
CN117201022B - Method for constructing encrypted communication network system based on WireGuard - Google Patents


Info

Publication number
CN117201022B
CN117201022B (application CN202311172054.1A)
Authority
CN
China
Prior art keywords
key
algorithm
wireguard
encryption
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311172054.1A
Other languages
Chinese (zh)
Other versions
CN117201022A (en)
Inventor
程伟
林兵
刘纯纯
王永君
吴伟斌
夏永涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unicom Guangdong Industrial Internet Co Ltd
Original Assignee
China Unicom Guangdong Industrial Internet Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
  • Application filed by China Unicom Guangdong Industrial Internet Co Ltd
  • Priority to CN202311172054.1A
  • Publication of CN117201022A
  • Application granted
  • Publication of CN117201022B
  • Legal status: Active
  • Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method for constructing an encrypted communication network system based on WireGuard, comprising the following steps: building a terminal based on WireGuard; generating a first key algorithm program for the terminal; carrying out handshake communication between the terminals and generating a second key algorithm program for the terminals; and configuring the terminal with the first key algorithm program and the second key algorithm program. By combining WireGuard with the Chinese national commercial cryptographic algorithms (the SM series) and configuring the terminal accordingly, the encryption and decryption algorithms in the encrypted communication network system meet domestic requirements while providing efficient, high-security network communication, which addresses the problem that conventional encryption algorithms cannot achieve efficient encryption while ensuring security.

Description

Method for constructing encrypted communication network system based on WireGuard
Technical Field
The invention relates to the technical field of computer network communication, in particular to a method for constructing an encrypted communication network system based on WireGuard.
Background
With the development of network communication technology, the security of network communication has become a link that cannot be ignored. How to provide a secure and efficient communication path is a concern for those skilled in the art, and increasingly stringent security requirements are being imposed, especially in government, finance, medicine and other fields that handle confidential or high-value information.
Currently, the security of network communication is generally improved through encryption algorithms, of which the prior art offers two kinds. The first is symmetric encryption: each terminal in the communication network system is configured with a symmetric key, and a communication key is configured between each pair of terminals that communicate with each other. This approach computes quickly, consumes little energy and places low demands on the computing capability of the terminals, but its security is poor. The second is asymmetric encryption: each terminal is configured with an asymmetric key pair, and a communication key is configured between each pair of communicating terminals. This approach offers good security and strong authenticability, but it places higher demands on the computing capability of the terminals, computes slowly and consumes more energy.
Therefore, existing encryption algorithms cannot achieve efficient encryption while ensuring security.
Disclosure of Invention
The invention aims to provide a method for constructing an encrypted communication network system based on WireGuard that solves the problem that existing encryption algorithms cannot achieve efficient encryption while ensuring security.
To solve this technical problem, the invention provides a method for constructing an encrypted communication network system based on WireGuard, comprising the following steps:
building a terminal based on WireGuard;
generating a first key algorithm program for the terminal;
carrying out handshake communication between the terminals and generating a second key algorithm program for the terminals;
configuring the terminal with the first key algorithm program and the second key algorithm program.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for generating the first key algorithm program of the terminal comprises:
obtaining a first public key, a first private key and a first shared key using WireGuard's own encryption algorithm;
replacing WireGuard's own encryption algorithm with a first key algorithm program based on the national cryptographic algorithms, the first key algorithm program comprising a first public/private key generation algorithm and a first shared key generation algorithm;
using the first key algorithm program to replace the first public key with a second public key, the first private key with a second private key and the first shared key with a second shared key.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, WireGuard's own encryption algorithm is Curve25519, and the first public key, the first private key and the first shared key are each 32 bytes long; the national cryptographic algorithm is SM2, and the second public key is 64 bytes, the second private key 32 bytes and the second shared key 64 bytes long.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for replacing WireGuard's own encryption algorithm with the first key algorithm program based on the national cryptographic algorithm comprises:
randomly generating a first private key using WireGuard's own encryption algorithm;
calling a generation library of the national cryptographic algorithm to generate the second public key corresponding to the first private key;
replacing the first public key in WireGuard's own encryption algorithm with the second public key;
changing the inputs of the negotiation function in WireGuard's own encryption algorithm to the second public key and the second private key, and changing the negotiation algorithm to the point multiplication of one communicating terminal's second private key with the other communicating terminal's second public key.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for carrying out handshake communication between the terminals and generating the second key algorithm program of the terminals comprises:
obtaining the handshake initiation packet and the handshake response packet;
modifying the sizes of the handshake initiation packet and the handshake response packet using the first key algorithm program;
carrying out key negotiation and handshake communication with the resized handshake initiation packet and handshake response packet, and generating the second key algorithm program.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for generating the second key algorithm program comprises:
obtaining a third key using WireGuard's own communication encryption algorithm;
replacing the third key with a fourth key based on the national cryptographic communication encryption algorithm.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, WireGuard's own communication encryption algorithm is ChaCha20-Poly1305 and the third key is 32 bytes long; the national cryptographic communication encryption algorithm is SM4 and the fourth key is 16 bytes long. The method for replacing the third key with the fourth key based on the national cryptographic communication encryption algorithm comprises:
following the principle of minimal modification, taking half of the original byte array of the third key as the fourth key.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for configuring the terminal with the first key algorithm program and the second key algorithm program comprises:
dividing the virtual network segments of the terminals according to the actual physical network environment, and constructing the network topology of the terminals;
deploying and running the first key algorithm program and the second key algorithm program on each node;
creating a virtual network interface on each node and assigning it a virtual IP address;
configuring WireGuard.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for dividing the virtual network segments of the terminals according to the actual physical network environment comprises:
dividing large segments according to the location of the servers and the condition of the physical network;
dividing small segments, smaller than the large segments, according to the different functions of the servers and the objects they serve.
Optionally, in the method for constructing a WireGuard-based encrypted communication network system, the method for configuring WireGuard comprises:
configuring the WireGuard network interface;
configuring the WireGuard public key, private key and configuration file so that the public key is the second public key and the private key is the second private key;
applying the configuration file and creating the tunnel connection.
The invention provides a method for constructing an encrypted communication network system based on WireGuard, comprising the following steps: building a terminal based on WireGuard; generating a first key algorithm program for the terminal; carrying out handshake communication between the terminals and generating a second key algorithm program for the terminals; and configuring the terminal with the first key algorithm program and the second key algorithm program. By combining WireGuard with the national cryptographic algorithms and configuring the terminal accordingly, the encryption and decryption algorithms in the encrypted communication network system meet domestic requirements while providing efficient, high-security network communication, which solves the problem that conventional encryption algorithms cannot achieve efficient encryption while ensuring security.
Drawings
Fig. 1 is a flowchart of the method for constructing a WireGuard-based encrypted communication network system according to the present embodiment;
Fig. 2 is a schematic diagram of key negotiation and handshake communication using the handshake initiation packet and the handshake response packet according to the present embodiment;
Fig. 3 is a logic diagram of the method for constructing a WireGuard-based encrypted communication network system according to the present embodiment.
Detailed Description
The method for constructing a WireGuard-based encrypted communication network system provided by the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the drawings are in a greatly simplified form and not to precise scale, and serve only to aid the description of the embodiments conveniently and clearly. Furthermore, the structures shown in the drawings are often only part of the actual structures, and different drawings emphasise different aspects of the embodiments.
It is noted that "first", "second", etc. in the description, the claims and the drawings are used to distinguish similar objects for the purpose of describing the embodiments, not to denote a specific order or sequence; it should be understood that the objects so designated may be interchanged where appropriate. Furthermore, the terms "comprises", "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus.
WireGuard is an emerging open-source VPN tool with the advantages of high speed, high performance, simple configuration and safe use. Compared with other common VPN protocols it has a smaller code base, higher speed, lower system resource consumption, a simpler architecture and safer encryption. Its compact packet format and efficient handshake mechanism raise network speed and efficiency, and its key management scheme completes handshakes and communication faster.
The national cryptographic algorithms are a series of cryptographic standards issued by the State Cryptography Administration of China, that is, domestic cryptographic algorithms recognised by that administration, also called commercial cryptography (a term covering the technology that implements encryption, decryption, authentication and other functions with the commercial cryptographic algorithms). They protect information in transit in government, finance, medicine and other fields. The series comprises SM1, SM2, SM3, SM4, SM7, SM9, ZUC and other algorithms.
On this basis, the present embodiment provides a method for constructing an encrypted communication network system based on WireGuard, comprising:
S1, building a terminal based on WireGuard;
S2, generating a first key algorithm program for the terminal;
S3, carrying out handshake communication between the terminals and generating a second key algorithm program for the terminals;
S4, configuring the terminal with the first key algorithm program and the second key algorithm program.
In this method, WireGuard is combined with the national cryptographic algorithms and the terminal is configured accordingly, so that the encryption and decryption algorithms in the encrypted communication network system meet domestic requirements while providing efficient, high-security network communication, which solves the problem that conventional encryption algorithms cannot achieve efficient encryption while ensuring security.
Specifically, in this embodiment the key generated by the first key algorithm program is an asymmetric key and the key generated by the second key algorithm program is a symmetric key. Asymmetric encryption is generally not applied directly to the communication traffic, but it offers better security, so in this embodiment the first key algorithm program produces an asymmetric key in order to improve the security of the encrypted communication network system. Symmetric encryption is generally applied to the communication traffic itself, since it computes quickly and consumes little energy, so in this embodiment the second key algorithm program produces a symmetric key in order to improve the operating efficiency of the encrypted communication network system. Combining asymmetric and symmetric encryption in this way improves the operating efficiency of the system while ensuring the security of the communication.
It should be noted that in practice other steps may be added between the steps of the method to add or improve functions. Technical solutions that add other steps without departing from the gist of the application also fall within its scope of protection.
In this embodiment, step S1 builds a terminal based on WireGuard. Specifically, the terminal may be any electronic product with network communication capability, such as a desktop computer, a laptop or a mobile phone, and building the terminal based on WireGuard means installing WireGuard on the terminal so that the terminal can use its encryption technology in network communication. How WireGuard is installed is well known to those skilled in the art and is not described here.
Further, in this embodiment, step S2, the method for generating the first key algorithm program of the terminal comprises:
S21, obtaining a first public key, a first private key and a first shared key using WireGuard's own encryption algorithm;
S22, replacing WireGuard's own encryption algorithm with a first key algorithm program based on the national cryptographic algorithm, the first key algorithm program comprising a first public/private key generation algorithm and a first shared key generation algorithm;
S23, using the first key algorithm program to replace the first public key with the second public key, the first private key with the second private key and the first shared key with the second shared key.
Specifically, in this embodiment WireGuard's own encryption algorithm is Curve25519, where the first public key, the first private key and the first shared key are each 32 bytes long; the national cryptographic algorithm is SM2, where the second public key is 64 bytes, the second private key 32 bytes and the second shared key 64 bytes long. The difference in width comes from the encoding: a Curve25519 public key and shared secret are each a single 32-byte x-coordinate, whereas an SM2 public key and the SM2 shared point are transmitted as both coordinates, x followed by y, each 32 bytes.
Both Curve25519 and SM2 are asymmetric elliptic-curve algorithms; SM2 comprises digital signature, key exchange, public key encryption and so on. Both algorithms are well known to those skilled in the art, and only the differences from the prior art are described in detail in this application; the rest can be learned from the prior art and is not described here.
In this embodiment, the SM2 encryption algorithm is implemented based on the following elliptic curve:
In this embodiment, the method for replacing WireGuard's own encryption algorithm with the first key algorithm program based on the national cryptographic algorithm is as follows. First, a large random number d is generated as the 32-byte first private key using WireGuard's own encryption algorithm (Curve25519). Then the generation library of the national cryptographic algorithm (SM2) is called to generate the second public key corresponding to d, that is, the 64-byte SM2 public key derived from d. Next, the second public key replaces the first public key in WireGuard's own Curve25519 code: the 32-byte first private key d and the 64-byte second public key become the return values of WireGuard's key-generation function in place of the Curve25519 values. Finally, when the shared key is negotiated, the inputs of the negotiation function in WireGuard's own Curve25519 code are changed to the second public key and the second private key, that is, to the SM2 key pair, and the negotiation algorithm is changed to the point multiplication of one party's second private key with the other party's second public key, that is, each party multiplies its own private key into the peer's public key.
In this embodiment WireGuard's own encryption algorithm is Curve25519 and the national cryptographic algorithm is SM2. Of course, in other embodiments other WireGuard algorithms and other national cryptographic algorithms may be adopted; the replacement principle and core idea are the same, namely to replace the public/private key generation function and its return values, although the key negotiation algorithm differs slightly between algorithms, and in the end both parties must obtain the same negotiated key value by calculation. For example, SM2 in this embodiment may be replaced by SM9, which is computationally more complex and therefore increases the computational load and lowers the efficiency of the encrypted communication network system.
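The replacement described in the two paragraphs above, as an added example that is not code from the patent, from China Unicom or from WireGuard: SM2 key generation and the point-multiplication negotiation d_A·Q_B = d_B·Q_A, written in Python with only the standard library so that it runs without an SM2 library. It assumes the SM2 recommended curve of GB/T 32918 (the description does not print the curve parameters) and adds two checks the description does not mention: the private key is drawn from [1, n-1] rather than taken as an arbitrary 32-byte string, which Curve25519 tolerates but SM2 does not, and a peer's 64-byte public key is verified to lie on the curve before it is multiplied, the standard defence against invalid-curve attacks. The function names sm2_keypair and sm2_negotiate are illustrative.

```python
"""Added example (not the patent's or WireGuard's code): SM2 key generation and
the point-multiplication key agreement that the description substitutes for
Curve25519, using only the standard library (no SM2 library required)."""
import secrets

# Assumed curve: the SM2 recommended curve y^2 = x^3 + a*x + b over F_p (GB/T 32918).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity


def on_curve(pt):
    """The check a receiver needs before multiplying a peer-supplied public key:
    both coordinates in F_p and the point actually on the curve."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Textbook affine addition/doubling (not constant time: a demonstration)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, pt):
    """k * pt by double-and-add."""
    r = INF
    for bit in bin(k)[2:]:
        r = point_add(r, r)
        if bit == "1":
            r = point_add(r, pt)
    return r


def random_private_key():
    """d uniform in [1, n-1]. An arbitrary 32-byte string, which Curve25519 accepts
    as a private key, can be >= n and is not a valid SM2 private key."""
    return 1 + secrets.randbelow(N - 1)


def sm2_keypair(d):
    """32-byte private key and 64-byte x||y public key: the widths the description
    gives for the second private key and the second public key."""
    if not 1 <= d < N:
        raise ValueError("private key outside [1, n-1]")
    x, y = scalar_mult(d, G)
    return d.to_bytes(32, "big"), x.to_bytes(32, "big") + y.to_bytes(32, "big")


def sm2_negotiate(priv, peer_pub):
    """The substituted negotiation function: own private key times the peer's
    public key, returned as the 64-byte point x||y (the second shared key)."""
    if len(peer_pub) != 64:
        raise ValueError("SM2 public key must be 64 bytes (x || y)")
    q = (int.from_bytes(peer_pub[:32], "big"), int.from_bytes(peer_pub[32:], "big"))
    if not on_curve(q):
        raise ValueError("peer public key is not a point on the SM2 curve")
    s = scalar_mult(int.from_bytes(priv, "big"), q)
    if s is INF:
        raise ValueError("shared point is the point at infinity")
    return s[0].to_bytes(32, "big") + s[1].to_bytes(32, "big")


if __name__ == "__main__":
    priv_a, pub_a = sm2_keypair(random_private_key())
    priv_b, pub_b = sm2_keypair(random_private_key())
    shared_a = sm2_negotiate(priv_a, pub_b)
    shared_b = sm2_negotiate(priv_b, pub_a)
    print(len(pub_a), len(priv_a), len(shared_a), shared_a == shared_b)
```

Running the module prints the three lengths 64, 32 and 64, matching the second public key, second private key and second shared key of the description, and confirms that both sides derive the same point. The arithmetic is variable-time and is meant to make the substitution concrete, not to be dropped into a tunnel implementation.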
After each WireGuard terminal has generated its own public and private keys, handshake communication begins. In this embodiment, step S3, the method for carrying out handshake communication between the terminals and generating the second key algorithm program of the terminals comprises:
S31, obtaining the handshake initiation packet and the handshake response packet.
Specifically, in this embodiment the handshake initiation packet MessageInitiation is 148 bytes and the handshake response packet MessageResponse is 92 bytes. Their structures are as follows (Type is a 1-byte message type plus 3 reserved bytes; Static and Timestamp are AEAD-encrypted, so each carries a 16-byte authentication tag in addition to the 32-byte static key and the 12-byte timestamp; Empty is the AEAD encryption of no plaintext, that is, a bare 16-byte tag):
Handshake initiation packet MessageInitiation, structure and size:
  Type   Sender  Ephemeral  Static  Timestamp  MAC1    MAC2
  4Byte  4Byte   32Byte     48Byte  28Byte     16Byte  16Byte
Handshake response packet MessageResponse, structure and size:
  Type   Sender  Receiver  Ephemeral  Empty   MAC1    MAC2
  4Byte  4Byte   4Byte     32Byte     16Byte  16Byte  16Byte
S32, changing the sizes of the handshake initiation packet and the handshake response packet using the first key algorithm program.
Because the public keys of SM2 and Curve25519 differ in length, and the handshake packets carry the public keys of the algorithm in use, the lengths of the handshake packets differ as well and must be changed accordingly.
Specifically, in this embodiment Ephemeral in MessageInitiation is the ephemeral public key and Static is the (encrypted) fixed public key. Both are changed from Curve25519 to SM2, so Ephemeral grows from 32 bytes to 64 bytes and Static, which carries the encrypted static key plus its 16-byte authentication tag, grows from 48 bytes to 80 bytes. The modified structures and sizes are as follows:
Modified handshake initiation packet MessageInitiation, structure and size: 
  Type   Sender  Ephemeral  Static  Timestamp  MAC1    MAC2
  4Byte  4Byte   64Byte     80Byte  28Byte     16Byte  16Byte
Modified handshake response packet MessageResponse, structure and size:
  Type   Sender  Receiver  Ephemeral  Empty   MAC1    MAC2
  4Byte  4Byte   4Byte     64Byte     16Byte  16Byte  16Byte
Comparing the structures and sizes of MessageInitiation and MessageResponse before and after the modification shows that the modified MessageInitiation is 212 bytes and the modified MessageResponse is 124 bytes. The Timestamp, Empty, MAC1 and MAC2 fields are unchanged, since their lengths do not depend on the public key length.
Of course, a different encryption algorithm changes the handshake packet sizes differently, so the configuration must be set according to the actual situation; a person skilled in the art can adapt the handshake packet sizes between algorithms according to the example provided in this application.
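To check the byte counts in the tables above, the following added example (not code from the patent or from WireGuard) computes the MessageInitiation and MessageResponse layouts from the public-key width and extracts fields from a constructed packet, refusing any packet whose total length does not match the layout it is parsed with. The field names follow the tables; the 16-byte AEAD tag, 12-byte timestamp and little-endian sender index are WireGuard's own conventions, and the sample packet is constructed here, not captured from a tunnel.

```python
"""Added example (not WireGuard's or the patent's code): the handshake message
layouts as a function of public-key width, so the 148/92 and 212/124 byte figures
can be checked, plus a length-strict field extractor over a constructed packet."""
import struct

AEAD_TAG = 16      # Poly1305 tag appended to every AEAD-encrypted field
TIMESTAMP = 12     # TAI64N timestamp; it is encrypted, so it carries a tag too
MAC = 16           # mac1 and mac2 are not encrypted and do not change width


def layout(fields):
    """Turn (name, length) pairs into {name: (offset, length)} in wire order."""
    out, offset = {}, 0
    for name, length in fields:
        out[name] = (offset, length)
        offset += length
    return out


def initiation_layout(pubkey_len):
    """MessageInitiation fields. Ephemeral is a bare public key; Static is the
    encrypted static public key plus tag; Timestamp is encrypted plus tag."""
    return layout([("Type", 4), ("Sender", 4), ("Ephemeral", pubkey_len),
                   ("Static", pubkey_len + AEAD_TAG), ("Timestamp", TIMESTAMP + AEAD_TAG),
                   ("MAC1", MAC), ("MAC2", MAC)])


def response_layout(pubkey_len):
    """MessageResponse fields. Empty is the AEAD encryption of no plaintext: a bare tag."""
    return layout([("Type", 4), ("Sender", 4), ("Receiver", 4), ("Ephemeral", pubkey_len),
                   ("Empty", AEAD_TAG), ("MAC1", MAC), ("MAC2", MAC)])


def size(fields):
    """Total message size: offset plus length of the last field."""
    offset, length = max(fields.values())
    return offset + length


def extract(packet, fields, name):
    """Return one field's bytes, refusing a packet whose length does not match the
    layout: a 148-byte Curve25519 initiation must not be parsed with SM2 offsets."""
    if len(packet) != size(fields):
        raise ValueError(f"packet is {len(packet)} bytes, layout needs {size(fields)}")
    offset, length = fields[name]
    return bytes(packet[offset:offset + length])


def build_initiation(fields, sender, ephemeral):
    """Constructed (not captured) initiation packet: type 1, little-endian sender
    index, the given ephemeral key; the encrypted fields and MACs are left zeroed."""
    packet = bytearray(size(fields))
    packet[0] = 1  # message type 1 = handshake initiation; bytes 1-3 are reserved
    struct.pack_into("<I", packet, fields["Sender"][0], sender)
    offset, length = fields["Ephemeral"]
    if len(ephemeral) != length:
        raise ValueError(f"ephemeral key must be {length} bytes for this layout")
    packet[offset:offset + length] = ephemeral
    return bytes(packet)


if __name__ == "__main__":
    for width, name in ((32, "Curve25519"), (64, "SM2")):
        print(f"{name}: initiation {size(initiation_layout(width))} B, "
              f"response {size(response_layout(width))} B")
    sm2 = initiation_layout(64)
    pkt = build_initiation(sm2, 7, b"\xaa" * 64)
    print(len(pkt), sm2["Static"], extract(pkt, sm2, "Static") == bytes(80))
```

The length check in extract is the practical consequence of the size change: a receiver modified for SM2 expects exactly 212- and 124-byte handshake messages, and an unmodified WireGuard peer sending 148- and 92-byte messages cannot interoperate with it.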
S33, carrying out key negotiation and handshake communication with the resized handshake initiation packet and handshake response packet, and generating the second key algorithm program.
The principle of key negotiation and handshake communication with the handshake initiation packet and the handshake response packet is shown in Fig. 2. Node A sends a handshake initiation packet MessageInitiation to node B to initiate the handshake; node B sends a handshake response packet MessageResponse back to node A; thereafter node A and node B exchange data. The specific implementation of key negotiation and handshake communication using these packets is well known to those skilled in the art and is not described in detail here.
In this embodiment, the method for generating the second key algorithm program comprises: obtaining a third key using WireGuard's own communication encryption algorithm; and replacing the third key with a fourth key based on the national cryptographic communication encryption algorithm.
Specifically, in this embodiment WireGuard's own communication encryption algorithm is ChaCha20-Poly1305, whose key (the third key) is 32 bytes long; the national cryptographic communication encryption algorithm is SM4, whose key (the fourth key) is 16 bytes long. Therefore, when the third key is replaced with the fourth key, the 32-byte third key must be reduced to 16 bytes. Following the principle of minimal modification, this embodiment takes half of the original byte array of the third key as the fourth key, for example 16 contiguous bytes of the third key. Two points deserve attention here: the transport keys WireGuard derives from the handshake are uniformly random key-derivation output, so 16 bytes taken from one are themselves a uniformly random 128-bit key; and SM4 on its own is a block cipher, whereas ChaCha20-Poly1305 is an authenticated cipher, so the mode of operation and the authentication tag that take the place of Poly1305 for the transport data are not specified by this description and must be chosen by the implementer.
Of course, if a different WireGuard communication encryption algorithm or a different national cryptographic communication encryption algorithm is selected, the way the third key is replaced with the fourth key also differs, but the principle is the same, and a person skilled in the art can adapt the replacement between algorithms according to the example provided in this application.
Further, in this embodiment, step S4, the method for configuring the terminal with the first key algorithm program and the second key algorithm program comprises:
S41, dividing the virtual network segments of the terminals according to the actual physical network environment, and constructing the network topology of the terminals.
Specifically, in this embodiment the virtual network segments are divided on the following basis:
(1) large segments are divided according to the location of the servers and the condition of the physical network;
(2) small segments, smaller than the large segments, are divided according to the different functions of the servers and the objects they serve.
Methods of constructing a network topology are well known to those skilled in the art, for example star, ring, bus, hybrid, distributed, tree, mesh or cellular topologies. Those skilled in the art should select a reasonable topology according to the actual communication requirements; its construction is not described in detail in this application.
S42, deploying and running the first key algorithm program and the second key algorithm program on each node. Since the first key algorithm program serves to improve the security of the encrypted communication network system and the second key algorithm program serves to improve its operating efficiency, in this embodiment every node is provided with both programs so that every node can run both.
S43, creating a virtual network interface on each node and assigning it a virtual IP address. The implementation of this step is well known to those skilled in the art and is not described in detail here.
S44, configuring WireGuard. Specifically, the listening port, the routing rules, the public and private keys and so on need to be configured.
In this embodiment, the method for configuring WireGuard is as follows.
First, the WireGuard network interface is configured; in this embodiment an achievable configuration is:
ip link add dev wg0 type wireguard
ip address add dev wg0 10.10.10.1/24
ip link set up dev wg0
Then the WireGuard public key, private key and configuration file are configured so that the public key is the second public key and the private key is the second private key; in this embodiment an achievable configuration file is:
[Interface]
PrivateKey = <SM2 private key, i.e. the second private key>
ListenPort = 54436
PreUp = ip link add dev wg0 type wireguard
PreUp = ip address add dev wg0 10.10.10.1/24
PreUp = ip link set up dev wg0

[Peer]
PublicKey = <SM2 public key of the peer, i.e. its second public key>
Endpoint = 192.168.52.134:54436
AllowedIPs = 10.10.10.2/24
Two caveats for anyone reproducing this configuration: the PreUp hooks are interpreted only by wg-quick (wg setconf accepts just PrivateKey, ListenPort and FwMark in the [Interface] section), and wg-quick creates and addresses the interface itself, so these hooks merely repeat the ip commands given above; and AllowedIPs is WireGuard's cryptokey routing table for the peer, so 10.10.10.2/24 admits the whole 10.10.10.0/24 range to and from this single peer, whereas a single-host peer is more tightly bounded by 10.10.10.2/32.
Finally, the configuration file is applied and the tunnel connection is created; the specific implementation is well known to those skilled in the art and is not repeated here.
Referring to Fig. 3, the logic flow of the method for constructing a WireGuard-based encrypted communication network system provided in this application is briefly as follows:
first, the Curve25519 algorithm is replaced by the SM2 algorithm to generate the key pair, that is, the second public key and the second private key, and the array lengths of the public and private keys are changed to meet the requirements of the new algorithm; then the sizes of the handshake initiation packet and the handshake response packet are adjusted to match the length of the second public key (only public keys appear in the handshake packets) so that key negotiation can complete; next, the ChaCha20-Poly1305 algorithm is replaced by the SM4 algorithm for the encryption of traffic, replacing the third key with the fourth key; then the network topology and the basic configuration are constructed; finally, tunnel network communication based on the national cryptographic algorithms and WireGuard is established. Thus a WireGuard-based encrypted communication network system is built.
With this system, network communication can be carried out securely and efficiently, avoiding the communication failures caused by insufficient security or low computational efficiency, and the system can be widely applied in government, finance, medicine and other fields.
In this specification, each embodiment is described in a progressive manner, and each embodiment focuses on the difference from other embodiments, so that the same similar parts of each embodiment are referred to each other.
The method for constructing the encryption communication network system based on the WireGuard provided by the embodiment comprises the following steps: building a terminal based on a WireGuard; generating a first key algorithm program of the terminal; carrying out handshake communication among the terminals and generating a second key algorithm program of the terminals; the terminal is configured with a first key algorithm program and a second key algorithm program. By combining the wireless guard with the national encryption algorithm and configuring the terminal, the encryption and decryption algorithm in the encryption communication network system meets domestic requirements, and can provide high-efficiency and high-security network communication, thereby solving the problem that the conventional encryption algorithm cannot realize high-efficiency encryption while ensuring security.
The above description is only illustrative of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention, and any alterations and modifications made by those skilled in the art based on the above disclosure shall fall within the scope of the appended claims.

Claims (9)

1. A method for constructing an encrypted communication network system based on WireGuard, characterized by comprising the following steps:
building a terminal based on WireGuard;
generating a first key algorithm program of the terminal;
carrying out handshake communication among the terminals and generating a second key algorithm program of the terminals;
configuring the terminal by using a first key algorithm program and a second key algorithm program;
the method for carrying out handshake communication among the terminals and generating the second key algorithm program of the terminals comprises the following steps:
acquiring a handshake initial packet and a handshake reply packet;
modifying the sizes of the handshake initial packet and the handshake reply packet using a first key algorithm program;
and carrying out key negotiation and handshake communication by using the handshake initial packet and the handshake reply packet with the changed sizes, and generating a second key algorithm program.
2. The method for constructing a WireGuard-based encrypted communication network system according to claim 1, wherein the method for generating the first key algorithm program of the terminal comprises:
acquiring a first public key, a first private key and a first shared key by utilizing the encryption algorithm of WireGuard itself;
replacing the encryption algorithm of WireGuard itself with a first key algorithm program based on the national cryptographic (SM) algorithms, wherein the first key algorithm program comprises a first public/private key generation algorithm and a first shared key generation algorithm;
replacing, by the first key algorithm program, the first public key with a second public key, the first private key with a second private key and the first shared key with a second shared key.
3. The method for constructing the encrypted communication network system based on WireGuard according to claim 2, wherein the encryption algorithm of WireGuard itself adopts Curve25519, and the lengths of the first public key, the first private key and the first shared key are each 32 bytes; the national cryptographic algorithm adopts SM2, the length of the second public key is 64 bytes, the length of the second private key is 32 bytes, and the length of the second shared key is 64 bytes.
4. The method for constructing the WireGuard-based encrypted communication network system according to claim 2, wherein the method for replacing the encryption algorithm of WireGuard itself with the first key algorithm program based on the national cryptographic algorithm comprises the steps of:
randomly generating a first private key by utilizing an encryption algorithm of the WireGuard;
calling a generation library in the national encryption algorithm to generate a second public key corresponding to the first private key;
replacing the first public key in the encryption algorithm of WireGuard with the second public key;
changing the input values of the negotiation function in the encryption algorithm of WireGuard to the second public key and the second private key, and changing the negotiation algorithm to the point multiplication of the second public key of the communicating party's terminal and the second private key of the communicating party's terminal.
5. The method for constructing a WireGuard-based encrypted communication network system according to claim 1, wherein the method for generating the second key algorithm program comprises:
obtaining a third key by using the communication encryption algorithm of WireGuard itself;
and replacing the third key with a fourth key based on the national cryptographic communication encryption algorithm.
6. The method for constructing an encrypted communication network system based on WireGuard according to claim 5, wherein the communication encryption algorithm of WireGuard itself adopts chacha20poly1305, and the third key has a length of 32 bytes; the national cryptographic communication encryption algorithm adopts SM4, and the fourth key has a length of 16 bytes; the method for replacing the third key with the fourth key based on the national cryptographic communication encryption algorithm comprises the following step:
according to the principle of minimal modification, half of the original array of the third key is taken as the fourth key.
7. The method for constructing a WireGuard-based encrypted communication network system according to claim 1, wherein the method for configuring the terminal using the first key algorithm program and the second key algorithm program comprises:
dividing virtual network segments of the terminal according to an actual physical network environment, and constructing a network topology of the terminal;
placing and running a first key algorithm program and a second key algorithm program on each node;
generating a virtual network card on each node, and setting a virtual IP;
and configuring WireGuard.
8. The method for constructing a WireGuard-based encrypted communication network system according to claim 7, wherein the method for dividing the virtual network segments of the terminal according to the actual physical network environment comprises:
dividing a large section according to the position of the server and the physical network condition;
the small segments are divided according to different functions and object-oriented functions of the server, wherein the size of the small segments is smaller than that of the large segments.
9. The method for constructing a WireGuard-based encrypted communication network system according to claim 7, wherein the method for configuring WireGuard comprises:
configuring a WireGuard network card;
configuring the WireGuard public key, private key and configuration file so that the public key is the second public key and the private key is the second private key;
apply the configuration file and create the tunnel connection.
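The key lengths of claim 3, the point-multiplication negotiation of claim 4, the key truncation of claim 6 and the handshake-packet resizing summarised in the description's logic flow can be checked concretely. The following is an added example written for this page; it is not code from the patent, from China Unicom or from the WireGuard project. It makes assumptions the patent does not state: that claim 4's point multiplication is plain Diffie-Hellman on the SM2 curve with the 64-byte public key laid out as X||Y without a 0x04 prefix, that the "half" of claim 6 is the first 16 bytes, and that the handshake's AEAD tags stay 16 bytes when only the key fields grow. The curve constants are the published GB/T 32918 SM2 parameters; all function names are the example's own.

```python
import secrets

# SM2 recommended curve (GB/T 32918.5): y^2 = x^3 + a*x + b over GF(p)
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
G = (GX, GY)


def on_curve(pt):
    """True for the point at infinity (None) or an (x, y) pair on the SM2 curve."""
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P) = O; also covers doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add k*pt. Not constant-time: a model, not a production implementation."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sm2_keypair(priv=None):
    """Claim 3 layout: 32-byte private scalar d in [1, n-1], 64-byte public key X||Y."""
    if priv is None:
        priv = (secrets.randbelow(N - 1) + 1).to_bytes(32, "big")
    d = int.from_bytes(priv, "big")
    if not 1 <= d < N:
        raise ValueError("private scalar must lie in [1, n-1]")
    x, y = scalar_mult(d, G)
    return priv, x.to_bytes(32, "big") + y.to_bytes(32, "big")


def sm2_raw_agree(my_priv, peer_pub):
    """Claim 4 as literally stated: d_own * P_peer, returned as 64 bytes X||Y.

    Example's assumption: plain Diffie-Hellman on the SM2 curve, which is not the
    SM2 key-exchange protocol of GB/T 32918.3. The on_curve check rejects
    invalid-curve inputs; raw point multiplication must never skip it.
    """
    if len(peer_pub) != 64:
        raise ValueError("expected a 64-byte SM2 public key")
    peer = (int.from_bytes(peer_pub[:32], "big"), int.from_bytes(peer_pub[32:], "big"))
    if not on_curve(peer):
        raise ValueError("peer public key is not on the SM2 curve")
    shared = scalar_mult(int.from_bytes(my_priv, "big"), peer)
    if shared is None:
        raise ValueError("degenerate shared point")
    x, y = shared
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")


def sm4_key_from_half(third_key):
    """Claim 6: half of the 32-byte chacha20poly1305 key becomes the 16-byte SM4 key.

    The patent does not say which half; this example assumes the first one.
    """
    if len(third_key) != 32:
        raise ValueError("expected a 32-byte third key")
    return third_key[:16]


def handshake_sizes(pubkey_len):
    """WireGuard handshake message sizes when the public-key-sized fields hold pubkey_len.

    Initiation: type(1) reserved(3) sender(4) ephemeral encrypted-static(key+16 tag)
    encrypted-timestamp(12+16) mac1(16) mac2(16). Response: type(1) reserved(3)
    sender(4) receiver(4) ephemeral encrypted-empty(16) mac1(16) mac2(16).
    Assumes the AEAD tags stay 16 bytes (example's assumption, not the patent's).
    """
    init = 1 + 3 + 4 + pubkey_len + (pubkey_len + 16) + (12 + 16) + 16 + 16
    resp = 1 + 3 + 4 + 4 + pubkey_len + 16 + 16 + 16
    return init, resp


def demo():
    a_priv, a_pub = sm2_keypair()
    b_priv, b_pub = sm2_keypair()
    shared_a = sm2_raw_agree(a_priv, b_pub)
    shared_b = sm2_raw_agree(b_priv, a_pub)
    print("shared key agrees:", shared_a == shared_b, "length:", len(shared_a))
    print("Curve25519 layout (init, resp):", handshake_sizes(32))
    print("SM2 layout (init, resp):", handshake_sizes(64))
    third_key = bytes(range(32))  # constructed stand-in for a derived 32-byte transport key
    print("SM4 key per claim 6:", sm4_key_from_half(third_key).hex())
    return shared_a == shared_b


if __name__ == "__main__":
    demo()
```

Running the block shows both terminals deriving the same 64-byte shared key, the WireGuard handshake sizes of 148/92 bytes with 32-byte keys growing to 212/124 bytes with 64-byte SM2 keys (the "adjusted sizes" the description leaves unstated), and the 16-byte SM4 key cut from a constructed 32-byte third key. The on_curve check in sm2_raw_agree is the part a defender should not drop: raw point multiplication on a Weierstrass curve without validating the peer's public key is exposed to invalid-curve inputs, a class of problem Curve25519's design avoids, so swapping the curve also moves that validation burden onto the implementation. Truncating a 256-bit key to 128 bits likewise halves the key-space margin; whether that fits the deployment's security target is a decision the patent leaves to the implementer.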
CN202311172054.1A 2023-09-12 2023-09-12 Method for constructing encrypted communication network system based on WireGuard Active CN117201022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311172054.1A CN117201022B (en) 2023-09-12 2023-09-12 Method for constructing encrypted communication network system based on WireGuard

Publications (2)

Publication Number Publication Date
CN117201022A CN117201022A (en) 2023-12-08
CN117201022B true CN117201022B (en) 2024-03-19

Family

ID=88999441

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311172054.1A Active CN117201022B (en) 2023-09-12 2023-09-12 Method for constructing encrypted communication network system based on WireGuard

Country Status (1)

Country Link
CN (1) CN117201022B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118381603B (en) * 2024-01-17 2025-01-24 长扬科技(北京)股份有限公司 Gateway based on WireGuard protocol

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113452705A (en) * 2021-06-28 2021-09-28 长春吉大正元信息技术股份有限公司 Encrypted communication method, device, electronic equipment and storage medium
US11153080B1 (en) * 2020-07-29 2021-10-19 John A. Nix Network securing device data using two post-quantum cryptography key encapsulation mechanisms
CN113645590A (en) * 2021-07-16 2021-11-12 北汽福田汽车股份有限公司 Method, apparatus, device and medium for remotely controlling vehicle based on encryption algorithm
CN114401102A (en) * 2021-11-29 2022-04-26 南威软件股份有限公司 HTTP request parameter encryption scheme based on cryptographic algorithm
CN116633562A (en) * 2023-06-14 2023-08-22 陈斌 Network zero trust security interaction method and system based on WireGuard

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116847341A (en) * 2020-08-31 2023-10-03 Oppo广东移动通信有限公司 Network connection method, terminal, network equipment to be distributed and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design and implementation of an SSL protocol for Android smart terminals based on the national cryptographic (SM) algorithms; 施晓芳, 赵少卡, 王震懿; 福建师大福清分校学报, 2019 (No. 02); full text *

Also Published As

Publication number Publication date
CN117201022A (en) 2023-12-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant