A ship-to-shore information communication method and device

By employing a combination of SM1 encryption algorithm, SM3 verification algorithm, and SM2 signature authentication in coastal communications, the security threats of traditional encryption methods are resolved, achieving highly secure data transmission and ensuring data integrity and privacy.

CN116346421BActive Publication Date: 2026-06-30THE QUARTERMASTER RES INST OF THE GENERAL LOGISTICS DEPT OF THE CPLA +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
THE QUARTERMASTER RES INST OF THE GENERAL LOGISTICS DEPT OF THE CPLA
Filing Date
2023-02-27
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In traditional coastal communications, encryption algorithms used for direct internet transmission or "IPSEC VPN + international cryptographic standards" are facing increasingly serious security threats and cannot guarantee data integrity and privacy in scenarios with high security requirements.

Method used

By combining the SM1 data encryption algorithm and the SM3 verification digest algorithm with the SM2 signature authentication algorithm, and through the parsing and verification of ESP protocol messages, the integrity of data packets is detected and decrypted in reverse, thus constructing a secure encrypted tunnel to ensure the security of data transmission.

Benefits of technology

It improves the data integrity and privacy of coastal satellite communications, is suitable for encrypted transmission from various offshore platforms to shore-based centers, and meets application scenarios with high security requirements.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116346421B_ABST
    Figure CN116346421B_ABST
Patent Text Reader

Abstract

This application discloses a ship-to-shore information communication method and apparatus, relating to the technical field of coastal communication. The method includes: responding to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device; if the packet's message structure is an ESP protocol message, then searching for an encryption algorithm and security specification according to the security parameter index; after verifying the integrity of the ESP message in the data packet according to the encryption algorithm and security specification, detecting whether the data packet is a replay attack; if the data packet is not a replay attack, then decrypting the data packet in reverse according to the encryption algorithm and security specification, obtaining and sending the original IP data to the core network layer for subsequent processing and forwarding. This method ensures the integrity and privacy of transmitted data in high-security scenarios such as ship-to-shore communication.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the technical field of coastal communication, and more specifically, to a ship-to-shore information communication method and apparatus. Background Technology

[0002] Long-term marine research requires stable communication methods. However, building wired communication infrastructure at sea, especially in the mid-to-far seas, as on land requires substantial financial and time investment. Furthermore, the marine environment changes rapidly, and natural disasters such as typhoons and tsunamis are highly destructive, often causing frequent and devastating damage to marine infrastructure, making maintenance difficult and extremely costly. The civilian application of satellite communication has alleviated some of the difficulties in maritime communication. In particular, the emergence of high-throughput satellites has promoted the diversified development of marine satellite communication. It is foreseeable that in the future, marine observation, far-sea scientific expeditions, and other work will increasingly rely on high-throughput satellites to solve communication problems.

[0003] In the field of marine communications, internet access is paramount. High-throughput satellites can currently achieve a maximum download bandwidth of 40Mbps and an upload bandwidth of 12Mbps for a single commercial user using a 0.8m satellite antenna, sufficient to meet the internet access needs of maritime platforms. However, in recent years, network security issues have emerged frequently. In wireless communication, especially in applications such as marine information collection and transmission, and marine scientific research, there are high requirements for data integrity and privacy. Traditional satellite communication security encryption methods use "IPSEC VPN + international cryptographic standards" to achieve virtual leased line transmission. This mainly uses shore-based networks as core nodes, with ship-based nodes using a convenient connection through "brute-force negotiation" to build a virtual transmission encryption channel. With the development of cryptographic and computer technologies, traditional cryptographic algorithms such as RSA and MD5 are facing increasingly serious security threats and pose security risks in system applications. In scenarios with high security requirements, traditional encryption methods are gradually being phased out. Therefore, a more secure and reliable shore-based encrypted communication method is urgently needed. Summary of the Invention

[0004] The purpose of this application is to provide a ship-to-shore information communication method to address the increasingly serious security threats and frequent security incidents posed by encryption and verification algorithms used in traditional coastal communication methods such as direct Internet transmission or "IPSEC VPN + international cryptographic standards," which cannot guarantee the integrity and privacy of data in scenarios with high security requirements.

[0005] In a first aspect, this application provides a ship-to-shore information communication method, the method comprising: in response to receiving an encrypted data packet sent by a ship-based or shore-based IPSec security gateway device, confirming whether the message structure of the data packet is an ESP protocol message; if the message structure of the data packet is an ESP protocol message, parsing the data packet to obtain a security parameter index, and searching for an encryption algorithm and security specification according to the security parameter index; verifying the integrity of the ESP message in the data packet according to the encryption algorithm and security specification; if the ESP message in the data packet is complete, detecting the message sequence number of the ESP message in the data packet to determine whether the data packet is a replay attack; if the data packet is not a replay attack, reverse decrypting the data packet according to the encryption algorithm and security specification to obtain the original IP data, and sending the original IP data to the core network layer for subsequent processing and forwarding.

[0006] In any of the above technical solutions, the encryption algorithm further includes the SM1 data encryption algorithm and the SM3 verification digest algorithm, and the security specification includes key information.

[0007] In any of the above technical solutions, the data packet further includes an ESP message, and the ESP message includes an ESP header; and

[0008] Parsing the data packet to obtain the security parameter index includes:

[0009] Parse the ESP header to obtain the security parameter index.

[0010] In any of the above technical solutions, the ESP message further includes encrypted data and an ESP digest; and

[0011] Verifying the integrity of the ESP message in the data packet according to the encryption algorithm and security specifications includes:

[0012] According to the SM3 verification digest algorithm, the ESP header and encrypted data are verified to obtain a calculated value. The calculated value is then used for data authentication with the ESP digest to verify the integrity of the ESP message in the data packet.

[0013] In any of the above technical solutions, further, the step of reverse decrypting the data packet according to the encryption algorithm and security specifications includes:

[0014] Based on the SM1 data encryption algorithm and key information, the encrypted data is decrypted in reverse to obtain the original IP data and ESP tail.

[0015] In any of the above technical solutions, further, before sending the raw IP data to the core network layer, the method further includes:

[0016] The ESP tail determines whether the data packet is fragmented. If fragmentation exists, subsequent data packets are received and reassembled until the complete original IP data is obtained, and then the complete original IP data is sent to the core network layer. If no fragmentation exists, the original IP data is sent directly to the core network layer.

[0017] In any of the above technical solutions, the encrypted data packet is further obtained by the shore-based or ship-based system in tunnel mode through the following method:

[0018] The encrypted data is obtained by encrypting the original data packet according to the SM1 data encryption algorithm. In this process, the ESP protocol combines the security parameter index and the message sequence number into an ESP header and adds it to the beginning of the encrypted data. According to the SM3 verification digest algorithm, the ESP header and the encrypted data are subjected to SM3 integrity verification calculation to obtain an ESP digest, which is then added to the end of the encrypted data. Finally, an external IP header is added to the beginning of the ESP header to form a complete encrypted data packet that can be transmitted in the tunnel.

[0019] Secondly, this application also provides a ship-to-shore information communication device, comprising: a first processing module, configured to, in response to receiving an encrypted data packet sent by a ship-based or shore-based IPSec security gateway device, confirm whether the message structure of the data packet is an ESP protocol message; a second processing module, configured to, if the message structure of the data packet is an ESP protocol message, parse the data packet to obtain a security parameter index, and search for an encryption algorithm and security specification according to the security parameter index; a third processing module, configured to, according to the encryption algorithm and security specification, verify the integrity of the ESP message in the data packet, and if the ESP message in the data packet is complete, detect the message sequence number of the ESP message in the data packet to determine whether the data packet is a replay attack; and a fourth processing module, configured to, if the data packet is not a replay attack, reverse decrypt the data packet according to the encryption algorithm and security specification to obtain the original IP data, and send the original IP data to the core network layer for subsequent processing and forwarding.

[0020] Thirdly, this application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of any of the ship-to-shore information communication methods described above.

[0021] Fourthly, this application also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of any of the ship-to-shore information communication methods described above.

[0022] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of any of the ship-to-shore information communication methods described above.

[0023] The beneficial effects of this application are: the technical solution in this application, by organically combining encryption algorithms and security specifications, meets the communication encryption needs of application scenarios with high security requirements and key equipment facilities, and is applicable to encrypted transmission applications from various offshore platforms to shore-based centers, thereby improving the data integrity and privacy of coastal satellite communications. Attached Figure Description

[0024] The advantages of the above and / or additional aspects of this application will become apparent and readily understood in the description of the embodiments in conjunction with the following drawings, wherein:

[0025] Figure 1 This is a schematic flowchart of a ship-to-shore information communication method according to an embodiment of this application;

[0026] Figure 2 This is a schematic diagram of one embodiment of the security handling method negotiation process;

[0027] Figure 3 This is a schematic diagram of the data encryption message structure;

[0028] Figure 4 This is a schematic block diagram of a ship-to-shore information communication method network.

[0029] Figure 5 This is a schematic diagram of the structure of some embodiments of the ship-to-shore information communication device provided by the present invention;

[0030] Figure 6 This is a schematic diagram of the structure of an electronic device provided according to the present invention. Detailed Implementation

[0031] To better understand the above-mentioned objectives, features, and advantages of this application, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, unless otherwise specified, the embodiments and features described in the embodiments of this application can be combined with each other.

[0032] In the following description, many specific details are set forth in order to provide a full understanding of this application. However, this application may also be implemented in other ways different from those described herein. Therefore, the scope of protection of this application is not limited to the specific embodiments disclosed below.

[0033] like Figure 1 As shown, this embodiment provides a ship-to-shore information communication method, which includes:

[0034] Step 1: In response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirm whether the message structure of the data packet is an ESP protocol message.

[0035] Step 2: If the message structure of the data packet is an ESP protocol message, then parse the data packet to obtain the security parameter index, and look up the encryption algorithm and security specification according to the security parameter index.

[0036] In some optional implementations, the encryption algorithm includes the SM1 data encryption algorithm and the SM3 verification digest algorithm, and the security specification includes key information.

[0037] SM1 is a symmetric encryption algorithm with a key length and block length of 128 bits. Its encryption strength is comparable to AES. The algorithm is not publicly available, and it needs to be called through the interface of the encryption chip.

[0038] The SM3 hash algorithm is a cryptographic hash algorithm with a key length and block length of 128 bits. It is suitable for generating and verifying digital signatures and authentication codes for verification messages, as well as generating random numbers in commercial cryptographic applications. It can meet the security requirements of various cryptographic applications. In order to ensure the security of the hash algorithm, the length of the hash value it generates should not be too short. The output length of the SM3 algorithm is 256 bits. Therefore, the security of the SM3 algorithm is higher than that of the MD5 and SHA-1 algorithms.

[0039] In some alternative implementations, the data packet includes an ESP message, which includes an ESP header, so that the security parameter index can be obtained by parsing the ESP header.

[0040] As an example, after receiving the encrypted data packet, the shore-based IPsec security gateway device parses the ESP header to obtain the Security Parameter Index (SPI), and then looks up the corresponding SA's symmetric encryption algorithm (SM1 data encryption algorithm, SM3 verification digest algorithm) and security specification (key information) based on the SPI.

[0041] Step 3: Verify the integrity of the ESP message in the data packet according to the encryption algorithm and security specifications. If the ESP message in the data packet is complete, detect the message sequence number of the ESP message in the data packet to determine whether the data packet is a replay attack.

[0042] In some optional implementations, the ESP message also includes encrypted data and an ESP digest. Therefore, the ESP header and encrypted data can be verified using the SM3 verification digest algorithm (SM 1, SM2 or SM4 algorithm) to obtain a calculated value. The calculated value is then used for data authentication with the ESP digest to verify the integrity of the ESP message in the data packet.

[0043] As an example, based on the obtained encryption mode and security specifications, the integrity of the ESP message (ESP header + encrypted data + ESP digest) can be verified first. The ESP header and encrypted data in the ESP message can be verified using SM3 verification to see if they are consistent with the ESP digest authentication data. If they fail, it indicates that the data is incomplete or has been tampered with.

[0044] The SM2 elliptic curve public-key cryptography algorithm is a public-key cryptography algorithm that includes the SM2-1 elliptic curve digital signature algorithm, the SM2-2 elliptic curve key exchange protocol, and the SM2-3 elliptic curve public-key encryption algorithm, which are used to implement functions such as digital signature key negotiation and data encryption. Unlike the RSA algorithm, the SM2 algorithm is based on the discrete logarithm problem of point groups on elliptic curves. Compared to the RSA algorithm, the 256-bit SM2 cryptography is stronger than the 2048-bit RSA cryptography.

[0045] The SM4 block cipher is a symmetric block cipher used for encryption and decryption to ensure the confidentiality of data and information. A fundamental requirement for the security of a symmetric cipher algorithm is a sufficient key length. SM4 has the same key length and block length of 128 bits as AES, thus offering higher security than 3DES.

[0046] Step 4: If the data packet is not a replay attack, then the data packet is decrypted in reverse according to the encryption algorithm and security specifications to obtain the original IP data, and the original IP data is sent to the core network layer for subsequent processing and forwarding.

[0047] As an example, a non-replay attack can be identified by examining the message sequence number (Seq) in the ESP header.

[0048] In some alternative implementations, the encrypted data can be reverse-decrypted based on the SM1 (SM 1, SM2 or SM3) algorithm and key information to obtain the original IP data and ESP tail.

[0049] In some optional implementations, before sending the original IP data to the core network layer, it can be determined whether the data packet is fragmented based on the ESP tail. If fragmentation exists, subsequent data packets are received and reassembled until the complete original IP data is obtained, and then the complete original IP data is sent to the core network layer. If no fragmentation exists, the original IP data is sent directly to the core network layer.

[0050] The above steps employ a multi-factor authentication mechanism, which can avoid the threats of unauthorized node devices gaining unauthorized access and data tampering in traditional IPSec VPN construction methods, further enhancing security and demonstrating good application value in intranet communication and critical information transmission for both onshore and offshore enterprises.

[0051] As an example, the padding information can be removed based on the padding length at the end of the ESP, and the next header information can be recorded to obtain the actual original data packet (IP data packet). If there is next header information, it means that the data packet is fragmented, and it is necessary to wait for subsequent data packets to be reassembled until the data packet is complete. If the next header information is null, proceed directly to the next step. The original data packet (IP data packet) is sent to the core network layer of the shore base station for forwarding, completing the decryption process of the received packet by the shore base station IPsec security gateway device.

[0052] In some optional implementations, the encrypted data packet can be obtained by the shore-based or ship-based system in tunnel mode through the following methods: encrypting the original data packet according to the SM1 data encryption algorithm, wherein the ESP protocol assembles the security parameter index and message sequence number into an ESP header and adds it to the beginning of the encrypted data; calculating the ESP digest by performing SM3 integrity verification on the ESP header and the encrypted data according to the SM3 verification digest algorithm, and adding the ESP digest to the end of the encrypted data; finally, adding an external IP header to the beginning of the ESP header to form a complete encrypted data packet that can be transmitted in the tunnel.

[0053] As an example, the encryption and decryption process of data packets transmitted from the sea-based terminal to the shore-based terminal can be referenced as follows: The data stream of interest (the data to be transmitted encrypted) is processed according to the obtained security encryption method. In tunnel mode, the length of the original data packet (internal IP header, IP packet) is first determined, and the ESP tail is padded as needed (padding information + padding length + next header (slice identifier); ensuring a fixed length for each data packet) to form a new original data packet. The original data packet undergoes SM1 encryption calculation to obtain encrypted data. The ESP protocol combines the Security Parameter Index (SPI) and Sequence Number (Seq) to form the ESP header and adds it to the beginning of the encrypted data. Then, the ESP header and encrypted data undergo SM3 integrity verification calculation to obtain the ESP digest, which is added to the end of the encrypted data. Finally, an external IP header is added to the header of the new message content (ESP header, encrypted data, ESP digest), forming a complete encrypted data packet that can be transmitted in the tunnel (the encrypted data packet structure is as follows). Figure 3(As shown). Then, the sea-based IPSec security gateway device addresses the destination IP address in the external IP header and sends encrypted data packets. The shore-based IPSec security gateway device receives data packets matching the destination IP address in the external IP header through the listening port where the negotiation was completed, and executes steps 1-4 to decrypt the encrypted data packets.

[0054] The steps in this application can be rearranged, combined, or deleted according to actual needs.

[0055] In an application scenario, if Figure 2 As shown, based on the algorithmic characteristics of SM1, SM2, SM3, or SM4, IKE SA and IPSec SA can be constructed by combining the SM1 encryption algorithm, the SM3 verification algorithm, and the SM2 signature authentication algorithm. SM1 encrypts the transmitted data, SM3 is used as the encryption algorithm to verify data integrity, and the SM2 (or SM4) signature is used for encrypting two-way authentication information. In IKE SA, the proposed negotiation authentication type is SM2-256 certificate authentication, the encryption algorithm is SM1, and the verification algorithm is SM3; in IPSec SA, the proposed negotiation protocol type is ESP, the encryption algorithm is SM1, and the verification algorithm is SM3.

[0056] The process of transmitting encrypted data messages from the shore-based platform to the sea-based platform is the reverse of the above description.

[0057] The technical solution of this application is based on Figure 4 The network configuration shown is a case study, illustrating the specific network configuration for transmitting encrypted information between shore and sea in high-throughput satellite communication.

[0058] The connectivity configuration of the shore-based center is as follows:

[0059] Step 1-1: The core network of the shore-based central node is connected to the Internet through an IPSec security gateway, and a fixed public IP address is configured on the interface of the IPSec security gateway that connects to the Internet, so that the ship-based platform node can access this interface IP address through the Internet.

[0060] Steps 1-2: Configure the shore-based core network equipment with a default static route, with the next hop pointing to the IPSec security gateway;

[0061] Steps 1-3: Configure a default static route for the IPSec security gateway, with the next hop pointing to the gateway's public IP address. Then configure the route for the core network service network segment that the ship-based platform node needs to access, with the next hop pointing to the interface address between the core network and the IPSec security gateway.

[0062] Steps 1-4: Configure access control measurement and open mutual access addresses and ports as needed.

[0063] The connectivity configuration of the ship-based platform nodes is as follows:

[0064] Step 2-1: The local area network of the ship-based platform node is connected to the satellite communication station modem through the IPSec security gateway, and the private network IP address assigned by the satellite communication center station is configured on the IPSec security gateway connection interface. SNAT is set on the satellite communication center station so that the ship-based platform node can access the Internet through this IP address.

[0065] Step 2-2: Configure the switching equipment of the ship-based platform node with a default static route, with the next hop pointing to the IPSec security gateway;

[0066] Steps 2-3: Configure a default static route for the IPSec security gateway, with the next hop pointing to the IP address gateway connecting the satellite communication center station. Then configure the address network segment route that the ship-based platform needs to access the shore-based center network, with the next hop pointing to the IP address connecting the ship-based platform's switching equipment and the IPSec security gateway.

[0067] Steps 2-4: Configure access control measurement and open mutual access addresses and ports as needed.

[0068] Among them, the IPSec security gateway encryption configuration of the shore-based platform center is as follows:

[0069] Step 3-1: When using the SM1 algorithm, it needs to be used in conjunction with a dongle. This case uses a combination of SM1 encryption algorithm + SM3 verification algorithm + SM2 signature certificate algorithm for illustration.

[0070] Step 3-2: This case uses an automatic IPSec tunnel. The automatic IPSec negotiation uses the IKE method to negotiate the IPSec tunnel. By negotiating the key parameters used in the IPSec tunnel through IKE, the workload of manually specifying IPSec key parameters by the user is reduced, and security is improved. Negotiating the IPSec tunnel through the IKE method supports both traffic redirection via security policies (i.e., security policy-based IPSec) and traffic redirection via routing (i.e., routing-based IPSec).

[0071] Step 3-3: Add an IKE suggestion (custom name):

[0072] The IKE(P1) proposal is used to define the parameters used in the first phase of IPSec negotiation (SA, often referred to as "IKE SA" or "ISAKMPSA"), including the type of authentication used (pre-shared key or certificate), encryption algorithm, authentication algorithm, lifecycle, etc.

[0073] A. Select certificate authentication as the authentication type, and select the trusted certificate applied for by the gateway. Select SM2-256 as the public key algorithm for the certificate.

[0074] B. Select SM1 as the encryption algorithm and call the dongle interface;

[0075] C. Select SM3 as the verification algorithm;

[0076] D. The default lifespan is 86400s.

[0077] Steps 3-4: Configure the IKE negotiation port to a custom port 4200;

[0078] Steps 3-5: Add an IKE gateway (custom name): When configuring IPSec automatic tunneling, you need to specify an IKE gateway. The IKE gateway defines parameters such as the local interface for IPSec negotiation, IP address, negotiation mode, peer type, peer address, local type, and IKE proposal.

[0079] (1) Select the IKE interface as the physical interface for the device to connect to the Internet;

[0080] (2) Select the IP address of the IKE interface for the local IP address;

[0081] (3) Select the custom 4200 port for IKE port;

[0082] (4) Configure the IKE gateway to use the SM1 (SM2, SM3 or SM4) algorithm for negotiation and install the device's encryption card;

[0083] (5) Configure negotiation parameters, including:

[0084] Select static mode for the docking port;

[0085] Enter the peer's public IP address and port after NAT translation;

[0086] The local ID value is selected as the value of the "Subject" field in ASN1DN (Certificate Subject);

[0087] The peer ID value should be selected as the value of the "Subject" field in the corresponding ASN1DN (Certificate Subject);

[0088] Select a local encryption certificate with the purpose of "encryption" and the algorithm of SM2-256;

[0089] Select a local signing certificate with the purpose of "signing" and the algorithm of SM2-256;

[0090] The IKE proposal name created in step 3) is selected;

[0091] Select the trusted certificate for the peer device and import the SM2-256 algorithm CA certificate.

[0092] Steps 3-6, Advanced Configuration: Select bidirectional connection type; enable NAT traversal; keep other configurations at their default settings.

[0093] Steps 3-7: Add an IPSec proposal (custom name): The IPSec proposal is used to configure the negotiation parameters for the second phase. IPSec proposals support ESP and AH protocols, encryption algorithms SM1 and SM4, and authentication algorithm SM3.

[0094] (1) Protocol selection: ESP;

[0095] (2) Select encryption algorithm SM1 and call the dongle interface;

[0096] (3) Verification algorithm selection: Algorithm SM3;

[0097] (4) Keep other configurations at their default settings (both ends must be consistent).

[0098] Steps 3-8: Add an IPSec tunnel (custom name): The IPSec tunnel is used for negotiation parameters of the IPSec Phase 2 SA.

[0099] (1) IPSec (P2) Proposal Selection Step 7) New Proposal Name;

[0100] (2) Select the new IKE gateway name in step 5);

[0101] (3) Select IPv4 as the address type;

[0102] (4) Protect the data stream by adding IP address ranges that need to be accessed by mutual access;

[0103] (5) Data flow redirection should be configured according to the actual situation.

[0104] The encryption configuration of the IPSec security gateway at the ship-based platform center is basically the same as that at the shore-based platform center. When selecting the local IP address in steps 3-5, select the address of the Lianweitong small station modem on the IPSec security gateway device (ensure that the Weitong central station has completed NAT configuration and the port is reachable).

[0105] The traditional coastal communication methods, such as direct internet transmission or "IPSEC VPN + international cryptographic standards," which rely on combined encryption and verification algorithms like SHA, RSA, and MD5, are facing increasingly serious security threats and frequent security incidents. These methods fail to guarantee data integrity and privacy in high-security scenarios. The aforementioned method can be used to configure high-throughput satellite coastal communication, constructing a high-throughput satellite encrypted coastal communication link that meets the requirements of key infrastructure. This enables secure and reliable information transmission, satisfying the data integrity and privacy requirements of high-security scenarios. Specifically, the above case uses an organic combination of SM1 encryption algorithm, SM3 verification algorithm, and SM2 encrypted certificate signing to construct a secure negotiation mechanism and a secure encrypted tunnel for service isolation at both ends of the coast. This ensures the security and privacy of business data and eliminates the security threats posed by the combination of encryption and verification algorithms like SHA, RSA, and MD5 used in traditional "IPSEC VPN + international cryptographic standards" methods.

[0106] In the above case, the shore-based core network accesses the internet by deploying IPSec security gateway devices and configuring them with fixed public IP addresses. The sea-based node network accesses the high-throughput satellite internet by deploying IPSec security gateway devices at its local area network exit and configuring them with fixed private IP addresses assigned by the satellite center station. PNAT translation is configured at the internet exit of the satellite center station to achieve bidirectional address reachability. Moreover, by using IPSec security gateway devices and combining SM2 encryption certificate authentication, SM1 data encryption algorithm, and SM3 verification algorithm, the system ensures that private information in transmitted data during coastal communications is not stolen or tampered with, thereby providing end users with internet-based network services with performance similar to a private network.

[0107] In summary, the technical solution and method described in this application aim to construct a secure encrypted transmission method for coastal satellite communication that organically combines SM1 encryption, SM3 verification, and SM2 signature authentication. This method is applicable to encrypted transmission applications from various maritime platforms to shore-based centers, improves the data integrity and privacy of coastal satellite communication, and meets the communication encryption needs of application scenarios with high security requirements and key equipment and facilities.

[0108] Please see Figure 5 , Figure 5 These are schematic diagrams illustrating the structure of some embodiments of the ship-to-shore information communication device provided by the present invention. As an implementation of the methods shown in the above figures, the present invention also provides some embodiments of the ship-to-shore information communication device, which are similar to... Figure 1 The embodiments of some of the methods shown correspond to this, and the device can be applied to a variety of electronic devices.

[0109] like Figure 5As shown, some embodiments of the ship-to-shore information communication device include a first processing module 501, a second processing module 502, a third processing module 503, and a fourth processing module 504: The first processing module 501 is used to, in response to receiving an encrypted data packet sent by a ship-based or shore-based IPSec security gateway device, confirm whether the message structure of the data packet is an ESP protocol message; the second processing module 502 is used to, if the message structure of the data packet is an ESP protocol message, parse the data packet to obtain a security parameter index, and look up the encryption algorithm and security specification according to the security parameter index; the third processing module 503 is used to, according to the encryption algorithm and security specification, verify the integrity of the ESP message in the data packet, and if the ESP message in the data packet is complete, detect the message sequence number of the ESP message in the data packet to determine whether the data packet is a replay attack; the fourth processing module 504 is used to, if the data packet is not a replay attack, reverse decrypt the data packet according to the encryption algorithm and security specification to obtain the original IP data, and send the original IP data to the core network layer for subsequent processing and forwarding.

[0110] In some optional implementations of embodiments, a first processing module is configured to, in response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirm whether the packet's message structure is an ESP protocol message; a second processing module is configured to, if the packet's message structure is an ESP protocol message, parse the packet to obtain a security parameter index, and look up the encryption algorithm and security specifications based on the security parameter index; a third processing module is configured to, according to the encryption algorithm and security specifications, verify the integrity of the ESP messages in the packet, and if the ESP messages in the packet are complete, detect the message sequence number of the ESP messages in the packet to determine whether the packet is a replay attack; a fourth processing module is configured to, if the packet is not a replay attack, reverse decrypt the packet according to the encryption algorithm and security specifications to obtain the original IP data, and send the original IP data to the core network layer for subsequent processing and forwarding.

[0111] In some optional implementations of the embodiments, the encryption algorithm includes the SM1 data encryption algorithm and the SM3 verification digest algorithm, and the security specification includes key information.

[0112] In some optional implementations of embodiments, the data packet includes an ESP message, the ESP message including an ESP header; and a second processing module for parsing the ESP header to obtain a security parameter index.

[0113] In some optional implementations of the embodiments, the ESP message further includes encrypted data and an ESP digest; and a third processing module, configured to perform verification calculations on the ESP header and encrypted data according to the SM3 verification digest algorithm to obtain a calculated value, and perform data authentication with the calculated value and the ESP digest to verify the integrity of the ESP message in the data packet.

[0114] In some optional implementations of the embodiments, the fourth processing module is used to reverse decrypt the encrypted data according to the SM1 data encryption algorithm and key information to obtain the original IP data and ESP tail.

[0115] In some optional implementations of the embodiments, the apparatus further includes a fifth processing module, used to determine whether the data packet is fragmented based on the ESP tail; if fragmentation exists, it continues to receive subsequent data packets and reassembles the data until the complete original IP data is obtained, and then sends the complete original IP data to the core network layer; if no fragmentation exists, it directly sends the original IP data to the core network layer.

[0116] In some optional implementations of embodiments, the encrypted data packet is obtained by the shore-based or ship-based system in tunnel mode through the following methods: The encrypted data is obtained by encrypting the original data packet according to the SM1 data encryption algorithm, wherein the ESP protocol combines the security parameter index and the message sequence number into an ESP header and adds it to the beginning of the encrypted data; according to the SM3 verification digest algorithm, the ESP header and the encrypted data are subjected to SM3 integrity verification calculation to obtain an ESP digest, and the ESP digest is added to the end of the encrypted data; finally, an external IP header is added to the beginning of the ESP header to form a complete encrypted data packet that can be transmitted in the tunnel.

[0117] It is understandable that the modules described in this device are consistent with the reference. Figure 1 The steps in the described method correspond to each other. Therefore, the operations, features, and beneficial effects described above for the method also apply to the device and the modules and units contained therein, and will not be repeated here.

[0118] Figure 6 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 6As shown, the electronic device may include: a processor 610, a communication interface 620, a memory 630, and a communication bus 640, wherein the processor 610, the communication interface 620, and the memory 630 communicate with each other through the communication bus 640. The processor 610 can invoke logical instructions in the memory 630 to execute a ship-to-shore information communication method, which includes: in response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirming whether the packet's message structure is an ESP protocol message; if the packet's message structure is an ESP protocol message, parsing the packet to obtain a security parameter index, and searching for an encryption algorithm and security specification based on the security parameter index; verifying the integrity of the ESP message in the packet according to the encryption algorithm and security specification; if the ESP message in the packet is complete, detecting the message sequence number of the ESP message in the packet to determine whether the packet is a replay attack; if the packet is not a replay attack, decrypting the packet in reverse according to the encryption algorithm and security specification to obtain the original IP data, and sending the original IP data to the core network layer for subsequent processing and forwarding.

[0119] Furthermore, the logical instructions in the aforementioned memory 630 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0120] On the other hand, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the ship-to-shore information communication method provided by the above methods. The method includes: in response to receiving an encrypted data packet sent by a ship-based or shore-based IPSec security gateway device, confirming whether the message structure of the data packet is an ESP protocol message; if the message structure of the data packet is an ESP protocol message, parsing the data packet to obtain a security parameter index, and searching for an encryption algorithm and security specification according to the security parameter index; verifying the integrity of the ESP message in the data packet according to the encryption algorithm and security specification; if the ESP message in the data packet is complete, detecting the message sequence number of the ESP message in the data packet to determine whether the data packet is a replay attack; if the data packet is not a replay attack, decrypting the data packet in reverse according to the encryption algorithm and security specification to obtain the original IP data, and sending the original IP data to the core network layer for subsequent processing and forwarding.

[0121] In another aspect, the present invention also provides a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the ship-to-shore information communication methods provided above. The method includes: in response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirming whether the packet's message structure is an ESP protocol message; if the packet's message structure is an ESP protocol message, parsing the packet to obtain a security parameter index, and searching for an encryption algorithm and security specification based on the security parameter index; verifying the integrity of the ESP message in the packet according to the encryption algorithm and security specification; if the ESP message in the packet is complete, detecting the message sequence number of the ESP message in the packet to determine whether the packet is a replay attack; if the packet is not a replay attack, reverse decrypting the packet according to the encryption algorithm and security specification to obtain original IP data, and sending the original IP data to the core network layer for subsequent processing and forwarding.

[0122] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0123] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0124] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A ship-shore information communication method characterized by, The method includes: In response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirm whether the message structure of the data packet is an ESP protocol message; If the message structure of the data packet is an ESP protocol message, then the data packet is parsed to obtain the security parameter index, and the encryption algorithm and security specification are found according to the security parameter index; The integrity of the ESP message in the data packet is verified according to the encryption algorithm and security specifications. If the ESP message in the data packet is complete, the message sequence number of the ESP message in the data packet is detected to determine whether the data packet is a replay attack. If the data packet is a non-replay attack, the data packet is decrypted in reverse according to the encryption algorithm and security specifications to obtain the original IP data, and the original IP data is sent to the core network layer for subsequent processing and forwarding. The encryption algorithm includes the SM1 data encryption algorithm and the SM3 verification digest algorithm, and the security specification includes key information; The data packet includes an ESP message, the ESP message including an ESP header; and Parsing the data packet to obtain the security parameter index includes: Parse the ESP header to obtain the security parameter index; The ESP message also includes encrypted data and an ESP summary; and Verifying the integrity of the ESP message in the data packet according to the encryption algorithm and security specifications includes: According to the SM3 verification digest algorithm, the ESP header and encrypted data are verified and calculated to obtain a calculated value. The calculated value is then used for data authentication with the ESP digest to verify the integrity of the ESP message in the data packet. Based on the padding length at the end of the ESP, remove the padding information, record the next header information, and obtain the actual original data packet. If there is next header information, it means that the data packet is fragmented, and we need to wait for subsequent data packets to be reassembled until the data packet is complete. If the next header information is null, proceed directly to the next step. Send the original data packet to the core network layer of the shore base station for forwarding, and complete the decryption process of the received packet by the shore base station IPSec security gateway device.

2. The ship-shore information communication method according to claim 1, characterized by, The reverse decryption of the data packet according to the encryption algorithm and security specifications includes: Based on the SM1 data encryption algorithm and key information, the encrypted data is decrypted in reverse to obtain the original IP data and ESP tail.

3. The ship-shore information communication method according to claim 2, characterized by, Before sending the raw IP data to the core network layer, the process also includes: The ESP tail determines whether the data packet is fragmented. If fragmentation exists, subsequent data packets are received and reassembled until the complete original IP data is obtained, and then the complete original IP data is sent to the core network layer. If no fragmentation exists, the original IP data is sent directly to the core network layer.

4. The ship-shore information communication method according to any one of claims 1 to 3, characterized by, The encrypted data packet is obtained by the shore-based or ship-based system in tunnel mode through the following method: The encrypted data is obtained by encrypting the original data packet according to the SM1 data encryption algorithm. In this process, the ESP protocol combines the security parameter index and the message sequence number into an ESP header and adds it to the beginning of the encrypted data. According to the SM3 verification digest algorithm, the ESP header and the encrypted data are subjected to SM3 integrity verification calculation to obtain an ESP digest, which is then added to the end of the encrypted data. Finally, an external IP header is added to the beginning of the ESP header to form a complete encrypted data packet that can be transmitted in the tunnel.

5. A ship-to-shore information communication device, characterized in that, include: The first processing module is used to, in response to receiving an encrypted data packet from a ship-based or shore-based IPSec security gateway device, confirm whether the message structure of the data packet is an ESP protocol message. The second processing module is used to parse the data packet to obtain the security parameter index if the message structure of the data packet is an ESP protocol message, and to look up the encryption algorithm and security specification according to the security parameter index; The encryption algorithm includes the SM1 data encryption algorithm and the SM3 verification digest algorithm, and the security specification includes key information; The data packet includes an ESP message, the ESP message including an ESP header; and parsing the data packet to obtain a security parameter index includes: Parse the ESP header to obtain the security parameter index; The third processing module is used to verify the integrity of the ESP message in the data packet according to the encryption algorithm and security specifications. If the ESP message in the data packet is complete, the message sequence number of the ESP message in the data packet is detected to determine whether the data packet is a replay attack. The ESP message also includes encrypted data and an ESP digest; and verifies the integrity of the ESP message in the data packet according to the encryption algorithm and security specifications, including: According to the SM3 verification digest algorithm, the ESP header and encrypted data are verified and calculated to obtain a calculated value. The calculated value is then used for data authentication with the ESP digest to verify the integrity of the ESP message in the data packet. The fourth processing module is used to reverse decrypt the data packet according to the encryption algorithm and security specifications if the data packet is a non-replay attack, obtain the original IP data, and send the original IP data to the core network layer for subsequent processing and forwarding. Based on the padding length at the end of the ESP, remove the padding information, record the next header information, and obtain the actual original data packet. If there is next header information, it means that the data packet is fragmented, and we need to wait for subsequent data packets to be reassembled until the data packet is complete. If the next header information is null, proceed directly to the next step. Send the original data packet to the core network layer of the shore base station for forwarding, and complete the decryption process of the received packet by the shore base station IPSec security gateway device.

6. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the steps of the ship-to-shore information communication method as described in any one of claims 1 to 4.

7. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the ship-to-shore information communication method as described in any one of claims 1 to 4.