Method for verifying integrity of ethernet data packet

By splicing and encrypting verification data in data packets, the problem of complex packet splitting and merging is solved, achieving simple and efficient integrity verification and improving network utilization and accuracy.

CN116781394BActive Publication Date: 2026-07-14BEIJING JN TASS TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING JN TASS TECH
Filing Date
2023-07-20
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies require complex packet unpacking and repackaging operations for data packet integrity verification, leading to increased network traffic and latency.

Method used

Data M is formed by concatenating the data before and after the checksum in the upper-layer data packet, calculating the hash value CV using a digest algorithm, writing it into the checksum position, forming a data packet B, which is then encrypted and encapsulated. The receiving end decrypts the data and performs integrity verification.

Benefits of technology

Without changing the packet structure and length, the integrity verification process is simplified, network utilization is improved, network latency is reduced, and the accuracy of integrity verification is enhanced.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116781394B_ABST
    Figure CN116781394B_ABST
Patent Text Reader

Abstract

The application belongs to the field of computer communication security, and discloses an Ethernet data packet integrity verification method, which comprises the following steps: receiving and buffering an upper-layer data packet A; splicing the data before the check sum and the data after the check sum in the data packet A to form data M; calculating the Hash value CV of the data M by using a pre-set summary algorithm; writing the CV into the position of the check sum in the upper-layer data packet A to form a data packet B; encrypting the data packet B, and encapsulating the encrypted data packet B and a current-layer packet header to form a current-layer data packet C and send the current-layer data packet C to a receiving end; comparing the calculated CV' with the received check sum CV data, and if they are consistent, the integrity verification is passed, otherwise, the integrity verification fails. The data packet integrity verification method does not increase additional check data fields, and does not need to disassemble and assemble the data packet in the whole data packet integrity verification process, so that the integrity verification is more convenient.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer communication security, and specifically relates to a method for verifying the integrity of Ethernet data packets. Background Technology

[0002] Computer communication primarily relies on Ethernet-based network connections and communication. The Ethernet protocol suite operates at Layer 2 (Data Link Layer) and Layer 1 (Physical Layer) of the OSI model. Data link layer packets, generally called MAC packets, consist of a preamble, MAC header, upper-layer data (IP packets), and a checksum. Figure 1 As shown; the IP protocol belongs to the third layer (network layer) and is the most widely used transmission protocol. IP packets are network layer transmission packets, consisting of an IP packet header and IP data / payload (TCP / UDP packets). The IP packet header contains a two-byte header checksum, such as... Figure 2 As shown; TCP / UDP packets are as follows Figure 3 As shown.

[0003] Network encryption is generally divided into two-layer encryption and three-layer encryption. Two-layer encryption preserves the MAC header and checksum from the second layer, encrypting only the data / payload (i.e., IP packets) within the MAC packet. Three-layer encryption preserves the IP packet header, encrypting only the IP data / payload (i.e., TCP / UDP packets). Network encryption typically requires ensuring data confidentiality and integrity. For example, the IPsec protocol specifically specifies the addition of an authentication data field for verifying the integrity of the entire IP packet. This authentication data field is appended to the MAC / IP packet, increasing its length, often exceeding the MTU (Mean Transmission Unit). In such cases, the sender needs to split the MAC / IP packet into two packets and add authentication data to each. The receiver, in addition to verifying the integrity of the two packets, needs to reassemble them to reconstruct the original data packet.

[0004] The aforementioned unpacking and repackaging process not only complicates the processing, but also increases network traffic, reduces network utilization, and increases network latency.

