rule to the zero trust gateway 106, so that the zero trust gateway 106 performs data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result; thus, the zero trust gateway 106 determines whether to transmit the data packet to be transmitted to the database according to the data verification result. The steps of the zero trust gateway 106 for data verification and data transmission are described in the above embodiments, and are not described herein.
In this data transmission method, the user certificate and the user standard session information sent by the zero trust proxy node are received, so that more accurate user certificate and user standard session information can be obtained. Therefore, the data verification rule can be accurately generated according to the accurate user certificate and user standard session information, and the accurate data verification rule can be sent to the zero trust gateway. The zero trust gateway then performs data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result, and determines whether to transmit the data packet to be transmitted to the database according to the data verification result.
In one embodiment, as shown in fig. 7, there is further provided a data transmission method, which is exemplified by the application of the method to the zero trust proxy node 102 in the zero trust communication network in fig. 1, and includes the following steps:
S720, obtaining the user certificate, the user standard session information and the initial data packet.
Alternatively, the zero trust proxy node 102 may obtain the user credentials from the user terminal. The zero trust proxy node 102 may also establish a session connection with the zero trust gateway 106 to generate user standard session information. The zero trust proxy node 102 may also obtain an initial data packet from the user terminal. The initial data packet refers to a data packet to which no check data is added.
S740, sending the user certificate and the user standard session information to the zero trust controller, so that the zero trust controller generates a data check rule based on the user certificate and the user standard session information and sends the data check rule to the zero trust gateway.
Alternatively, the zero trust proxy node 102 may register a user with the zero trust controller 104 to send a user credential to the zero trust controller 104. In addition, because the zero trust proxy node 102 can establish a session connection with the zero trust gateway 106, the zero trust proxy node 102 can perform standard session information verification on the user standard session information through the zero trust gateway 106, and a standard session information verification result is generated. In the case that the standard session information verification result is that the standard session information is verified, the zero trust proxy node 102 may send the verified standard session information to the zero trust controller 104 through the zero trust gateway 106, so that the zero trust controller 104 generates a data verification rule based on the user certificate and the user standard session information, and sends the data verification rule to the zero trust gateway 106.
S760, adding check data into the initial data packet, generating a data packet to be transmitted, and sending the data packet to be transmitted to a zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to a data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
Optionally, as shown in fig. 8, fig. 8 is a schematic structural diagram of a data packet to be transmitted in one embodiment. The initial packet includes a version (typically 4 bits), a header length (typically 4 bits), a service type (typically 8 bits), a total length (typically 16 bits), an identifier (typically 16 bits), flags (typically 3 bits), an offset (typically 13 bits), a time to live (TTL, typically 8 bits, indicating the maximum number of segments the initial packet is allowed to pass through before it is discarded), a protocol (typically 8 bits), a checksum (typically 16 bits), a source network address (typically 32 bits), a destination network address (typically 32 bits), options, data, and the like. The zero trust proxy node 102 may add the check data at the end of the initial data packet to generate the data packet to be transmitted. The verification data includes user session information and user signature information. For example, the user session information may include a session counter field for counting the session information. The user signature information may include a data signature information field, which may typically be a 32-bit field. In addition, the total length of the initial packet needs to be updated to the total length of the packet after the check data is added.
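The repackaging of fig. 8, as an added Python example that is not the patent's own code: a constructed minimal IPv4 packet gets a session counter and the 32-bit data signature field appended after its data, the total length is updated and, because the IPv4 header checksum covers the total length field, the checksum is recomputed too; the gateway-side function checks the length and checksum before splitting the check data off again. The 32-bit counter width and the counter-then-signature order are assumptions.

```python
import socket
import struct

# Check data appended by the proxy node: 32-bit session counter followed by
# the 32-bit data signature field (widths and order are assumptions).
CHECK_DATA_FMT = "!I4s"
CHECK_DATA_LEN = struct.calcsize(CHECK_DATA_FMT)  # 8 bytes


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 for a header whose stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_length_and_checksum(pkt: bytearray, ihl: int, total_len: int) -> None:
    """Write the total length field and refresh the header checksum over the ihl header bytes."""
    struct.pack_into("!H", pkt, 2, total_len)
    struct.pack_into("!H", pkt, 10, 0)
    struct.pack_into("!H", pkt, 10, ipv4_header_checksum(bytes(pkt[:ihl])))


def build_initial_packet(src: str, dst: str, payload: bytes,
                         ttl: int = 64, proto: int = 6) -> bytes:
    """Constructed sample initial packet: 20-byte IPv4 header without options, plus payload."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,    # version 4, header length 5 words
        0,               # service type
        0,               # total length, filled in below
        0x1234,          # identifier (constructed value)
        0,               # flags / offset
        ttl, proto,
        0,               # checksum, filled in below
        socket.inet_aton(src), socket.inet_aton(dst)))
    _set_length_and_checksum(header, 20, 20 + len(payload))
    return bytes(header) + payload


def add_check_data(initial: bytes, session_counter: int, signature: bytes) -> bytes:
    """Proxy-node step S760: append the check data at the end and update the total length."""
    if len(signature) != 4:
        raise ValueError("data signature field must be 32 bits")
    ihl = (initial[0] & 0x0F) * 4
    pkt = bytearray(initial) + struct.pack(CHECK_DATA_FMT, session_counter, signature)
    _set_length_and_checksum(pkt, ihl, len(pkt))
    return bytes(pkt)


def extract_check_data(pkt: bytes):
    """Gateway side: validate length and header checksum, then split the check data off.
    Returns (initial packet with its original total length restored, session_counter, signature)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if total_len != len(pkt) or total_len < ihl + CHECK_DATA_LEN:
        raise ValueError("total length does not match packet size")
    if ipv4_header_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    body_end = total_len - CHECK_DATA_LEN
    session_counter, signature = struct.unpack_from(CHECK_DATA_FMT, pkt, body_end)
    initial = bytearray(pkt[:body_end])
    _set_length_and_checksum(initial, ihl, body_end)
    return bytes(initial), session_counter, signature
```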
The zero trust proxy node 102 may then send the data packet to be transmitted to the zero trust gateway 106. The data packet to be transmitted is used for indicating the zero trust gateway 106 to perform data verification on the verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; the zero trust gateway 106 determines whether to transmit the data packet to be transmitted to the database according to the data verification result. The steps of the zero trust gateway 106 for data verification and data transmission are described in the above embodiments, and are not described herein.
In the data transmission method, more accurate user certificates, user standard session information and initial data packets can be acquired; and sending the more accurate user certificate and user standard session information to the zero trust controller so that the zero trust controller generates a data verification rule based on the more accurate user certificate and user standard session information and sends the data verification rule to the zero trust gateway. And more accurate verification data can be added into the initial data packet to generate a more accurate data packet to be transmitted, and the more accurate data packet to be transmitted is sent to the zero trust gateway. The data transmission method comprises the steps that a more accurate data packet to be transmitted is used for indicating a zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to a data verification rule, and a data verification result is obtained; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
In an alternative embodiment, as shown in fig. 9, a data transmission method is provided, which is applied to a zero trust gateway 106 in a zero trust communication network, and the data transmission method includes:
s902, receiving a data check rule sent by a zero trust controller and a data packet to be transmitted sent by a zero trust proxy node; the data packet to be transmitted is obtained after the zero trust proxy node adds check data into the initial data packet;
s904, determining the network address type of the data packet to be transmitted according to the address information; the network address type comprises a public network address type and a private network address type;
s906, if the network address type of the data packet to be transmitted is the private network address type, the data packet to be transmitted is used as a middle data packet;
s908, if the network address type of the data packet to be transmitted is the public network address type, updating the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, and generating a middle data packet;
s910, performing data verification on session counting information in the intermediate data packet according to a user session information verification rule to generate a first data verification result;
s912, carrying out data verification on user signature information in the intermediate data packet according to the data signature verification rule to generate a second data verification result;
S914, generating a data verification result according to the first data verification result and the second data verification result;
s916, determining whether to transmit the data packet to be transmitted to the database according to the data verification result;
s918, determining a data packet which is not passed by verification from the data packets to be transmitted, and generating abnormal session information according to the data packet which is not passed by verification;
s920, abnormal session information is sent to a zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
Optionally, as shown in fig. 10, fig. 10 is a schematic structural diagram of a communication system corresponding to the zero trust communication network in an embodiment. The zero trust communication network (i.e., zero trust network) corresponds to a communication system 100 that includes a zero trust proxy node 102, a zero trust controller 104, a zero trust gateway 106, and a database. Control flow message data or traffic flow message data may be transmitted between the zero trust proxy node 102 and the zero trust gateway 106 over a communication network; control flow message data may be transferred between the zero trust controller 104 and the zero trust gateway 106; traffic flow message data may be transferred between the zero trust gateway 106 and the database. Control flow message data refers to messages carrying a certain command, and traffic flow message data refers to messages carrying a certain action or transaction. The zero trust proxy node 102 may perform data signing (i.e., adding verification information) on the initial data packet, generate a data packet to be transmitted, and send the data packet to be transmitted to the zero trust gateway 106. The process of data signing may include a PKI (public key infrastructure) digital signing process, among others. The zero trust gateway 106 may perform data verification on the data packet to be transmitted to generate a data verification result.
Optionally, as shown in fig. 11, fig. 11 is a schematic flow chart of data verification and data transmission in the zero trust communication network in one embodiment. S1102, the zero trust proxy node 102 may obtain the user certificate and may perform user registration with the zero trust controller 104 to send the user certificate to the zero trust controller 104. S1104, the zero trust controller 104 may receive the user certificate sent by the zero trust proxy node 102, and perform certificate verification on the user certificate to generate a certificate verification result. In the case that the certificate verification result is that the certificate verification is passed, the zero trust controller 104 may acquire user standard signature information from the user certificate. S1106, the zero trust proxy node 102 may also establish a session connection with the zero trust gateway 106 to generate user standard session information. The zero trust proxy node 102 may then perform standard session information verification on the user standard session information through the zero trust gateway 106, and generate a standard session information verification result. S1108, in the case that the standard session information verification result is that the standard session information verification is passed, the zero trust proxy node 102 may send the verified standard session information to the zero trust controller 104 through the zero trust gateway 106. S1110, the zero trust controller 104 may generate a data verification rule according to the user standard signature information and the user standard session information. S1112, the zero trust controller 104 may send the data verification rule to the zero trust gateway 106.
Still with reference to fig. 11, S1114, the zero trust proxy node 102 may further obtain an initial data packet from the user terminal and may append check data to the end of the initial data packet to generate a data packet to be transmitted. S1116, the zero trust proxy node 102 may then send the data packet to be transmitted to the zero trust gateway 106. The zero trust gateway 106 receives the data verification rule sent by the zero trust controller 104 and the data packet to be transmitted sent by the zero trust proxy node 102, and determines the network address type of the data packet to be transmitted according to the address information in the check data; the network address types include a public network address type and a private network address type. S1118, if the network address type of the data packet to be transmitted is the private network address type, the data packet to be transmitted is used as the intermediate data packet unchanged; the session counting information in the intermediate data packet is verified according to the user session information verification rule to generate a first data verification result; the user signature information in the intermediate data packet is verified according to the data signature verification rule to generate a second data verification result; and the data verification result is generated according to the first data verification result and the second data verification result.
Referring to fig. 11, S1120, if the network address type of the data packet to be transmitted is the public network address type, the source network address in the data packet to be transmitted is updated to the public network address corresponding to the data packet to be transmitted, generating the intermediate data packet; the session counting information in the intermediate data packet is verified according to the user session information verification rule to generate a first data verification result; the user signature information in the intermediate data packet is verified according to the data signature verification rule to generate a second data verification result; and the data verification result is generated according to the first data verification result and the second data verification result. S1122, if the data verification result is that the verification passed, the zero trust gateway 106 may transmit the data packet to be transmitted that passed verification to the database. S1124, if the data verification result is that the verification did not pass, the zero trust gateway 106 may determine the data packet that failed verification from among the data packets to be transmitted, generate abnormal session information according to the failed data packet, and send the abnormal session information to the zero trust controller 104. The zero trust gateway 106 may also discard the data packets that failed verification. S1126, the zero trust controller 104 may analyze the abnormal session information and send a session termination instruction to the zero trust proxy node 102, so that the zero trust proxy node 102 terminates the session according to the session termination instruction.
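As an added illustration of steps S1110 to S1126 (editor-written example code in Go, not the patent's implementation), the following models the three roles on constructed data. Everything not stated in the patent is an assumption of this example: the user signature information is an ed25519 signature over the payload, session id and session counter; the signature deliberately does not cover the source address, so that the gateway's rewrite of a public source address (S1120) cannot invalidate it; the user session information verification rule is modelled as "the counter must equal the next expected count"; the public network address corresponding to a packet is the address recorded for its session when the session was established; and certificate verification (S1104) is reduced to handing the controller the user's public key. The names Packet, Rule, Proxy, Gateway, Intermediate, Verify and Scenario are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Packet: initial payload plus appended check data (session info and signature info).
type Packet struct {
	Payload   []byte
	SrcAddr   net.IP // session info: sending address
	SessionID uint32 // session info
	Counter   uint32 // session info: session counting information
	Signature []byte // user signature information
}

// Rule is one session's entry in the data verification rule (assumed layout).
type Rule struct {
	PublicAddr  net.IP            // session rule: public address recorded at session setup
	NextCounter uint32            // session rule: next session count the gateway expects
	PubKey      ed25519.PublicKey // signature rule: user's key, taken from the user certificate
}

// signedBytes leaves the source address out, since the gateway may rewrite it (S1120).
func signedBytes(payload []byte, sessionID, counter uint32) []byte {
	b := binary.BigEndian.AppendUint32(append([]byte{}, payload...), sessionID)
	return binary.BigEndian.AppendUint32(b, counter)
}

// Proxy models the zero trust proxy node; Sign is its data signing step (S1114).
type Proxy struct {
	priv      ed25519.PrivateKey
	srcAddr   net.IP
	sessionID uint32
	counter   uint32
}

func (px *Proxy) Sign(payload []byte) *Packet {
	px.counter++ // one fresh session count per packet
	sig := ed25519.Sign(px.priv, signedBytes(payload, px.sessionID, px.counter))
	return &Packet{payload, px.srcAddr, px.sessionID, px.counter, sig}
}

// Gateway holds the rules pushed by the controller (S1112) and its abnormal session reports (S1124).
type Gateway struct {
	Rules    map[uint32]*Rule
	Abnormal []string
}

// Intermediate applies S1118/S1120: keep a private source address, replace a public one.
func Intermediate(p *Packet, rule *Rule) Packet {
	mid := *p
	if !p.SrcAddr.IsPrivate() {
		mid.SrcAddr = rule.PublicAddr
	}
	return mid
}

// Verify passes a packet only when both the session check and the signature check pass.
func (g *Gateway) Verify(p *Packet) bool {
	rule := g.Rules[p.SessionID]
	if rule == nil {
		g.Abnormal = append(g.Abnormal, fmt.Sprintf("session %d: no rule", p.SessionID))
		return false
	}
	mid := Intermediate(p, rule)
	first := mid.Counter == rule.NextCounter // exact next count: rejects replays and gaps
	second := ed25519.Verify(rule.PubKey, signedBytes(mid.Payload, mid.SessionID, mid.Counter), mid.Signature)
	if first && second {
		rule.NextCounter++ // advance only once the whole packet has passed
		return true
	}
	g.Abnormal = append(g.Abnormal, fmt.Sprintf("session %d from %s: session ok=%t signature ok=%t", mid.SessionID, mid.SrcAddr, first, second))
	return false
}

// Scenario (constructed data): a genuine packet, a replay of it, and a packet altered after signing.
func Scenario() (valid, replay, tampered bool, abnormal int) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Controller side (S1110): the rule combines the user's public key with the session info.
	gw := &Gateway{Rules: map[uint32]*Rule{7: {net.ParseIP("203.0.113.10"), 1, pub}}}
	px := &Proxy{priv: priv, srcAddr: net.ParseIP("10.0.0.5"), sessionID: 7}
	p := px.Sign([]byte("amount=10"))
	valid = gw.Verify(p)
	replay = gw.Verify(p) // same count again: first check fails
	q := px.Sign([]byte("amount=10"))
	q.Payload = []byte("amount=9999") // changed after signing: second check fails
	tampered = gw.Verify(q)
	return valid, replay, tampered, len(gw.Abnormal)
}

func main() {
	valid, replay, tampered, n := Scenario()
	fmt.Printf("valid=%t replay=%t tampered=%t abnormal=%d\n", valid, replay, tampered, n)
}
```

Running it prints valid=true replay=false tampered=false abnormal=2: the replayed packet fails the first (session) check, the altered packet fails the second (signature) check, and each failure produces one abnormal session report of the kind the gateway forwards to the controller (S1124), which would then terminate the session (S1126). The exact-next-count rule is the strictest reading of "session counting information": a single lost packet stalls the session until it is re-established, which a real deployment would relax with a window.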
In the data transmission method, the zero trust proxy node in the embodiment of the application can perform data signing on the initial data packet, that is, add user session information and user signature information to the initial data packet to obtain the repackaged data packet to be transmitted. The zero trust controller in the embodiment of the application can generate a more accurate data verification rule. Therefore, the zero trust gateway can receive the more accurate data verification rule sent by the zero trust controller and the repackaged data packet to be transmitted sent by the zero trust proxy node, and verify the user session information and the user signature information in the repackaged data packet according to that rule, obtaining a more accurate data verification result. Whether the data packet to be transmitted is forwarded to the database can then be decided according to this more accurate data verification result. Because the application verifies the check data in the repackaged data packet to be transmitted according to the more accurate data verification rule and only forwards the data packets that pass verification, the security of the data transmission process is improved.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a data transmission device for implementing the data transmission method described above. The implementation of the solution provided by the device is similar to the implementation described for the method above, so for the specific limitations of the one or more embodiments of the data transmission device provided below, reference may be made to the limitations of the data transmission method above; they are not repeated here.
In one embodiment, as shown in fig. 12, there is provided a data transmission apparatus 1200 applied to a zero trust gateway in a zero trust communication network, including: a data packet to be transmitted receiving module 1220, a data checking module 1240 and a data transmitting module 1260, wherein:
The data packet to be transmitted receiving module 1220 is configured to receive the data check rule sent by the zero trust controller and the data packet to be transmitted sent by the zero trust proxy node; the data packet to be transmitted is obtained after the zero trust proxy node adds the check data to the initial data packet.
The data verification module 1240 is configured to perform data verification on the verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result.
The data transmission module 1260 is configured to determine whether to transmit the data packet to be transmitted to the database according to the data verification result.
In one embodiment, the verification data includes user session information and user signature information; the user session information indicates the sending address information and the session counting information generated in the process of establishing the session connection with the zero trust proxy node, the user signature information indicates the identity parameters of the user sending the initial data packet, and the data verification rule includes a user session information verification rule and a data signature verification rule; the data verification module 1240 includes:
The first data verification result generation unit is used for carrying out data verification on the user session information in the data packet to be transmitted according to the user session information verification rule to generate a first data verification result;
the second data verification result generation unit is used for carrying out data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule to generate a second data verification result;
the data verification unit is used for generating a data verification result according to the first data verification result and the second data verification result.
In one embodiment, the first data check result generating unit includes:
a network address type determining subunit, configured to determine a network address type of a data packet to be transmitted according to the address information; the network address type comprises a public network address type and a private network address type;
the intermediate data packet generation subunit is used for determining whether the source network address in the data packet to be transmitted needs to be updated according to the network address type of the data packet to be transmitted, and generating an intermediate data packet;
and the first data verification result generation subunit is used for carrying out data verification on the session counting information in the intermediate data packet according to the user session information verification rule to generate a first data verification result.
In one embodiment, the intermediate data packet generation subunit comprises:
the first intermediate data packet generation subunit is configured to take the data packet to be transmitted as an intermediate data packet when the network address type of the data packet to be transmitted is a private network address type;
and the second intermediate data packet generation subunit, configured to update the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted when the network address type of the data packet to be transmitted is the public network address type, so as to generate the intermediate data packet.
In one embodiment, the second data check result generation unit includes:
and the second data verification result generation subunit is used for carrying out data verification on the user signature information in the intermediate data packet according to the data signature verification rule to generate a second data verification result.
In one embodiment, the data transmission apparatus 1200 further includes:
the abnormal session information generation module is used for determining a data packet which fails to pass the verification from the data packets to be transmitted and generating abnormal session information according to the data packet which fails to pass the verification;
the abnormal session information sending module is used for sending the abnormal session information to the zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
In one embodiment, as shown in fig. 13, there is further provided a data transmission apparatus 1300, applied to a zero-trust controller in a zero-trust communication network, including: an information receiving module 1320, a data check rule generating module 1340, and a data check rule transmitting module 1360, wherein:
the information receiving module 1320 is configured to receive a user certificate and user standard session information sent by the zero trust proxy node.
The data verification rule generating module 1340 is configured to generate a data verification rule according to the user certificate and the user standard session information.
The data check rule sending module 1360 is configured to send the data check rule to the zero trust gateway; the data check rule instructs the zero trust gateway to perform data verification on the verification data in the data packet to be transmitted according to the data check rule to obtain a data verification result, and to determine whether to transmit the data packet to be transmitted to the database according to the data verification result.
In one embodiment, as shown in fig. 14, there is further provided a data transmission apparatus 1400, applied in a zero-trust proxy node in a zero-trust communication network, comprising: an information acquisition module 1420, an information transmission data verification module 1440, and a data packet to be transmitted generation module 1460, wherein:
The information acquisition module 1420 is configured to acquire the user certificate, the user standard session information, and the initial data packet.
The information sending data verification module 1440 is configured to send the user certificate and the user standard session information to the zero trust controller, so that the zero trust controller generates a data verification rule based on the user certificate and the user standard session information and sends the data verification rule to the zero trust gateway.
The data packet to be transmitted generation module 1460 is configured to add check data to the initial data packet to generate the data packet to be transmitted, and to send the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted instructs the zero trust gateway to perform data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result, and to determine whether to transmit the data packet to be transmitted to the database according to the data verification result.
The respective modules in the above data transmission apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the above modules.
Fig. 15 is a schematic structural diagram of a zero trust gateway according to an embodiment of the present invention. The zero trust gateway 1500 shown in fig. 15 includes: at least one processor 1501, memory 1502, at least one network interface 1504. The various components in the zero trust gateway 1500 are coupled together by a bus system 1505. It is appreciated that bus system 1505 is used to implement the connected communication between these components. Bus system 1505 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 1505 in FIG. 15. In addition, in embodiments of the present invention, a transceiver 1506 is also included, which may be a plurality of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium.
It will be appreciated that the memory 1502 in embodiments of the invention can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory, among others. The volatile memory may be a random access memory (Random Access Memory, RAM) that acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (Static RAM, SRAM), dynamic RAM (Dynamic RAM, DRAM), synchronous DRAM (Synchronous DRAM, SDRAM), double data rate SDRAM (Double Data Rate SDRAM, DDR SDRAM), enhanced SDRAM (Enhanced SDRAM, ESDRAM), synchlink DRAM (Synchlink DRAM, SLDRAM), and direct Rambus RAM (Direct Rambus RAM, DRRAM). The memory 1502 of the systems and methods described in embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In some implementations, the memory 1502 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof: operating system 1502a. The operating system 1502a includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks.
In the embodiment of the present invention, by calling a program or an instruction stored in the memory 1502, the receiver is enabled to receive a data check rule sent by the zero trust controller and a data packet to be transmitted sent by the zero trust proxy node; the data packet to be transmitted is obtained after the zero trust proxy node adds check data into the initial data packet; a processor 1501, configured to perform data verification on verification data in a data packet to be transmitted according to a data verification rule, to obtain a data verification result; and the transmitter is used for determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
Some or all of the methods disclosed in the embodiments of the present invention may also be applied to the processor 1501, or implemented by the processor 1501 in conjunction with other elements (e.g., the transceiver). The processor 1501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware in the processor 1501 or by instructions in the form of software. The processor 1501 may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as a random access memory, a flash memory, a read only memory, a programmable read only memory or an electrically erasable programmable memory, or registers. The storage medium is located in the memory 1502, and the processor 1501 reads the information in the memory 1502 and, in combination with its hardware, performs the steps of the method described above.
It is to be understood that the embodiments of the application described herein may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more application specific integrated circuits (Application Specific Integrated Circuits, ASIC), digital signal processors (Digital Signal Processing, DSP), digital signal processing devices (DSP Device, DSPD), programmable logic devices (Programmable Logic Device, PLD), field programmable gate arrays (Field-Programmable Gate Array, FPGA), general purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions of the application, or a combination thereof.
For a software implementation, the techniques of embodiments of the present application may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions of embodiments of the present application. The software codes may be stored in memory and executed by the processor 1501. The memory may be implemented within the processor 1501 or external to the processor 1501.
In one embodiment, the verification data includes user session information and user signature information; the user session information indicates the sending address information and the session counting information generated in the process of establishing the session connection with the zero trust proxy node, the user signature information indicates the identity parameters of the user sending the initial data packet, and the data verification rule includes a user session information verification rule and a data signature verification rule; the processor is specifically configured to perform data verification on the user session information in the data packet to be transmitted according to the user session information verification rule to generate a first data verification result; to perform data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule to generate a second data verification result; and to generate the data verification result according to the first data verification result and the second data verification result.
In one embodiment, the processor is further configured to determine a network address type of the data packet to be transmitted according to the address information; the network address type comprises a public network address type and a private network address type; determining whether the source network address in the data packet to be transmitted needs to be updated according to the network address type of the data packet to be transmitted, and generating a middle data packet; and carrying out data verification on the session counting information in the intermediate data packet according to the user session information verification rule, and generating a first data verification result.
In one embodiment, the processor is further configured to use the data packet to be transmitted as a middle data packet if the network address type of the data packet to be transmitted is a private network address type; if the network address type of the data packet to be transmitted is the public network address type, updating the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, and generating a middle data packet.
In one embodiment, the processor is further configured to perform data verification on the user signature information in the intermediate data packet according to the data signature verification rule, and generate a second data verification result.
In one embodiment, the processor is further configured to determine a packet that fails to pass the check from the packets to be transmitted, and generate abnormal session information according to the packet that fails to pass the check; the transmitter is also used for transmitting the abnormal session information to the zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
Fig. 16 is a schematic structural diagram of a zero trust controller according to an embodiment of the present invention. The zero trust controller 1600 shown in fig. 16 includes: at least one processor 1601, memory 1602, at least one network interface 1604. The various components in the zero trust controller 1600 are coupled together by a bus system 1605. It is appreciated that the bus system 1605 is used to enable connected communications between these components. The bus system 1605 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration, the various buses are labeled as bus system 1605 in fig. 16. In addition, in embodiments of the present invention, a transceiver 1606 is also included, which may be a plurality of elements, i.e., including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium.
It is to be appreciated that the memory 1602 in embodiments of the present invention may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory, among others. The volatile memory may be a random access memory (Random Access Memory, RAM) that acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (Static RAM, SRAM), dynamic RAM (Dynamic RAM, DRAM), synchronous DRAM (Synchronous DRAM, SDRAM), double data rate SDRAM (Double Data Rate SDRAM, DDR SDRAM), enhanced SDRAM (Enhanced SDRAM, ESDRAM), synchlink DRAM (Synchlink DRAM, SLDRAM), and direct Rambus RAM (Direct Rambus RAM, DRRAM). The memory 1602 of the systems and methods described by embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In some implementations, the memory 1602 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof: operating system 1602a. The operating system 1602a includes various system programs, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks.
In the embodiment of the present invention, the receiver is enabled to receive the user certificate and the user standard session information sent by the zero trust proxy node by calling the program or the instruction stored in the memory 1602; a processor 1601, configured to generate a data verification rule according to the user certificate and the user standard session information; the transmitter is used for transmitting the data verification rule to the zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
Some or all of the methods disclosed in the embodiments of the present invention described above may also be implemented in the processor 1601, or by the processor 1601 in conjunction with other elements (e.g., the transceiver). The processor 1601 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry of hardware in the processor 1601 or by instructions in the form of software. The processor 1601 may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software modules may be located in a storage medium well known in the art, such as a random access memory, a flash memory, a read only memory, a programmable read only memory or an electrically erasable programmable memory, or registers. The storage medium is located in the memory 1602, and the processor 1601 reads the information in the memory 1602 and, in combination with its hardware, performs the steps of the method described above.
It is to be understood that the embodiments of the application described herein may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more application specific integrated circuits (Application Specific Integrated Circuits, ASIC), digital signal processors (Digital Signal Processing, DSP), digital signal processing devices (DSP Device, DSPD), programmable logic devices (Programmable Logic Device, PLD), field programmable gate arrays (Field-Programmable Gate Array, FPGA), general purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions of the application, or a combination thereof.
For a software implementation, the techniques of embodiments of the present application may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions of embodiments of the present application. The software codes may be stored in memory and executed by the processor 1601. The memory may be implemented within the processor 1601 or external to the processor 1601.
Fig. 17 is a schematic structural diagram of a zero trust proxy node according to an embodiment of the present application. Zero trust proxy node 1700 shown in fig. 17 comprises: at least one processor 1701, memory 1702, at least one network interface 1704. The various components in zero trust proxy node 1700 are coupled together via bus system 1705. It is appreciated that the bus system 1705 is used to facilitate connected communications between these components. The bus system 1705 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration, the various buses are labeled as bus system 1705 in fig. 17. In addition, in embodiments of the present application, a transceiver 1706 is also included, which may be a plurality of elements, i.e., including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium.
It is to be appreciated that the memory 1702 in embodiments of the present invention can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), or a flash memory, among others. The volatile memory may be a random access memory (Random Access Memory, RAM) that acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (Static RAM, SRAM), dynamic RAM (Dynamic RAM, DRAM), synchronous DRAM (Synchronous DRAM, SDRAM), double data rate SDRAM (Double Data Rate SDRAM, DDR SDRAM), enhanced SDRAM (Enhanced SDRAM, ESDRAM), synchlink DRAM (Synchlink DRAM, SLDRAM), and direct Rambus RAM (Direct Rambus RAM, DRRAM). The memory 1702 of the systems and methods described in embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
In some implementations, the memory 1702 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof: operating system 1702a. The operating system 1702a includes various system programs, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks.
In the embodiment of the present invention, the receiver is enabled to acquire the user certificate, the user standard session information and the initial data packet by calling the program or the instruction stored in the memory 1702; the transmitter is used for transmitting the user certificate and the user standard session information to the zero trust controller so that the zero trust controller generates a data check rule based on the user certificate and the user standard session information and transmits the data check rule to the zero trust gateway; the processor 1701 and the transmitter are used for adding check data to the initial data packet, generating a data packet to be transmitted, and transmitting the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to a data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to the database according to the data verification result.
Some or all of the methods disclosed in the embodiments of the present invention described above may also be applied to the processor 1701, or implemented by the processor 1701 in conjunction with other elements (e.g., a transceiver). The processor 1701 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the methods described above may be performed by integrated logic circuitry in hardware or by software instructions in the processor 1701. The processor 1701 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. Such a processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 1702, and the processor 1701 reads information in the memory 1702 and performs the steps of the method described above in conjunction with its hardware.
It is to be understood that the embodiments of the application described herein may be implemented in hardware, software, firmware, middleware, microcode, or a combination thereof. For a hardware implementation, the processing units may be implemented within one or more Application Specific Integrated Circuits (ASIC), Digital Signal Processors (DSP), Digital Signal Processing Devices (DSPD), Programmable Logic Devices (PLD), Field-Programmable Gate Arrays (FPGA), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units for performing the functions of the application, or a combination thereof.
For a software implementation, the techniques of embodiments of the present application may be implemented with modules (e.g., procedures, functions, and so on) that perform the functions of embodiments of the present application. The software codes may be stored in memory and executed by the processor 1701. The memory may be implemented within the processor 1701 or external to the processor 1701.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded nonvolatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (15)

1. A data transmission method, applied to a zero-trust gateway in a zero-trust communication network, the method comprising:
receiving a data verification rule sent by a zero trust controller and a data packet to be transmitted sent by a zero trust proxy node; the data verification rule is generated according to user public key information, user standard identity information and user standard session information; the data packet to be transmitted is obtained by adding check data into the initial data packet by the zero trust proxy node; the verification data comprises user session information and user signature information;
Performing data verification on verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result;
and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
2. The method according to claim 1, wherein the user session information is used for indicating the sending address information and the session count information generated in the process of establishing a session connection with the zero trust proxy node, the user signature information is used for indicating identity parameters of a user sending the initial data packet, and the data verification rules comprise a user session information verification rule and a data signature verification rule; and the performing data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result comprises:
performing data verification on the user session information in the data packet to be transmitted according to the user session information verification rule to generate a first data verification result;
performing data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule to generate a second data verification result;
And generating the data verification result according to the first data verification result and the second data verification result.
3. The method of claim 2, wherein the performing data verification on the user session information in the data packet to be transmitted according to the user session information verification rule, to generate a first data verification result, includes:
determining the network address type of the data packet to be transmitted according to the address information; the network address type comprises a public network address type and a private network address type;
determining, according to the network address type of the data packet to be transmitted, whether the source network address in the data packet to be transmitted needs to be updated, and generating an intermediate data packet;
and carrying out data verification on the session counting information in the intermediate data packet according to the user session information verification rule, and generating the first data verification result.
4. A method according to claim 3, wherein the determining whether the source network address in the data packet to be transmitted needs to be updated according to the network address type of the data packet to be transmitted, and generating the intermediate data packet includes:
if the network address type of the data packet to be transmitted is the private network address type, using the data packet to be transmitted as the intermediate data packet;
And if the network address type of the data packet to be transmitted is the public network address type, updating the source network address in the data packet to be transmitted to the public network address corresponding to the data packet to be transmitted, and generating the intermediate data packet.
5. The method according to claim 3 or 4, wherein the performing data verification on the user signature information in the data packet to be transmitted according to the data signature verification rule, to generate a second data verification result, includes:
and carrying out data verification on the user signature information in the intermediate data packet according to the data signature verification rule, and generating the second data verification result.
6. The method according to any one of claims 1-4, further comprising:
determining a data packet which fails to pass the verification from the data packets to be transmitted, and generating abnormal session information according to the data packet which fails to pass the verification;
sending the abnormal session information to the zero trust controller; the abnormal session information is used for indicating the zero trust controller to analyze the abnormal session information and sending a session termination instruction to the zero trust proxy node.
7. A data transmission method for use in a zero-trust controller in a zero-trust communication network, the method comprising:
receiving user certificates and user standard session information sent by a zero trust proxy node;
under the condition that the user certificate passes verification, user standard signature information is obtained from the user certificate; the user standard signature information comprises user public key information and user standard identity information;
generating a data verification rule according to the user public key information, the user standard identity information and the user standard session information;
sending the data verification rule to a zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
8. A data transmission method, applied to a zero trust proxy node in a zero trust communication network, the method comprising:
acquiring a user certificate, user standard session information and an initial data packet;
Transmitting the user certificate and the user standard session information to a zero trust controller, so that the zero trust controller obtains user standard signature information from the user certificate under the condition that the user certificate passes verification; the user standard signature information comprises user public key information and user standard identity information; generating a data verification rule according to the user public key information, the user standard identity information and the user standard session information, and sending the data verification rule to a zero trust gateway;
adding check data into the initial data packet, generating a data packet to be transmitted, and sending the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; determining whether to transmit the data packet to be transmitted to a database according to the data verification result; the verification data includes user session information and user signature information.
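The following Go program is an added illustration of the three roles in claims 1 to 8 and is not code from the patent or from China Telecom: ProxySeal plays the proxy node (adds session and signature check data to the initial packet), ControllerRule plays the controller (binds the user public key and identity to the standard session information), and GatewayVerify plays the gateway (address type handling from claims 3 and 4, session and signature checks from claims 2 and 5, forwarding decision and abnormal session information from claims 1 and 6). The packet layout, the Ed25519 signature scheme, the strictly increasing session count, and the way a public source address is mapped to the session are assumptions of this example, not details fixed by the claims.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

// Packet is a constructed stand-in for the "data packet to be transmitted": initial packet plus check data.
type Packet struct {
	Payload      []byte
	SrcAddr      string // user session information: address information
	SessionCount uint64 // user session information: session count information
	UserID       string // user signature information: identity parameter
	Signature    []byte // user signature information: signature over signedBytes
}

// VerifyRule is the data verification rule the controller derives from the public key, identity and session info.
type VerifyRule struct {
	PublicKey ed25519.PublicKey
	UserID    string
	StdAddr   string // private address recorded when the session was established
	PubAddr   string // public address recorded for the session (assumption of this example)
	LastCount uint64 // highest session count accepted so far (assumption: counts must increase)
}

// Result is the data verification result the gateway acts on.
type Result struct {
	Forward  bool   // true: pass the packet on to the database
	Abnormal string // abnormal session information for the controller, empty if none
}

// signedBytes is the byte string the user signature covers (assumed layout). The source address is
// left out so the gateway's rewrite (claim 4) cannot invalidate it; UserID is length-prefixed (max 255 bytes).
func signedBytes(p *Packet) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, p.SessionCount)
	b = append(b, byte(len(p.UserID)))
	b = append(b, p.UserID...)
	return append(b, p.Payload...)
}

// ProxySeal plays the zero trust proxy node: add check data to the initial packet and sign it.
func ProxySeal(priv ed25519.PrivateKey, userID, src string, count uint64, payload []byte) *Packet {
	p := &Packet{Payload: payload, SrcAddr: src, SessionCount: count, UserID: userID}
	p.Signature = ed25519.Sign(priv, signedBytes(p))
	return p
}

// ControllerRule plays the zero trust controller: after the certificate check (not modelled here) it
// binds the public key and identity taken from the certificate to the standard session information.
func ControllerRule(pub ed25519.PublicKey, userID, stdAddr, pubAddr string) *VerifyRule {
	return &VerifyRule{PublicKey: pub, UserID: userID, StdAddr: stdAddr, PubAddr: pubAddr}
}

// GatewayVerify plays the zero trust gateway: address handling, session check, signature check, decision.
func GatewayVerify(rule *VerifyRule, p *Packet) Result {
	fail := func(reason string) Result {
		return Result{Abnormal: fmt.Sprintf("user=%s src=%s count=%d reason=%s",
			p.UserID, p.SrcAddr, p.SessionCount, reason)}
	}
	ip := net.ParseIP(p.SrcAddr)
	if ip == nil {
		return fail("unparseable source address")
	}
	// Claims 3 and 4: intermediate packet. A private source is kept; a public one is replaced by the
	// public address recorded for the session (how that address is looked up is an assumption here).
	inter := *p
	if !ip.IsPrivate() {
		inter.SrcAddr = rule.PubAddr
	}
	// User session information verification rule: source bound to the session, count strictly fresh.
	if inter.SrcAddr != rule.StdAddr && inter.SrcAddr != rule.PubAddr {
		return fail("source address not bound to session")
	}
	if inter.SessionCount <= rule.LastCount {
		return fail("session count not increasing (replayed or stale packet)")
	}
	// Claim 5: data signature verification rule, applied to the intermediate packet.
	if inter.UserID != rule.UserID {
		return fail("identity does not match rule")
	}
	if !ed25519.Verify(rule.PublicKey, signedBytes(&inter), inter.Signature) {
		return fail("user signature does not verify")
	}
	rule.LastCount = inter.SessionCount
	return Result{Forward: true}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rule := ControllerRule(pub, "user-42", "192.168.1.10", "203.0.113.5")
	fmt.Println(GatewayVerify(rule, ProxySeal(priv, "user-42", "192.168.1.10", 1, []byte("initial payload"))).Forward)
}
```

A packet that fails any check yields Abnormal text instead of Forward, which is what the gateway would report to the controller under claim 6.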
9. A data transmission apparatus for use in a zero trust gateway in a zero trust communication network, the apparatus comprising:
The data packet to be transmitted receiving module is used for receiving a data check rule sent by the zero trust controller and a data packet to be transmitted sent by the zero trust proxy node; the data verification rule is generated according to user public key information, user standard identity information and user standard session information; the data packet to be transmitted is obtained by adding check data into the initial data packet by the zero trust proxy node; the verification data comprises user session information and user signature information;
the data verification module is used for carrying out data verification on the verification data in the data packet to be transmitted according to the data verification rule to obtain a data verification result;
and the data transmission module is used for determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
10. A data transmission apparatus for use in a zero trust controller in a zero trust communication network, the apparatus comprising:
the information receiving module is used for receiving the user certificate and the user standard session information sent by the zero trust proxy node;
under the condition that the user certificate passes verification, user standard signature information is obtained from the user certificate; the user standard signature information comprises user public key information and user standard identity information;
The data verification rule generation module is used for generating a data verification rule according to the user public key information, the user standard identity information and the user standard session information;
the data verification rule sending module is used for sending the data verification rule to the zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
11. A data transmission apparatus for use in a zero trust proxy node in a zero trust communication network, the apparatus comprising:
the information acquisition module is used for acquiring the user certificate, the user standard session information and the initial data packet;
the information sending data verification module is used for sending the user certificate and the user standard session information to a zero trust controller so that the zero trust controller can acquire the user standard signature information from the user certificate under the condition that the user certificate passes verification; the user standard signature information comprises user public key information and user standard identity information; generating a data verification rule according to the user public key information, the user standard identity information and the user standard session information, and sending the data verification rule to a zero trust gateway;
The data packet to be transmitted generating module is used for adding check data into the initial data packet, generating a data packet to be transmitted and sending the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; determining whether to transmit the data packet to be transmitted to a database according to the data verification result; the verification data includes user session information and user signature information.
12. A zero trust gateway comprising a transceiver, a processor and a memory, the memory storing a computer program, characterized in that the processor executes the computer program for performing the steps of the method according to any of claims 1 to 6.
13. A zero trust controller comprising a transceiver, a processor and a memory, said memory storing a computer program, wherein said processor executes said computer program for controlling said transceiver to receive user credentials and user standard session information sent by a zero trust proxy node;
for acquiring user standard signature information from the user certificate under the condition that the user certificate passes verification; the user standard signature information comprises user public key information and user standard identity information;
for controlling the processor to generate a data verification rule according to the user public key information, the user standard identity information and the user standard session information;
for controlling the transceiver to send the data verification rule to a zero trust gateway; the data verification rule is used for indicating the zero trust gateway to carry out data verification on verification data in a data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; and determining whether to transmit the data packet to be transmitted to a database according to the data verification result.
14. A zero trust proxy node comprising a transceiver, a processor and a memory, said memory storing a computer program, wherein said processor executes said computer program for controlling said transceiver to obtain a user certificate, user standard session information and an initial data packet;
the user authentication system comprises a transceiver, a zero trust controller and a user authentication module, wherein the transceiver is used for controlling the transceiver to send the user authentication and the user standard session information to the zero trust controller, so that the zero trust controller obtains user standard signature information from the user authentication under the condition that the user authentication passes; the user standard signature information comprises user public key information and user standard identity information; generating a data verification rule according to the user public key information, the user standard identity information and the user standard session information, and sending the data verification rule to a zero trust gateway;
The zero trust gateway is used for controlling the processor and the transceiver to add check data into the initial data packet, generating a data packet to be transmitted and sending the data packet to be transmitted to the zero trust gateway; the data packet to be transmitted is used for indicating the zero trust gateway to perform data verification on verification data in the data packet to be transmitted according to the data verification rule, so as to obtain a data verification result; determining whether to transmit the data packet to be transmitted to a database according to the data verification result; the verification data includes user session information and user signature information.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 8.
CN202310913190.5A 2023-07-25 2023-07-25 Data transmission method, apparatus, computer device, storage medium, and program product Active CN116633698B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310913190.5A CN116633698B (en) 2023-07-25 2023-07-25 Data transmission method, apparatus, computer device, storage medium, and program product

Publications (2)

Publication Number Publication Date
CN116633698A CN116633698A (en) 2023-08-22
CN116633698B true CN116633698B (en) 2023-10-31

Family

ID=87617455

Country Status (1)

Country Link
CN (1) CN116633698B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246574A (en) * 2012-02-10 2013-08-14 阿里巴巴集团控股有限公司 Verification method and verification device for data accuracy
CN105930409A (en) * 2016-04-18 2016-09-07 深圳市永兴元科技有限公司 Data verification method and device based on dynamic generation rule
CN111428132A (en) * 2020-03-18 2020-07-17 腾讯科技(深圳)有限公司 Data verification method and device, computer storage medium and electronic equipment
CN113507434A (en) * 2021-05-28 2021-10-15 清华大学 Data security transmission method, node and system in communication network
WO2021249356A1 (en) * 2020-06-10 2021-12-16 苏宁易购集团股份有限公司 Form data verification method, system, server, and user terminal
CN113885876A (en) * 2021-10-09 2022-01-04 北京沃东天骏信息技术有限公司 Parameter checking method, device, storage medium and computer system
CN113992354A (en) * 2021-09-28 2022-01-28 新华三信息安全技术有限公司 Identity authentication method, device, equipment and machine readable storage medium
CN114003432A (en) * 2021-09-28 2022-02-01 济南浪潮数据技术有限公司 Parameter checking method and device, computer equipment and storage medium
CN115701019A (en) * 2021-07-14 2023-02-07 腾讯科技(深圳)有限公司 Access request processing method and device of zero trust network and electronic equipment
CN116471586A (en) * 2022-01-12 2023-07-21 腾讯科技(深圳)有限公司 Data processing method, device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant