CN104486289A - Data one-way transmission method and system - Google Patents
- Publication number: CN104486289A (application number CN201410601381.9A)
- Authority: CN (China)
- Prior art keywords: data, packet, intranet, middle machine, outer net
- Legal status: Granted
Classifications
- H04L63/0281: Proxies (under H04L63/02, network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention provides a data one-way transmission method and system. The method comprises the following steps: an external network terminal downloads a packet to be transmitted from the external network, performs an encryption transformation on the packet at the data link layer through an intermediate driver to obtain a first packet, and sends the first packet to an intermediate machine over the external network connection; after the intermediate machine receives the first packet, it switches its network connection from the external network connection to the internal network connection, decrypts the first packet with the intermediate driver to recover the packet to be transmitted, and forwards that packet to the internal network server over the internal network connection. Because the intermediate machine switches from the external network connection to the internal network connection only after receiving the first packet, data is transmitted from the external network to the internal network; because the intermediate driver is installed on the external network terminal and on the intermediate machine but not on the internal network server, data sent by the internal network server to the intermediate machine cannot be recognised, which guarantees that transmission is one-way from the external network to the internal network; and because the intermediate drivers encrypt the data, data security is guaranteed.
Description
Technical field
The present invention relates to information security technology, and in particular to a data one-way transmission method and system.
Background technology
With the rapid development of networks, great convenience has been brought to people's lives. The network has become an important means by which people manage information, strengthen communication, and improve the efficiency and quality of work and life. Because the structure and form of the Internet are more open and free than those of other computer networks, and because it is international in nature, new services such as e-commerce, electronic cash, digital currency and Internet banking can all be realised through it.
At the same time, as information networks have spread, various potential vulnerabilities have brought new security threats: hacker intrusions and attacks, virus harassment and damage, and leaks from inside systems occur frequently, and these attacks seriously threaten the security of data on the network. Once important information leaks, it causes great loss. To resist such threats, governments, the military and enterprises have all set up their own internal networks for office work and for transmitting internal information, and have physically isolated them from external networks. Research has further shown that many of today's leaks are caused by mismanagement by internal staff: because internal staff have the opportunity to reach core sensitive information, there is a risk that sensitive information is stolen. It is therefore necessary to study a one-way transmission system based on transparent encryption and decryption, which encrypts and decrypts data directly at the lower layers of the information system so that a user cannot perceive the content of an intercepted message even with sophisticated technical means, thereby guaranteeing the security of the information.
Although physical isolation guarantees the security of the internal network, data from the external network cannot be transmitted into the internal network over the network. For internal network users this means that data cannot be obtained from the external network over the network but only through removable media such as CDs, so transferring data from the external network to the internal network is inconvenient.
Summary of the invention
The invention provides a data one-way transmission method and system, to solve the prior-art problem that internal network users cannot obtain data from the external network over the network and must rely on removable media such as CDs, which makes transferring data from the external network to the internal network inconvenient.
To achieve this goal, the data one-way transmission method provided by the invention comprises:
an external network terminal downloads a packet to be transmitted from the external network, performs an encryption transformation on the packet at the data link layer through an intermediate driver to obtain a first packet, and sends the first packet to an intermediate machine over the external network connection;
after receiving the first packet, the intermediate machine switches its network connection from the external network connection to the internal network connection, decrypts the first packet using the intermediate driver to obtain the packet to be transmitted, and forwards the packet to be transmitted to an internal network server over the internal network connection.
To achieve this goal, the data one-way transmission system provided by the invention comprises:
an external network terminal, for downloading a packet to be transmitted from the external network, performing an encryption transformation on the packet at the data link layer through an intermediate driver to obtain a first packet, and sending the first packet to an intermediate machine over the external network connection;
the intermediate machine, for receiving the first packet and, after receiving it, switching its network connection from the external network connection to the internal network connection, decrypting the first packet using the intermediate driver to obtain the packet to be transmitted, and forwarding the packet to be transmitted to an internal network server over the internal network connection;
the internal network server, for receiving, over the internal network connection, the packet to be transmitted sent by the intermediate machine.
In the data one-way transmission method and system provided by the invention, the external network terminal downloads a packet to be transmitted from the external network, performs an encryption transformation on it at the data link layer through an intermediate driver to obtain a first packet, and sends the first packet to the intermediate machine over the external network connection; after receiving the first packet, the intermediate machine switches its network connection from the external network connection to the internal network connection, decrypts the first packet using the intermediate driver to obtain the packet to be transmitted, and sends it to the internal network server over the internal network connection. Because the intermediate machine switches from the external network to the internal network only after it has received a packet from the external network, data can be transmitted from the external network to the internal network; because the intermediate driver is installed on the external network terminal and on the intermediate machine but not on the internal network server, data sent by the internal network server to the intermediate machine cannot be transmitted onward, which guarantees that data flows one way from the external network to the internal network; and because the intermediate driver applies symmetric encryption to the packets during this one-way transmission, the security of the data is guaranteed.
Accompanying drawing explanation
Fig. 1 is a flow diagram of a data one-way transmission method provided by embodiment one of the present invention;
Fig. 2 is a flow diagram of a data one-way transmission method provided by embodiment two of the present invention;
Fig. 3 is a flow diagram of a data one-way transmission method provided by embodiment three of the present invention;
Fig. 4 is a flow diagram of a data one-way transmission method provided by embodiment four of the present invention;
Fig. 5 is a detailed flow diagram of the external network terminal verifying the security of its operating environment, provided by embodiment four of the present invention;
Fig. 6 is a flow diagram of a data one-way transmission method provided by embodiment five of the present invention;
Fig. 7 is a flow diagram of a data one-way transmission method provided by embodiment six of the present invention;
Fig. 8 shows the implementation structure of a network cable switch provided by embodiment six;
Fig. 9 is a schematic diagram of the network cable switch provided in embodiment six;
Fig. 10 is a flow diagram of a data one-way transmission method provided by embodiment seven of the present invention;
Fig. 11 is a structural diagram of a data one-way transmission system provided by embodiment eight of the present invention;
Fig. 12 is a structural diagram of a data one-way transmission system provided by embodiment nine of the present invention;
Fig. 13 is a structural diagram of a data one-way transmission system provided by embodiment ten of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them.
Embodiment one
Fig. 1 is a flow diagram of a data one-way transmission method provided by embodiment one of the present invention. As shown in Fig. 1, the method comprises the following steps:
101. The external network terminal downloads a packet to be transmitted from the external network, performs an encryption transformation on the packet at the data link layer through an intermediate driver to obtain a first packet, and sends the first packet to the intermediate machine over the external network connection.
Specifically, in this embodiment an intermediate driver is installed on the external network terminal; the intermediate driver may be a Network Driver Interface Specification (NDIS) intermediate driver.
The external network terminal downloads the packet to be transmitted from the external network and hands it to the NDIS intermediate driver, which performs the encryption transformation at the data link layer to obtain the first packet. At this point the external network terminal is connected to the intermediate machine over the external network connection. After obtaining the first packet, the external network terminal sends it to the intermediate machine over that connection.
The packet to be transmitted is carried in an Ethernet frame, and the NDIS intermediate driver encrypts all data in the frame other than the frame header, the frame trailer and the Internet Protocol (IP) header. After this encryption transformation the original protocol structure inside the frame is destroyed. The frame is still forwarded to the intermediate machine by routers and network cards, but if the intermediate machine's operating system does not first apply the symmetric decryption to the first packet and instead processes it directly, the operating system discards it as a malformed packet.
102. After receiving the first packet, the intermediate machine switches its network connection from the external network connection to the internal network connection, decrypts the first packet using the intermediate driver to obtain the packet to be transmitted, and sends the packet to be transmitted to the internal network server over the internal network connection.
Specifically, after the external network terminal has transformed the packet to be transmitted into the first packet, it sends the first packet to the intermediate machine over the external network cable. The external network terminal sends the first packet to the intermediate machine using the User Datagram Protocol (UDP). Because UDP is a connectionless transport protocol that limits the maximum length of a datagram, the external network terminal has to split the first packet into numbered segments and send them to the intermediate machine in number order. Once the intermediate machine has received all segments of the first packet, it reassembles them according to their numbers to recover the first packet.
Further, after receiving the first packet, the intermediate machine has to switch its network connection from the external network connection to the internal network connection in order to send the packet to be transmitted into the internal network. In this embodiment a network cable switch is placed between the external network cable and the internal network cable. When the intermediate machine determines that it has received the first packet, it sends a control command to the cable switch instructing it to switch from the external network connection to the internal network connection. For example, while the current connection is the external one, the contact of the cable switch is connected to the external network cable; after the intermediate machine sends the control command, the cable switch connects the contact to the internal network cable, so the network connection becomes the internal one. Conversely, while the current connection is the internal one, the contact is connected to the internal network cable; after the control command, the cable switch connects the contact to the external network cable, so the network connection becomes the external one.
In general, if the intermediate machine simply sent packets straight to the internal network server before it had received the first packet, packets would be lost. To avoid packet loss and to give the intermediate machine an automatic forwarding capability, this embodiment adds a fixed-delay forwarding function: after the intermediate machine receives an incoming first packet, it starts a timer. If no data arrives from the external network terminal within a preset duration, the intermediate machine sends the control command to the cable switch so that its contact moves from the external network cable to the internal network cable; the cable switch is then connected to the internal network cable and the network connection is switched to the internal connection. The intermediate machine is now connected to the internal network and sends the packet to the internal network server over the internal connection. If data arrives while the timer is running, the timer is stopped; after the data has been received, the timer is started again and the process above repeats.
Because the first packet received by the intermediate machine in this embodiment was produced by the encryption transformation of the external network terminal's NDIS intermediate driver, the intermediate machine has to decrypt the first packet before it can send the packet to be transmitted to the internal network server. Specifically, an NDIS intermediate driver is installed on the intermediate machine, and this driver performs the symmetric decryption of the first packet to obtain the packet to be transmitted.
Further, after decrypting the first packet, the intermediate machine can send the packet to be transmitted, which came in from the external network terminal, to the internal network server. Once the intermediate machine has sent the packet to be transmitted, it sends another control command to the cable switch to switch back to the external network cable. To reduce packet loss, taking into account transmission delay and the performance of the internal receiving module, in this embodiment the rate at which the intermediate machine sends data to the internal network server is set to 300k/s.
After the cable switch has switched to the internal network, the intermediate machine can send the packet to be transmitted to the internal network server over the internal network connection. In this embodiment no intermediate driver, such as an NDIS intermediate driver, is installed on the internal network server. When the internal network server sends a packet to the intermediate machine, that packet has not undergone the intermediate driver's encryption, yet the intermediate machine's intermediate driver decrypts it on arrival, so the packet received from the internal network server is scrambled. The intermediate machine therefore cannot relay internal network data outward through the external network terminal, which guarantees the one-way nature and the security of the data.
In the data one-way transmission method provided by this embodiment, the external network terminal downloads a packet to be transmitted from the external network, performs an encryption transformation on it at the data link layer through an intermediate driver to obtain a first packet, and sends the first packet to the intermediate machine; after receiving the first packet, the intermediate machine switches its network connection from the external network connection to the internal network connection, decrypts the first packet using the intermediate driver to obtain the packet to be transmitted, and sends it to the internal network server over the internal network connection. Because the intermediate machine switches from the external network to the internal network only after it has received a packet from the external network, data can be transmitted from the external network to the internal network; because the intermediate driver is installed on the external network terminal and on the intermediate machine but not on the internal network server, data sent by the internal network server to the intermediate machine cannot be transmitted onward, which guarantees that data flows one way from the external network to the internal network; and because the intermediate driver applies symmetric encryption to the packets during this one-way transmission, the security of the data is guaranteed.
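As an added example (written for this page, not the patent's own code) of the UDP segmentation with numbered reassembly and of the fixed-delay cable switching described in step 102 above: the external network terminal splits the first packet into numbered segments, and the intermediate machine reassembles them by number, restarts its timer on every arrival, and only after the preset idle duration commands the cable switch to the internal network, forwards the packet, and commands the switch back. The segment layout, the idle duration, and the modelling of the control command as a function that flips the switch contact are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SEG_DATA_MAX   8    /* deliberately tiny so that a short packet splits */
#define MAX_SEGMENTS   32
#define PRESET_IDLE_MS 500  /* the "preset duration" of the fixed-delay forward */

enum cable_side { CABLE_OUTER, CABLE_INNER };

/* Assumed datagram layout: each UDP segment carries its number, the total
 * number of segments of the first packet, and a slice of its bytes. */
struct segment { uint16_t seq, total, len; uint8_t data[SEG_DATA_MAX]; };

/* External network terminal: split the first packet into numbered segments.
 * Returns the segment count, or 0 if the packet would need too many. */
size_t split_first_packet(const uint8_t *pkt, size_t len, struct segment *out)
{
    size_t total = (len + SEG_DATA_MAX - 1) / SEG_DATA_MAX;
    if (total == 0 || total > MAX_SEGMENTS) return 0;
    for (size_t i = 0; i < total; i++) {
        size_t off = i * SEG_DATA_MAX;
        size_t n = len - off < SEG_DATA_MAX ? len - off : SEG_DATA_MAX;
        out[i].seq = (uint16_t)i; out[i].total = (uint16_t)total; out[i].len = (uint16_t)n;
        memcpy(out[i].data, pkt + off, n);
    }
    return total;
}

struct middle_machine {
    uint8_t  buf[MAX_SEGMENTS * SEG_DATA_MAX];
    uint8_t  have[MAX_SEGMENTS];
    size_t   total, received, len;   /* reassembly bookkeeping */
    int      timing;                 /* timer started after a receive */
    uint64_t last_rx_ms;
    enum cable_side cable;           /* which cable the switch contact touches */
    int      control_commands;       /* commands sent to the cable switch */
    uint8_t  forwarded[MAX_SEGMENTS * SEG_DATA_MAX];
    size_t   forwarded_len;
};

void mm_init(struct middle_machine *m) { memset(m, 0, sizeof *m); m->cable = CABLE_OUTER; }

/* The control command to the cable switch: its contact moves to the other cable. */
static void mm_send_control_command(struct middle_machine *m)
{
    m->cable = (m->cable == CABLE_OUTER) ? CABLE_INNER : CABLE_OUTER;
    m->control_commands++;
}

/* A segment arrives over the external network cable: store it by number and
 * restart the timer.  Returns 0 for a segment that cannot belong to the packet. */
int mm_on_segment(struct middle_machine *m, const struct segment *s, uint64_t now_ms)
{
    if (m->cable != CABLE_OUTER || s->total == 0 || s->total > MAX_SEGMENTS ||
        s->seq >= s->total || s->len > SEG_DATA_MAX) return 0;
    if (m->total == 0) m->total = s->total; else if (s->total != m->total) return 0;
    size_t off = (size_t)s->seq * SEG_DATA_MAX;
    memcpy(m->buf + off, s->data, s->len);
    if (!m->have[s->seq]) { m->have[s->seq] = 1; m->received++; }
    if (off + s->len > m->len) m->len = off + s->len;
    m->timing = 1; m->last_rx_ms = now_ms;            /* data arrived: timer restarts */
    return 1;
}

/* Periodic check for the fixed-delay forward: once the preset duration has
 * passed without data and every segment is in, switch to the internal network,
 * forward the reassembled packet, and switch back.  Returns 1 when a packet
 * was forwarded.  (Assumption: an incomplete packet keeps waiting.) */
int mm_on_tick(struct middle_machine *m, uint64_t now_ms)
{
    if (!m->timing || now_ms - m->last_rx_ms < PRESET_IDLE_MS) return 0;
    if (m->received < m->total) return 0;
    mm_send_control_command(m);                       /* external -> internal */
    memcpy(m->forwarded, m->buf, m->len);
    m->forwarded_len = m->len;
    mm_send_control_command(m);                       /* back to external */
    memset(m->have, 0, sizeof m->have);
    m->total = m->received = m->len = 0; m->timing = 0;
    return 1;
}

/* Constructed first packet delivered with its segments out of order.  Returns 1
 * if nothing is forwarded before the idle timeout, the packet is then forwarded
 * intact, and the cable switch ends up back on the external network side. */
int check_out_of_order_delivery(void)
{
    static const uint8_t pkt[] = "constructed first packet with some content";
    struct segment segs[MAX_SEGMENTS];
    struct middle_machine m;
    if (split_first_packet(pkt, sizeof pkt, segs) != 6) return 0;   /* 43 bytes -> 6 */
    mm_init(&m);
    const size_t order[6] = { 3, 0, 5, 1, 4, 2 };
    for (size_t i = 0; i < 6; i++)
        if (!mm_on_segment(&m, &segs[order[i]], 10 * i)) return 0;  /* last at 50 ms */
    if (mm_on_tick(&m, 50 + PRESET_IDLE_MS - 1) != 0 || m.cable != CABLE_OUTER) return 0;
    if (mm_on_tick(&m, 50 + PRESET_IDLE_MS) != 1) return 0;
    if (m.forwarded_len != sizeof pkt || memcmp(m.forwarded, pkt, sizeof pkt)) return 0;
    return m.cable == CABLE_OUTER && m.control_commands == 2;
}
```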
Embodiment two
Fig. 2 is a flow diagram of a data one-way transmission method provided by embodiment two of the present invention. On the basis of embodiment one, the process by which the external network terminal sends a packet to the intermediate machine comprises the following steps:
101a. The external network terminal obtains the packet to be transmitted.
101b. The external network terminal allocates a packet descriptor MyPacket.
101c. The external network terminal allocates memory pPacketContent.
101d. The external network terminal stores the packet to be transmitted in pPacketContent.
101e. The external network terminal checks whether the packet to be transmitted is an ARP packet.
If yes, go to step 101i; otherwise go to step 101f.
101f. The external network terminal checks whether the packet to be transmitted is an IP packet.
If yes, go to step 101g; otherwise go to step 101a.
101g. The external network terminal determines whether the packet to be transmitted needs NDIS encryption.
If yes, go to step 101h; otherwise go to step 101i.
101h. The external network terminal encrypts the packet to be transmitted with NDIS to obtain the first packet.
101i. The external network terminal allocates a buffer MyBuffer.
101j. The external network terminal chains the first packet into MyPacket.
101k. The external network terminal sends the first packet to the intermediate machine.
Specifically, Microsoft provides an intermediate driver sample, Passthru, in the Windows Driver Kit (WDK). Passthru provides the overall framework of an intermediate driver. It sits between the network layer and the media access control layer and intercepts network packets at the bottom of the stack, but as supplied it merely inserts itself between the network card and the upper-layer protocols and does no work of its own. In this embodiment Passthru is modified so that packets are captured and reconstructed in order to encrypt them for transmission.
In the DriverEntry initialisation function, the miniport device at the upper edge of the intermediate driver is initialised and a set of MiniportXxx function pointers is registered with the NDIS library. The MPSendPackets function is registered in the driver. Before the packet to be transmitted enters the network card it is intercepted by MPSendPackets, and this function reconstructs the packet.
NdisDprAllocatePacket is first called to allocate the packet descriptor MyPacket. If the allocation succeeds, NdisAllocateMemoryWithTag is called to allocate the memory pPacketContent that holds the contents of the original packet to be transmitted, and NdisZeroMemory is called to zero the allocated memory. NdisQueryPacket is then used to query the original packet: the packet's physical block count in memory, BufferCount (the number of NDIS_BUFFER blocks), NdisBuffer (the first buffer returned) and TotalPacketLength (the total length of the packet data). NdisQueryBufferSafe and NdisMoveMemory are called in a loop to walk the packet's buffers and copy their data into pPacketContent. Once the entire original packet has been obtained, its data is inspected: if pPacketContent[12] == 8 && pPacketContent[13] == 6, the packet to be transmitted is an ARP packet and is sent directly into the buffer MyBuffer allocated by the external network terminal. If the packet is not an ARP packet and pPacketContent[12] == 8 && pPacketContent[13] == 0, the external network terminal determines that it is an IP packet. The external network terminal then checks whether the upper-layer application has enabled encryption; if so, the following code is executed. The code is written in C#; those skilled in the art will appreciate that this is only an example and that the programming language is not a limitation of the present invention.
All data other than the frame header, frame trailer and IP header is encrypted. If pPacketContent[12] and pPacketContent[13] hold other values, the packet is a non-essential or invalid packet; execution returns or the packet is simply discarded. If it is not discarded, a new buffer descriptor MyBuffer is allocated with NdisAllocateBuffer and associated with pPacketContent. NdisChainBufferAtFront is called to chain MyBuffer into the newly allocated packet descriptor MyPacket, and NdisSend is then called to send the reconstructed first packet. The specific flow is as follows:
The I/O communication principle of WDM driver design is adopted. In the kernel driver two IOCTLs are first defined:
#define IO_PASS_ALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x928, METHOD_NEITHER, FILE_ANY_ACCESS), which tells the driver not to encrypt;
#define IO_DENY_ALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x929, METHOD_NEITHER, FILE_ANY_ACCESS), which tells the driver to encrypt.
In the driver, the IOCTL response routines are written: a global variable AllowEncrypt is defined and initialised to 0, meaning no encryption. The response routine for IO_PASS_ALL sets AllowEncrypt = 0 (no encryption); the response routine for IO_DENY_ALL sets AllowEncrypt = 1 (encrypt).
The application part calls CreateFile to create a handle and then calls DeviceIoControl to pass the IOCTL that controls whether the driver encrypts.
For the operations the intermediate machine performs after receiving the first packet, see step 102 in embodiment one; they are not repeated here.
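As an added illustration of the driver logic described in this embodiment and in step 102 of embodiment one (example code written for this page, not the patent's code or Microsoft's Passthru sample): the EtherType check on bytes 12 and 13, the AllowEncrypt flag set by the IO_PASS_ALL and IO_DENY_ALL IOCTLs, the transformation of everything past the frame header and IP header, and the one-way effect when a plain frame from the internal network server is decrypted on the intermediate machine. The patent does not name its symmetric cipher, so a keystream XOR stands in for it; the frame bytes and key are constructed; CTL_CODE is reproduced from the Windows DDK definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CTL_CODE and its argument constants as the Windows DDK headers define them,
 * reproduced so the two IOCTLs of the description build without the WDK. */
#define CTL_CODE(Dev, Func, Method, Access) \
    (((Dev) << 16) | ((Access) << 14) | ((Func) << 2) | (Method))
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_NEITHER      3
#define FILE_ANY_ACCESS     0
#define IO_PASS_ALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x928, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IO_DENY_ALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x929, METHOD_NEITHER, FILE_ANY_ACCESS)

#define ETH_HDR_LEN 14   /* destination MAC, source MAC, EtherType */
#define IP_HDR_LEN  20   /* minimal IPv4 header, as in the constructed frame */
#define HDR_LEN (ETH_HDR_LEN + IP_HDR_LEN)

enum verdict { V_PASS_ARP, V_PASS_PLAIN, V_TRANSFORMED, V_DROP };

static int AllowEncrypt = 0;   /* 0 after IO_PASS_ALL, 1 after IO_DENY_ALL */

/* IOCTL response routine; returns 1 for a recognised code. */
int handle_ioctl(uint32_t code)
{
    if (code == IO_PASS_ALL) { AllowEncrypt = 0; return 1; }
    if (code == IO_DENY_ALL) { AllowEncrypt = 1; return 1; }
    return 0;
}

/* Stand-in for the unnamed symmetric cipher (assumption): XOR with a
 * key-derived byte stream, so applying it twice restores the input. */
static void symmetric_transform(uint8_t *buf, size_t len, const uint8_t key[16])
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key[i % 16] ^ (uint8_t)(i * 0x9Du));
}

/* Offset of the IPv4 payload (past frame header and IP header); 0 if the
 * frame is not a well-formed IPv4 frame. */
static size_t ipv4_payload_offset(const uint8_t *frame, size_t len)
{
    if (len < HDR_LEN || frame[12] != 0x08 || frame[13] != 0x00) return 0;
    size_t ihl = (size_t)(frame[ETH_HDR_LEN] & 0x0F) * 4;
    return (ihl < IP_HDR_LEN || ETH_HDR_LEN + ihl > len) ? 0 : ETH_HDR_LEN + ihl;
}

/* MPSendPackets decision on the external network terminal: EtherType bytes 12
 * and 13 select ARP (passed untouched) or IPv4 (transformed only when
 * AllowEncrypt is set, headers never touched); anything else is dropped. */
enum verdict outbound_frame(uint8_t *frame, size_t len, const uint8_t key[16])
{
    if (len >= ETH_HDR_LEN && frame[12] == 0x08 && frame[13] == 0x06) return V_PASS_ARP;
    size_t off = ipv4_payload_offset(frame, len);
    if (off == 0) return V_DROP;
    if (!AllowEncrypt) return V_PASS_PLAIN;
    symmetric_transform(frame + off, len - off, key);
    return V_TRANSFORMED;
}

/* The intermediate machine's driver decrypts every IPv4 frame it receives. */
enum verdict inbound_frame(uint8_t *frame, size_t len, const uint8_t key[16])
{
    size_t off = ipv4_payload_offset(frame, len);
    if (off == 0) return V_DROP;
    symmetric_transform(frame + off, len - off, key);
    return V_TRANSFORMED;
}

static const uint8_t DEMO_KEY[16] = { 0x3A,0x7F,0xC2,0x11,0x58,0x9E,0x04,0xB6,
                                      0x6D,0x23,0xE8,0x90,0x47,0xAC,0x15,0xF1 };
/* Constructed frame: Ethernet header, minimal IPv4 header, 24-byte payload. */
static const uint8_t DEMO_FRAME[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,44, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
    'c','o','n','s','t','r','u','c','t','e','d',' ','p','a','y','l','o','a','d',' ','d','a','t','a' };

/* External terminal -> intermediate machine: headers stay intact, the payload
 * changes on the wire, and decryption recovers the original frame. */
int check_outer_to_inner(void)
{
    uint8_t f[sizeof DEMO_FRAME];
    memcpy(f, DEMO_FRAME, sizeof f);
    handle_ioctl(IO_DENY_ALL);
    if (outbound_frame(f, sizeof f, DEMO_KEY) != V_TRANSFORMED) return 0;
    if (memcmp(f, DEMO_FRAME, HDR_LEN) != 0) return 0;
    if (memcmp(f + HDR_LEN, DEMO_FRAME + HDR_LEN, sizeof f - HDR_LEN) == 0) return 0;
    if (inbound_frame(f, sizeof f, DEMO_KEY) != V_TRANSFORMED) return 0;
    return memcmp(f, DEMO_FRAME, sizeof f) == 0;
}

/* Internal network server -> intermediate machine: the server has no driver,
 * so its plain frame is scrambled by the decryption on arrival. */
int check_inner_to_outer_scrambled(void)
{
    uint8_t f[sizeof DEMO_FRAME];
    memcpy(f, DEMO_FRAME, sizeof f);
    if (inbound_frame(f, sizeof f, DEMO_KEY) != V_TRANSFORMED) return 0;
    return memcmp(f + HDR_LEN, DEMO_FRAME + HDR_LEN, sizeof f - HDR_LEN) != 0;
}
```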
Embodiment three
Fig. 3 is a flow diagram of a data one-way transmission method provided by embodiment three of the present invention. On the basis of embodiment one, another process by which the external network terminal sends a packet to the intermediate machine comprises the following steps:
201. The external network terminal downloads the packet to be transmitted from the external network.
202. The external network terminal determines whether the packet to be transmitted is to be transferred into the internal network.
If yes, go to step 203; otherwise go to step 206.
203. The external network terminal performs AES encryption on the packet to be transmitted.
To improve the security of the data to be transmitted, the external network terminal applies Advanced Encryption Standard (AES) encryption to the downloaded packet.
C# provides an AES encryption function. After downloading the data from the external network, the external network terminal first calls the C# function Aes.CreateEncryptor() on the packet to be transmitted that has been read into memory. The following code is written in C#; those skilled in the art will appreciate that this is only an example and that the programming language is not a limitation of the present invention.
The data in memory is encrypted; the AES-encrypted packet is then encrypted again by NDIS to obtain the first packet, which is sent to the intermediate machine. The encryption key and initialisation vector are kept inside the program on the external network terminal, so the content of the packet to be transmitted is rendered unintelligible by the encryption.
If the external network terminal applies AES encryption to the packet to be transmitted before the intermediate driver's data link layer encryption transformation produces the first packet, then correspondingly, after the intermediate machine sends the AES-encrypted packet to the internal network server, the internal network server has to apply AES decryption to recover the original packet.
The internal network server generally caches the received AES-encrypted packet. To decrypt it, the server first reads the packet from the cache and decrypts it with the decryption key stored inside the internal network server, calling the function Aes.CreateEncryptor().
The following code is written in C#; those skilled in the art will appreciate that this is only an example and that the programming language is not a limitation of the present invention.
The corresponding original packet is thus reconstructed and its function restored, so that the original packet to be transmitted has successfully reached the internal network.
204. The external network terminal performs the encryption transformation on the packet to be transmitted at the data link layer through the intermediate driver to obtain the first packet.
For the detailed process see the related content of step 101 in embodiment one; it is not repeated here.
205. The external network terminal sends the first packet to the intermediate machine over the external network connection.
For the operations the intermediate machine performs after receiving the first packet, see step 102 in embodiment one; they are not repeated here.
206. The external network terminal ends the process.
In this embodiment the external network terminal encrypts the packet to be transmitted twice, with the AES algorithm and with the intermediate driver, and sends the encrypted packet to the intermediate machine. This effectively prevents viruses or malicious programs that may accompany packets imported into the internal network from entering the exchange area and launching attacks, blocks the various hacker, virus and trojan attacks that rely on program execution, and improves the security of the packet in transit.
Embodiment four
Fig. 4 is a schematic flowchart of a data one-way transmission method provided by embodiment four of the present invention. On the basis of the above embodiments, after the external terminal downloads the data packet to be transmitted from the external network, it also needs to judge the security of its operating environment. This judgment process comprises the following steps:
301. The external terminal obtains the serial number of the hard disk currently in operation.
302. The external terminal judges by the serial number whether its own running environment is secure.
Specifically, the external terminal compares the obtained serial number with the serial numbers of the authorized hard disks pre-stored in the external terminal. If the obtained serial number matches none of the authorized hard-disk serial numbers, the hard disk corresponding to the obtained serial number is illegitimate, that is, the current running environment of the external terminal is insecure. If it judges its running environment to be secure, the external terminal performs step 303; if it judges its running environment to be insecure, the external terminal performs step 304.
Fig. 5 is a schematic diagram of the detailed process by which the external terminal verifies the security of its operating environment, provided by embodiment four. As shown in Fig. 5, this process comprises:
302a. The external terminal obtains the MD5 value of the serial number of the hard disk currently in operation.
302b. The external terminal compares this MD5 value with the pre-stored MD5 values of the authorized hard-disk serial numbers.
302c. If the MD5 value is not identical to the MD5 value of any authorized hard-disk serial number, the external terminal judges that its running environment is insecure.
Specifically, the program of the external terminal stores internally the Message Digest Algorithm 5 (MD5) values of the authorized hard-disk serial numbers. When the program starts it calls a custom GetHardId() function, which uses the Application Programming Interface (API) functions exposed by kernel32.dll, a dynamic link library (DLL) of the external terminal's operating system, to obtain the serial number of the hard disk currently in operation, and then computes the MD5 value of that serial number with the MD5 algorithm. This MD5 value is then compared with the MD5 values of the authorized hard-disk serial numbers stored in the program. If the MD5 value is not identical to the MD5 value of any authorized hard-disk serial number, the external terminal judges that its running environment is untrusted and the program stops running.
Verifying by MD5 value means that the external terminal does not store the original serial numbers of the authorized hard disks; combined with the one-way property of MD5, the genuine permitted hard-disk serial numbers cannot be learned from outside. To prevent an illegitimate user from skipping the start-up verification after reverse-engineering the software, a background loop verification thread is established while the external terminal is running, which verifies the serial number of the hard disk currently in operation once every 5 seconds, thereby ensuring the reliability of the external terminal's operating environment.
303. The external terminal performs AES encryption on the data packet to be transmitted.
After judging its running environment to be secure, the external terminal can perform AES encryption on the downloaded data packet to be transmitted to further improve data security. For the detailed AES encryption process, see the description of step 203 in embodiment three above, which is not repeated here.
304. The external terminal stops running.
After judging its running environment to be insecure, the external terminal stops running.
In this embodiment, the external terminal verifies the security of its operating environment before transmitting the data packet, which ensures that the data packet is transmitted in a secure environment.
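As an added illustration of steps 301 to 304 (this is not the patent's C# program), the following Python models the start-up check and the 5-second background verification thread; the serial-number source, the sample serial numbers and the digest list are constructed assumptions standing in for the kernel32.dll call and the values stored in the real program.

```python
import hashlib
import threading
import time
from typing import Callable, Iterable

# Constructed sample serial numbers; the program itself stores only their digests.
AUTHORIZED_SERIALS_FOR_DEMO = ("WD-WCC4E1234567", "S21NNXAG812345")
AUTHORIZED_MD5 = frozenset(
    hashlib.md5(s.encode("ascii")).hexdigest() for s in AUTHORIZED_SERIALS_FOR_DEMO
)


def serial_md5(serial: str) -> str:
    """Step 302a: MD5 of the serial number of the hard disk currently in operation."""
    return hashlib.md5(serial.strip().encode("ascii")).hexdigest()


def environment_is_secure(serial: str, authorized_md5: Iterable[str] = AUTHORIZED_MD5) -> bool:
    """Steps 302b/302c: secure only when the digest equals some authorized digest.
    Practitioner note (not from the patent): a disk serial has little entropy, so the
    digest list must be protected as carefully as the serials it stands in for."""
    return serial_md5(serial) in frozenset(authorized_md5)


class EnvironmentWatchdog:
    """Background loop of embodiment four: re-check the serial every `interval`
    seconds and call `on_failure` (which stops the program) when the check fails."""

    def __init__(self, read_serial: Callable[[], str], on_failure: Callable[[], None],
                 interval: float = 5.0, authorized_md5: Iterable[str] = AUTHORIZED_MD5) -> None:
        self._read_serial = read_serial      # stands in for GetHardId() via kernel32.dll
        self._on_failure = on_failure
        self._interval = interval
        self._authorized = frozenset(authorized_md5)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)
        self.checks = 0

    def check_once(self) -> bool:
        self.checks += 1
        return environment_is_secure(self._read_serial(), self._authorized)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()

    def _run(self) -> None:
        while not self._stop.is_set():
            if not self.check_once():
                self._on_failure()       # patent: the program stops running
                return
            self._stop.wait(self._interval)


def startup_check(read_serial: Callable[[], str]) -> bool:
    """Step 302 at program start: refuse to run on a hard disk that is not authorized."""
    return environment_is_secure(read_serial())


def demo_watchdog_detects_swap(interval: float = 0.05) -> dict:
    """Constructed scenario: start on an authorized disk, then swap in an unknown one."""
    state = {"serial": AUTHORIZED_SERIALS_FOR_DEMO[0], "stopped": False}
    wd = EnvironmentWatchdog(lambda: state["serial"],
                             lambda: state.update(stopped=True), interval)
    wd.start()
    time.sleep(interval * 3)
    before = {"checks": wd.checks, "stopped": state["stopped"]}
    state["serial"] = "UNKNOWN-DISK-0000"            # the hard disk is replaced
    time.sleep(interval * 10)
    wd.stop()
    return {"checks_before_swap": before["checks"],
            "stopped_before_swap": before["stopped"],
            "stopped_after_swap": state["stopped"]}
```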
Embodiment five
Fig. 6 is a schematic flowchart of a data one-way transmission method provided by embodiment five of the present invention. On the basis of the above embodiments, the process by which the external terminal sends the first data packet to the intermediate machine specifically comprises the following steps:
401. The external terminal divides the first data packet into groups and numbers them;
402. The external terminal sends the groups of the first data packet to the intermediate machine through the external network connection in the order of the numbering.
The external terminal sends the first data packet to the intermediate machine using the User Datagram Protocol (UDP). Because UDP is a connectionless transport protocol and limits the maximum length of a packet, the external terminal needs to split the first data packet into segments and number them, and then send the segments to the intermediate machine in numerical order.
403. After receiving all groups, the intermediate machine combines the groups according to the numbering to obtain the first data packet.
Taking C# as an example, before the first data packet is sent, the IP address of the destination host, i.e. the intermediate machine, must be bound to the port used and to the first data packet. The code UdpClient sender = new UdpClient() instantiates a UDP class, and the code endPoint = new IPEndPoint(remoteIPAddress, remotePort) binds the IP address of the destination host to the port used. Once these pre-transmission operations are complete, the data packet can be sent and received.
First, the user selects the data packet to be transmitted; it is read with the FileStream class and stored in a buffer awaiting transmission. Because the data received by the intermediate machine must be driver-encrypted, and because the driver on the external machine is disabled by default so as not to affect its normal communication, the CRYPT(1) function in CRYPT.DLL is called before data is sent to enable the encryption function of the NDIS driver; if it returns success, the first data packet obtained after encryption is read and transmitted. After transmission is complete, the CRYPT(0) function is called to disable the encryption function of the NDIS driver, so that it does not affect the user's other communication functions.
Because UDP limits the maximum length of a packet, the first data packet must be divided into blocks and numbered when it is sent. Since the receiver needs to know the data type when reassembling, the custom function SendFileInfo() is used before the data packet is sent to first read the type of the packet to be sent and pass it in the structure FileDetail.
The following code is written in C#; those skilled in the art will understand that it is only an example here and that the programming language is not a limitation of the present invention.
The structure is then sent.
Then the Sending() function is used to send the data. In the Sending() function, FileStream.Read reads the buffered data in segments so that each segment's length is within the range allowed by one UDP packet, and UdpClient.Send sends each buffered segment that was read. After transmission is complete, an end marker is sent to tell the destination host that sending has finished:
bytes = System.Text.Encoding.Unicode.GetBytes(endTag);   // end marker
sender.Send(bytes, bytes.Length, endPoint);              // send the end marker
richTextBox1.AppendText("Send complete\n");             // display completion
The intermediate machine can then assemble all received data blocks according to their numbering to obtain the complete first data packet.
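The grouping, numbering, FileDetail header, end marker and reassembly of steps 401 to 403, as an added Python model rather than the patent's C# code; the datagram header layout, the 1400-byte payload limit and the JSON encoding of FileDetail are assumptions of this example.

```python
import json
import socket
import struct
from typing import Dict, List, Optional

HEADER = struct.Struct("!HIH")          # kind, sequence number, payload length (assumed layout)
KIND_INFO, KIND_DATA, KIND_END = 0, 1, 2
MAX_UDP_PAYLOAD = 1400                  # assumed per-datagram limit, below a typical MTU
CHUNK = MAX_UDP_PAYLOAD - HEADER.size
END_TAG = "<END>".encode("utf-16-le")   # like Encoding.Unicode.GetBytes(endTag) in the patent


def file_info(name: str, size: int, kind: str) -> bytes:
    """SendFileInfo(): the FileDetail structure sent first so the receiver knows the type."""
    return json.dumps({"name": name, "size": size, "type": kind}).encode("utf-8")


def fragment(payload: bytes, info: bytes) -> List[bytes]:
    """Step 401: split the first data packet into numbered groups.
    Datagram 0 carries FileDetail, 1..n carry data, the last one carries the end tag."""
    grams = [HEADER.pack(KIND_INFO, 0, len(info)) + info]
    seq = 1
    for off in range(0, len(payload), CHUNK):
        piece = payload[off:off + CHUNK]
        grams.append(HEADER.pack(KIND_DATA, seq, len(piece)) + piece)
        seq += 1
    grams.append(HEADER.pack(KIND_END, seq, len(END_TAG)) + END_TAG)
    return grams


class Reassembler:
    """Step 403: combine the groups by number. Works with reordered delivery and
    reports gaps instead of handing a truncated packet to the next stage."""

    def __init__(self) -> None:
        self.info: Optional[dict] = None
        self.parts: Dict[int, bytes] = {}
        self.end_seq: Optional[int] = None

    def feed(self, gram: bytes) -> Optional[bytes]:
        """Consume one datagram; return the whole packet once it is complete."""
        kind, seq, length = HEADER.unpack_from(gram)
        body = gram[HEADER.size:HEADER.size + length]
        if len(body) != length:
            raise ValueError(f"datagram {seq}: truncated payload")
        if kind == KIND_INFO:
            self.info = json.loads(body.decode("utf-8"))
        elif kind == KIND_DATA:
            self.parts[seq] = body
        elif kind == KIND_END:
            if body != END_TAG:
                raise ValueError("unexpected end tag")
            self.end_seq = seq
        else:
            raise ValueError(f"unknown datagram kind {kind}")
        return self.result()

    def missing(self) -> List[int]:
        """Sequence numbers still outstanding (known only once the end tag has arrived)."""
        if self.end_seq is None:
            return []
        return [s for s in range(1, self.end_seq) if s not in self.parts]

    def result(self) -> Optional[bytes]:
        if self.info is None or self.end_seq is None or self.missing():
            return None
        data = b"".join(self.parts[s] for s in range(1, self.end_seq))
        if len(data) != self.info["size"]:
            raise ValueError("size in FileDetail does not match the reassembled data")
        return data


def loopback_transfer(payload: bytes, name: str = "sample.bin") -> bytes:
    """Send through a real UDP socket on 127.0.0.1 and reassemble on the receiving side."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        for gram in fragment(payload, file_info(name, len(payload), "bin")):
            tx.sendto(gram, rx.getsockname())
        ra = Reassembler()
        while True:
            done = ra.feed(rx.recv(MAX_UDP_PAYLOAD))
            if done is not None:
                return done
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    sample = bytes(range(256)) * 20          # constructed 5120-byte packet
    assert loopback_transfer(sample) == sample
    print("loopback transfer reassembled", len(sample), "bytes")
```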
Embodiment six
Fig. 7 is a schematic flowchart of a data one-way transmission method provided by embodiment six of the present invention. On the basis of the above embodiments, the process by which the intermediate machine transmits the data packet to the intranet server specifically comprises the following steps:
501. The intermediate machine receives the first data packet.
The intermediate machine is connected to the external terminal through the external network connection and can receive the first data packet from the external terminal. The first data packet is obtained by the external terminal encrypting the data packet to be transmitted through the intermediate driver.
It should be noted that if the external terminal divides the first data packet into groups and numbers them before sending to the intermediate machine, then the intermediate machine needs to combine the received groups of the first data packet according to the numbering to obtain the first data packet. For the detailed process, see the description of the related content in embodiment five above, which is not repeated here.
502. The intermediate machine decrypts the first data packet using the intermediate driver to obtain the data packet to be transmitted.
Because the first data packet was encrypted by the intermediate driver, the intermediate machine needs to use the intermediate driver to decrypt the first data packet in order to obtain the data packet to be transmitted.
503. The intermediate machine verifies whether the external terminal that sent the data packet to be transmitted is an authorized terminal.
After the intermediate machine obtains the data packet to be transmitted, it can obtain the identification information of the external terminal that sent it and then verify from this identification information whether the external terminal is an authorized terminal. For example, identification information of authorized terminals is pre-stored in the intermediate machine, and the identification information of the external terminal is compared with the pre-stored identification information of the authorized terminals. If the identification information of the external terminal is present in the pre-stored identification information of the authorized terminals, the external terminal is a legitimate authorized terminal; otherwise the external terminal is illegitimate, and the intermediate machine discards the data packet received from the illegitimate external terminal.
504. The intermediate machine verifies the integrity of the data packet to be transmitted.
Generally, if the intermediate machine receives no new data from the external terminal within a preset time, this indicates that the intermediate machine has received the complete data packet to be transmitted.
505. After verification passes, the intermediate machine sends a control instruction to the network cable switch to switch the network connection from the external network connection to the intranet connection.
After the integrity verification of the data packet passes, the intermediate machine, which at this point is connected to the external terminal, sends a control instruction to the network cable switch, and the cable connection is switched from the external network connection to the intranet connection; the intermediate machine is now connected to the intranet server.
Fig. 8 shows an implementation structure of the network cable switch provided by embodiment six. As shown in Fig. 8, the network cable switch has four external ports: an intranet cable interface, an external network cable interface, a control computer interface and a control port. A single-pole double-throw relay serves as the physical switch between the intranet and the external network, and the cable interfaces are connected in response to control commands received over the serial port. When the network cable switch connects the intranet cable interface to the intranet cable, the network connection is the intranet connection; when it connects the external network cable interface to the external network cable, the network connection is the external network connection. The network cable switch is an electronic switch powered by the +5 V supply of a Universal Serial Bus (USB) interface, and a transistor controls the simultaneous action of four relays. The intermediate machine sends control instructions to the control computer through the control interface, and the control computer sends a Request To Send (RTS) signal to the transistor through the control computer interface; this RTS signal is the control signal of the transistor. The control computer interface is a Recommended Standard 232 (RS232) interface.
Fig. 9 is a schematic diagram of the network cable switch provided in embodiment six. As shown in Fig. 9, when the serial port is not open and the RTS control signal is low, the single-pole double-throw relay connects the intermediate machine to the external network: the network cable switch is connected to the external network cable and the network connection is in the external-network-connected state. When the intermediate machine opens the serial port by program and sets the RTS control signal high, the transistor conducts and energizes the relay, and the intermediate machine is now connected to the intranet. When data packet transmission ends, the intermediate machine closes the serial port and resets the RTS control signal, the transistor cuts off and the relay is de-energized, and the network cable switch returns to the state connected to the external network. In this embodiment, the intermediate machine achieves time-shared switching between the intranet and the external network by controlling the network cable switch, which ensures that the intranet and the external network are never connected at the same time and makes the network switching controllable, achieving time-shared connection and physical isolation.
In this embodiment, there is no need to configure the serial port or to perform read and write operations; only the opening and closing of the serial port needs to be implemented in program. The detailed process is as follows:
A DLL for opening and closing the serial port is written in Visual C++ for the data transmission program to call. The serial-port open function in the DLL is called open_usb and is implemented with the CreateFile function from "windows.h"; the serial-port close function in the DLL is called close_usb and is implemented with the CloseHandle function from "windows.h".
506. The intermediate machine sends the data packet to be transmitted to the intranet server through the intranet connection.
For example, after receiving the data packet to be transmitted, the intermediate machine can instantiate a timer with System.Timers.Timer t = new System.Timers.Timer(). Once 15 seconds have elapsed, if the intermediate machine is idle and no data has arrived, it automatically calls the custom Check() function, which uses foreach (FileSystemInfo fsi in di.GetFileSystemInfos()) to traverse the directory and check whether a data packet to be transmitted exists. If one exists, the open() function in USB.DLL, which controls the network cable switch, is first called to point the switch to the intranet. After switching, string x = Path.GetDirectoryName() is used to obtain the name of the data packet in the directory, send() is called to send it, and finally File.Delete() is called to delete the data packet.
507. After the data has been sent, the intermediate machine sends a control instruction to the network cable switch to switch the network connection from the intranet connection to the external network connection.
After the data packet has been sent completely, the intermediate machine, which at this point is connected to the intranet server, sends a control instruction to the network cable switch, and the cable connection is switched from the intranet connection to the external network connection; the intermediate machine is now connected to the external terminal.
Embodiment seven
Fig. 10 is a schematic flowchart of a data one-way transmission method provided by embodiment seven of the present invention. On the basis of the above embodiments, before the intermediate machine switches the network connection from the external network connection to the intranet connection, the method further comprises:
601. The intermediate machine obtains the running processes and compares the running processes with the trusted processes in a pre-stored white list.
602. If the trusted processes do not include a running process, the intermediate machine stops that running process.
To ensure that the environment of the intermediate machine is secure and reliable, the security of the intermediate machine's running environment needs to be checked while it runs. When the intermediate machine starts, a thread runs in a background loop, and a white list "Process.txt" is provided in which the trusted processes are stored. At regular intervals, the intermediate machine obtains all running processes, for example by calling Process.GetProcesses(), and compares the running processes with the trusted processes in the white list. If a running process is not stored in the white list, the intermediate machine stops that running process by calling Process.Kill().
Taking C# as an example, the program is as follows. Those skilled in the art will understand that it is only an example here and that the programming language is not a limitation of the present invention.
Optionally, the process also computes MD5 checks of the intermediate machine's own files; if a file is found to have been modified, a copy of the modified file is made to a directory in the secure zone and operation continues. In this way communication can be carried out in a relatively trustworthy environment.
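As an added example (not the patent's C# or Visual C++ code), the following Python models the intermediate machine's steps 501 to 507 together with the process white-list check of embodiment seven; the RTS-driven relay is simulated, and the authorized terminal list, the packets and the white list are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_S = 15.0   # preset duration after which reception is considered complete


class SimulatedCableSwitch:
    """Single-pole double-throw relay driven by RTS: low = external network, high = intranet."""

    def __init__(self) -> None:
        self.rts_high = False
        self.log: List[str] = []

    def open_usb(self) -> None:
        """Open the serial port: RTS high, relay energized, intranet cable connected."""
        self.rts_high = True
        self.log.append("intranet")

    def close_usb(self) -> None:
        """Close the serial port: RTS low, relay released, external cable connected."""
        self.rts_high = False
        self.log.append("extranet")

    @property
    def connected_to(self) -> str:
        return "intranet" if self.rts_high else "extranet"


def untrusted_processes(running: List[str], whitelist_text: str) -> List[str]:
    """Embodiment seven: running process names absent from Process.txt (case-insensitive)."""
    allowed = {ln.strip().lower() for ln in whitelist_text.splitlines() if ln.strip()}
    return [p for p in running if p.lower() not in allowed]


@dataclass
class IntermediateMachine:
    switch: SimulatedCableSwitch
    authorized_terminals: frozenset
    forward: Callable[[str, bytes], None]                  # delivery to the intranet server
    processes_trusted: Callable[[], bool] = lambda: True   # embodiment seven hook
    pending: Dict[str, bytes] = field(default_factory=dict)  # the "directory" Check() scans
    last_rx: Optional[float] = None
    discarded: int = 0
    forwarded: List[str] = field(default_factory=list)

    def on_packet(self, now: float, terminal_id: str, name: str, data: bytes) -> bool:
        """Steps 501-503: accept only on the external network, only from an authorized terminal."""
        if self.switch.connected_to != "extranet":
            raise RuntimeError("external data arrived while connected to the intranet")
        if terminal_id not in self.authorized_terminals:
            self.discarded += 1            # illegitimate terminal: packet is discarded
            return False
        self.pending[name] = data          # intermediate-driver decryption assumed done here
        self.last_rx = now
        return True

    def tick(self, now: float) -> List[str]:
        """Timer callback (Check()): steps 504-507 once the link has been idle long enough."""
        if not self.pending or self.last_rx is None or now - self.last_rx < IDLE_TIMEOUT_S:
            return []
        if not self.processes_trusted():
            return []                      # untrusted process present: do not switch
        self.switch.open_usb()             # step 505
        sent: List[str] = []
        try:
            for name in sorted(self.pending):
                assert self.switch.connected_to == "intranet"
                self.forward(name, self.pending[name])   # step 506: send()
                sent.append(name)
            for name in sent:
                del self.pending[name]     # File.Delete() after sending
        finally:
            self.switch.close_usb()        # step 507, even if forwarding failed
        self.forwarded.extend(sent)
        return sent
```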
Embodiment eight
Fig. 11 is a schematic structural diagram of a data one-way transmission system provided by embodiment eight of the present invention. As shown in Fig. 11, the system comprises an external terminal 1, an intermediate machine 2 and an intranet server 3.
The external terminal 1 is configured to download a data packet to be transmitted from the external network, perform encryption transformation on the data packet at the data link layer through the intermediate driver to obtain a first data packet, and send the first data packet to the intermediate machine through the external network connection.
The intermediate machine 2 is configured to receive the first data packet, switch the network connection from the external network connection to the intranet connection after receiving the first data packet, decrypt the first data packet using the intermediate driver to obtain the data packet to be transmitted, and forward the data packet to be transmitted to the intranet server through the intranet connection.
The intranet server 3 is configured to receive the data packet to be transmitted sent by the intermediate machine through the intranet connection.
In this embodiment, after the intermediate machine receives the external network data packet, the network is switched from the external network to the intranet, so that data is transmitted from the external network to the intranet. The intermediate driver is installed on the external terminal and on the intermediate machine but not on the intranet server, so data sent from the intranet server to the intermediate machine cannot be transmitted, which ensures the one-way property of data transmission from the external network to the intranet; in addition, the data packet is symmetrically encrypted by the intermediate driver during this one-way transmission, which ensures data security.
Embodiment nine
Fig. 12 is a schematic structural diagram of a data one-way transmission system provided by embodiment nine of the present invention. As shown in Fig. 12, the system comprises the external terminal 1, the intermediate machine 2 and the intranet server 3 of embodiment eight above.
The external terminal 1 comprises: a download module 11, an encryption module 12 and a sending module 13.
The download module 11 is configured to download the data packet to be transmitted from the external network.
The encryption module 12, connected to the download module 11, is configured to perform encryption transformation on the data packet to be transmitted at the data link layer through the intermediate driver to obtain the first data packet.
The sending module 13, connected to the encryption module 12, is configured to send the first data packet to the intermediate machine through the external network connection.
The intermediate machine 2 comprises: a first receiving module 21, a switching module 22, a decryption module 23 and a forwarding module 24.
The first receiving module 21, connected to the sending module 13, is configured to receive the first data packet sent by the sending module 13.
The switching module 22, connected to the first receiving module 21, is configured to switch the network connection from the external network connection to the intranet connection after the first data packet has been received.
The decryption module 23, connected to the switching module 22, is configured to decrypt the first data packet using the intermediate driver to obtain the data packet to be transmitted.
The forwarding module 24, connected to the decryption module 23, is configured to forward the data packet to be transmitted to the intranet server through the intranet connection.
The intranet server 3 comprises:
A second receiving module 31, connected to the forwarding module 24, configured to receive the data packet to be transmitted sent by the forwarding module 24 through the intranet connection.
In this embodiment, after the intermediate machine receives the external network data packet, the network is switched from the external network to the intranet, so that data is transmitted from the external network to the intranet. The intermediate driver is installed on the external terminal and on the intermediate machine but not on the intranet server, so data sent from the intranet server to the intermediate machine cannot be transmitted, which ensures the one-way property of data transmission from the external network to the intranet; in addition, the data packet is symmetrically encrypted by the intermediate driver during this one-way transmission, which ensures data security.
Embodiment ten
Fig. 13 is a schematic structural diagram of a data one-way transmission system provided by embodiment ten of the present invention. As shown in Fig. 13, on the basis of the above embodiments, the encryption module 12 is further configured to perform Advanced Encryption Standard (AES) encryption on the data packet to be transmitted before performing encryption transformation on it at the data link layer through the intermediate driver to obtain the first data packet.
When the encryption module 12 performs AES encryption on the data packet to be transmitted, correspondingly, the intranet server 3 further comprises: an AES decryption module 32, configured to perform AES decryption on the data packet to be transmitted received from the forwarding module 24.
Further, the external terminal 1 also comprises: a first verification module 14, configured to obtain, after the data packet to be transmitted has been downloaded from the external network, the serial number of the hard disk currently in operation, judge by the serial number whether the running environment of the external terminal is secure, and, if the judgment result is no, stop the external terminal 1 from running.
Further, the first verification module 14 is specifically configured to obtain the Message Digest Algorithm 5 (MD5) value of the serial number, compare this MD5 value with the pre-stored MD5 values of the authorized hard-disk serial numbers, and judge that the running environment is insecure if the MD5 value is not identical to the MD5 value of any authorized hard-disk serial number.
Further, the intermediate machine also comprises: a network cable switch 25, configured to switch between the external network and the intranet according to the control command sent by the switching module 22. In this embodiment, the network cable switch 25 is connected through its switch to the external network cable and to the intranet cable respectively, and is connected to the switching module 22. When the network cable switch 25 is connected to the external network cable, the sending module 13 is connected to the first receiving module 21, so that the sending module 13 can send the first data packet to the first receiving module 21. When the network cable switch 25 is connected to the intranet cable, the forwarding module 24 is connected to the second receiving module 31, so that the forwarding module 24 can forward the first data packet to the second receiving module 31.
The switching module 22 is specifically configured to judge that reception of the first data packet is complete if no data is received from the external terminal within a preset duration, and to send a control instruction to the network cable switch 25 instructing the network cable switch 25 to switch from the external network connection to the intranet connection.
Further, the sending module 13 is specifically configured to divide the first data packet into groups and number them, and to send the groups of the first data packet to the first receiving module 21 through the external network connection in the order of the numbering;
The first receiving module 21, connected to the sending module 13, is further configured to combine the groups according to the numbering after all groups have been received, so as to obtain the first data packet.
Further, the intermediate machine also comprises: a second verification module 26, configured to obtain the running processes before the switching module 22 switches the network connection from the external network connection to the intranet connection, compare the running processes with the trusted processes in the pre-stored white list, and stop any running process that the trusted processes do not include.
Further, the switching module 22 is also configured to switch the network connection back from the intranet connection to the external network connection after the forwarding module 24 has sent the data packet to be transmitted to the intranet server 3 through the intranet connection.
In this embodiment, after the intermediate machine receives the external network data packet, the network is switched from the external network to the intranet, so that data is transmitted from the external network to the intranet. The intermediate driver is installed on the external terminal and on the intermediate machine but not on the intranet server, so data sent from the intranet server to the intermediate machine cannot be transmitted, which ensures the one-way property of data transmission from the external network to the intranet; in addition, the data packet is symmetrically encrypted by the intermediate driver during this one-way transmission, which ensures data security.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (17)
1. a data unidirectional transmission method, is characterized in that, comprising:
Outer network termination downloads data to be transferred bag from outer net, is encrypted conversion obtains the first packet by intermediate drivers in data link layer to described data to be transmitted bag, and is connected described first Packet Generation to middle machine by outer net;
After described middle machine receives described first packet, network is connected and switches to Intranet connection from outer net connection, and adopt described intermediate drivers to be decrypted described first packet to obtain described data to be transferred bag, connected described data to be transferred Packet forwarding to intranet server by described Intranet.
2. data unidirectional transmission method according to claim 1, is characterized in that, described outer network termination to be encrypted before conversion obtains the first packet by intermediate drivers in data link layer to described data to be transferred bag, also comprise:
Described outer network termination carries out Advanced Encryption Standard AES encryption to described data to be transferred bag;
Described middle machine to connect described data to be transferred Packet forwarding to after intranet server by described Intranet, also comprises:
Described intranet server carries out the deciphering of AES confusion to described data to be transferred bag.
3. data unidirectional transmission method according to claim 2, is characterized in that, described outer network termination, from after outer net downloads data to be transferred bag, also comprises:
Described outer network termination obtains the sequence number of the hard disk of current operation;
Described outer network termination judges the running environment whether safety of self by described sequence number;
If judged result is no, described outer network termination is out of service.
4. data unidirectional transmission method according to claim 3, is characterized in that, network, after receiving described first data, connects and switches to Intranet connection from outer net connection, comprise by described middle machine:
If do not receive data from described outer network termination in preset duration, described middle machine judges that described first receives data packets completes;
Described middle machine, to netting twine switch sending controling instruction, indicates described netting twine switch to connect from described outer net and is switched to the connection of described Intranet.
5. the data unidirectional transmission method according to any one of claim 1-4, is characterized in that, described first Packet Generation is given middle machine by outer net connection by described outer network termination, comprising:
Described first packet carries out dividing into groups and numbering by described outer network termination;
The grouping of described first packet is sent to described middle machine according to the order of described numbering by outer net connection by described outer network termination;
Grouping is carried out combination according to described numbering and is obtained described first packet by described middle machine after receiving all groupings.
6. the data unidirectional transmission method according to any one of claim 1-4, is characterized in that, described middle machine also comprises before controlling that network connection is switched to Intranet connection from outer net connection:
Described middle machine obtains the process run, and the described process run is compared with trusted process in the white list that prestores;
The process run described in if described trusted process does not comprise, the process that described middle machine will run described in out of service.
7. The data unidirectional transmission method according to claim 3, characterized in that the outer-net terminal judging from the serial number whether its own running environment is safe comprises:
the outer-net terminal obtains the Message Digest 5 (MD5) value of the serial number;
the outer-net terminal compares the MD5 value with the pre-stored MD5 values of the authorized hard disk serial numbers;
if the MD5 value is identical to none of the MD5 values of the authorized hard disk serial numbers, the outer-net terminal judges that its own running environment is unsafe.
8. The data unidirectional transmission method according to any one of claims 1-4, characterized in that, after the middle machine forwards the packet to be transferred to the intranet server over the intranet connection, the method further comprises:
the middle machine switches the network connection back from the intranet connection to the outer-net connection.
9. A data unidirectional transmission system, characterized by comprising:
an outer-net terminal, for downloading a packet to be transferred from the outer net, performing encrypted conversion of the packet to be transferred at the data link layer through an intermediate driver to obtain a first packet, and sending the first packet to a middle machine over an outer-net connection;
the middle machine, for receiving the first packet, switching the network connection from the outer-net connection to an intranet connection after the first packet has been received, decrypting the first packet using the intermediate driver to obtain the packet to be transferred, and forwarding the packet to be transferred to an intranet server over the intranet connection;
the intranet server, for receiving the packet to be transferred sent by the middle machine over the intranet connection.
10. The data unidirectional transmission system according to claim 9, characterized in that
the outer-net terminal comprises:
a download module, for downloading the packet to be transferred from the outer net;
an encrypting module, for performing encrypted conversion of the packet to be transferred at the data link layer through the intermediate driver to obtain the first packet;
a sending module, for sending the first packet to the middle machine over the outer-net connection;
the middle machine comprises:
a first receiving module, for receiving the first packet sent by the sending module;
a switching module, for switching the network connection from the outer-net connection to the intranet connection after the first packet has been received;
a decrypting module, for decrypting the first packet using the intermediate driver to obtain the packet to be transferred;
a forwarding module, for forwarding the packet to be transferred to the intranet server over the intranet connection;
the intranet server comprises:
a second receiving module, for receiving the packet to be transferred sent by the forwarding module over the intranet connection.
11. The data unidirectional transmission system according to claim 10, characterized in that the encrypting module is further configured to perform Advanced Encryption Standard (AES) encryption on the packet to be transferred before performing the encrypted conversion at the data link layer through the intermediate driver to obtain the first packet;
the intranet server further comprises an AES decryption module, for performing AES decryption on the packet to be transferred received from the forwarding module.
12. The data unidirectional transmission system according to claim 11, characterized in that the outer-net terminal further comprises a first authentication module, for obtaining, after the packet to be transferred has been downloaded from the outer net, the serial number of the currently running hard disk, judging from the serial number whether the running environment of the outer-net terminal is safe, and, if the judgment is negative, stopping the outer-net terminal.
13. The data unidirectional transmission system according to claim 12, characterized in that the middle machine further comprises a network cable switch, for switching between the outer net and the intranet according to a control instruction sent by the switching module;
the switching module is specifically configured to judge, if no data is received from the outer-net terminal within a preset duration, that reception of the first packet is complete, and to send a control instruction to the network cable switch instructing it to switch from the outer-net connection to the intranet connection.
14. The data unidirectional transmission system according to any one of claims 10-13, characterized in that the sending module is specifically configured to divide the first packet into groups and number them, and to send the groups of the first packet to the first receiving module over the outer-net connection in the order of the numbering;
the first receiving module is further configured to combine the groups according to the numbering after receiving all the groups, to obtain the first packet.
15. The data unidirectional transmission system according to any one of claims 10-13, characterized in that the middle machine further comprises a second authentication module, for obtaining the running processes before the switching module controls the network connection to switch from the outer-net connection to the intranet connection, comparing the running processes with the trusted processes in a pre-stored whitelist, and, if the trusted processes do not include a running process, stopping that running process.
16. The data unidirectional transmission system according to claim 12, characterized in that the first authentication module is specifically configured to obtain the Message Digest 5 (MD5) value of the serial number, compare the MD5 value with the pre-stored MD5 values of the authorized hard disk serial numbers, and, if the MD5 value is identical to none of the MD5 values of the authorized hard disk serial numbers, judge that the running environment of the outer-net terminal is unsafe.
17. The data unidirectional transmission system according to any one of claims 10-13, characterized in that the switching module is further configured to switch the network connection back from the intranet connection to the outer-net connection after the forwarding module has sent the packet to be transferred to the intranet server over the intranet connection.
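A constructed Python model of the control flow that claims 3 to 17 describe, added here as an illustration and not taken from the patent: numbered grouping and reassembly of the first packet, the idle-timeout rule that flips a single cable switch between outer net and intranet, and the disk-serial MD5 allowlist. The group size, timeout, sample serial and the contiguous-numbering check are assumptions; the link-layer and AES encryption, the process whitelist and the physical switch are not modelled.

```python
"""Constructed model of the control logic in claims 3-17; not the patent's code.
Link-layer and AES encryption and the physical cable switch are not modelled."""
import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 4       # constructed group size; the patent fixes none
IDLE_TIMEOUT = 2.0   # seconds without data before "reception complete" (claim 4)
# constructed allowlist: MD5 of one authorized disk serial (claims 7/16)
AUTHORIZED_MD5S = {hashlib.md5(b"SERIAL-CONSTRUCTED-001").hexdigest()}

def serial_authorized(disk_serial: str, authorized_md5s: set) -> bool:
    """Claims 7/16: MD5 of the running disk's serial must match a stored MD5."""
    return hashlib.md5(disk_serial.encode()).hexdigest() in authorized_md5s

def split_numbered(packet: bytes, size: int = CHUNK_SIZE) -> list:
    """Claims 5/14: divide the first packet into groups and number them in order."""
    return [(i, packet[o:o + size]) for i, o in enumerate(range(0, len(packet), size))]

@dataclass
class MiddleMachine:
    """Holds exactly one link at a time, like the cable switch in claims 4/13."""
    link: str = "outer"
    groups: dict = field(default_factory=dict)
    last_rx: float = 0.0
    pending: bytes = b""

    def receive(self, now: float, idx: int, chunk: bytes) -> None:
        """Groups may arrive in any order; each is stored under its number."""
        if self.link != "outer":
            raise RuntimeError("outer-net link is down while connected to intranet")
        self.groups[idx] = chunk
        self.last_rx = now

    def tick(self, now: float) -> bool:
        """Idle for IDLE_TIMEOUT: reassemble by number and flip to the intranet.
        Assumption: a transfer is complete only if numbers form 0..n-1 with no gap."""
        if self.link != "outer" or not self.groups or now - self.last_rx < IDLE_TIMEOUT:
            return False
        if sorted(self.groups) != list(range(len(self.groups))):
            self.groups.clear()       # gap in numbering: discard, never forward
            return False
        self.pending = b"".join(self.groups[i] for i in range(len(self.groups)))
        self.groups.clear()
        self.link = "intranet"
        return True

    def forward(self) -> bytes:
        """Claims 8/17: hand the packet to the intranet server, then switch back."""
        if self.link != "intranet" or not self.pending:
            raise RuntimeError("nothing to forward on the intranet link")
        packet, self.pending = self.pending, b""
        self.link = "outer"
        return packet
```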
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410601381.9A CN104486289B (en) | 2014-10-30 | 2014-10-30 | Data unidirectional transmission method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104486289A true CN104486289A (en) | 2015-04-01 |
CN104486289B CN104486289B (en) | 2017-09-29 |
Family
ID=52760793
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410601381.9A Expired - Fee Related CN104486289B (en) | 2014-10-30 | 2014-10-30 | Data unidirectional transmission method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104486289B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105577695A (en) * | 2016-02-24 | 2016-05-11 | 上海卓繁信息技术股份有限公司 | Automatic control data exchange device and control method for control system thereof |
CN106790151A (en) * | 2016-12-29 | 2017-05-31 | 中铁信安(北京)信息安全技术有限公司 | A kind of data isolation Transmission system and method |
CN108040122A (en) * | 2017-12-26 | 2018-05-15 | 迈普通信技术股份有限公司 | Document transmission method and device |
CN108777681A (en) * | 2018-05-29 | 2018-11-09 | 中国人民解放军91977部队 | Network data unidirectional transmission control method based on NDIS filtration drives |
CN108846278A (en) * | 2018-07-10 | 2018-11-20 | 北京网藤科技有限公司 | A kind of USB security isolation equipment and its partition method |
CN109639708A (en) * | 2018-12-28 | 2019-04-16 | 东莞见达信息技术有限公司 | Deep learning data access control method and device |
CN110557251A (en) * | 2019-09-27 | 2019-12-10 | 武汉控安融科技有限公司 | Industrial data safety isolation acquisition system and internal and external network data one-way transmission method |
CN110674509A (en) * | 2019-07-30 | 2020-01-10 | 浙江华云信息科技有限公司 | System for realizing cross-network high-frequency data secure transmission and working method thereof |
CN111031196A (en) * | 2019-12-25 | 2020-04-17 | 普世(南京)智能科技有限公司 | Low-power-consumption one-way feedback-free image transmission method and system based on mark frame |
CN113411335A (en) * | 2021-06-18 | 2021-09-17 | 滁州学院 | Network security monitoring system based on big data |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101640595A (en) * | 2008-07-28 | 2010-02-03 | 联想(北京)有限公司 | Method, device and system for controlling switching of isolation card |
CN101645876A (en) * | 2008-08-04 | 2010-02-10 | 中国测绘科学研究院 | Automatic network switching method and system |
CN101753553A (en) * | 2008-12-08 | 2010-06-23 | 北京财富天湖科技有限公司 | Safety isolating and message switching system and method |
CN101883083A (en) * | 2009-05-08 | 2010-11-10 | 杨宏桥 | Inside and outside network isolator and application method thereof in hospital |
CN102664896A (en) * | 2012-04-28 | 2012-09-12 | 郑州信大捷安信息技术股份有限公司 | Safety network transmission system and method based on hardware encryption |
CN103166933A (en) * | 2011-12-15 | 2013-06-19 | 北京天行网安信息技术有限责任公司 | System and method for data safe exchange |
Also Published As
Publication number | Publication date |
---|---|
CN104486289B (en) | 2017-09-29 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170929 |