[0005] Patent application number 202310216204.8, entitled "An Invention Patent for a Method of Encrypting and Decrypting IP Data Packets," describes an invention that extracts the IP packet header and plaintext data / payload from a plaintext IP packet. Based on the fields in the IP packet header, it obtains an encryption initialization vector (IPF), the position information of the plaintext IP packet within the upper-layer packet, and the length information of the plaintext data / payload. Based on the IPF, position information, length information, and a pre-negotiated key, it obtains a keystream data segment corresponding to the position information. The plaintext data / payload is then encrypted using the keystream data segment to generate ciphertext data / payload. Finally, the IP packet header and the ciphertext data / payload are combined and encapsulated to generate a ciphertext IP packet. This invention avoids the processes of unpacking, repackaging, and re-encapsulating the original data packet, thus improving encryption and decryption speed and reducing processing latency.

[0006] This invention only discusses integrity verification methods for two-layer and three-layer encryption, and does not discuss encryption methods or key management methods. Summary of the Invention

[0007] To address the aforementioned technical problems, this invention provides a method for verifying the integrity of Ethernet data packets, aiming to solve the problem that the operation of disassembling and reassembling packets during data packet integrity verification is quite complex.

[0008] In a first aspect, the present invention also provides a method for verifying the integrity of Ethernet packets, the method comprising:

[0009] S11: Receive and buffer upper-layer data packet A, and process the data before and after the checksum in data packet A.

[0010] Rows are concatenated to form data M;

[0011] S12: Calculate the hash value CV of data M using a pre-defined digest algorithm;

[0012] S13: Write the CV to the checksum position in the upper layer data packet A to form data packet B;

[0013] S14: Encrypt the data packet B, and encapsulate the encrypted data packet B and the header of this layer to form the data packet C of this layer and send it to the receiving end.

[0014] Furthermore, the upper-layer data packet A is an IP data packet / TCP data packet / UDP data packet.

[0015] Furthermore, the digest algorithm can be any specified HASH algorithm, or a keyed HMAC algorithm can be used.

[0016] Furthermore, before step S13, the CV data is compressed into 2 bytes using a compression algorithm.

[0017] Furthermore, the compression algorithm includes, but is not limited to, a multi-half XOR algorithm.

[0018] Furthermore, the specific method for compressing CV data to 2 bytes using the compression algorithm is as follows: If the data length of CN is 2N, then the multiple binary XOR algorithm is as follows:

[0019] XOR the first N bytes of CV with the last N bytes to get N bytes of CV1;

[0020] XOR the first 2 / N bytes of CV1 with the last 2 / N bytes to get 2 / N bytes of CV2;

[0021] XOR the first 4 / N bytes of CV2 with the last 4 / N bytes to get 4 / N bytes of CV3;

[0022] ……

[0023] XOR the first 2 bytes of CVM with the last 2 bytes to get 2 bytes CV(M+1).

[0024] Secondly, the present invention provides a method for verifying the integrity of Ethernet packets, the method comprising:

[0025] S21: Receive data packet C and decrypt it to obtain data packet B';

[0026] S22: Concatenate the data before and after the checksum in data packet B' to form data M';

[0027] S23: Calculate the hash value CV' of data M' using a pre-defined digest algorithm;

[0028] S24: Compare the checksum data in CV' and data packet B'. If they match, the integrity check passes; otherwise, it fails.

[0029] Furthermore, before step S23, the method further includes compressing the CV' data into 2 bytes using a compression algorithm.

[0030] Thirdly, the present invention provides a computer storage medium storing program instructions, wherein the program instructions, when running, control the device where the computer storage medium is located to execute any of the above-mentioned Ethernet packet integrity verification methods.

[0031] Fourthly, the present invention provides a processor for running a program, wherein the program executes the Ethernet packet integrity verification method described above during runtime.

[0032] Compared with the prior art, the beneficial effects of the present invention are as follows: (1) By concatenating, hashing and compressing the data before and after the checksum in the upper layer data packet to obtain the checksum data, and writing this checksum data into the checksum position in the upper layer data packet for verification, without adding an extra checksum data field; the present invention can achieve the same effect as adding an extra checksum data field without changing the structure and length of the data packet, and the entire data packet integrity verification process does not require disassembling and reassembling packets, making integrity verification simpler, improving network utilization and reducing network latency caused by encryption. (2) By encrypting the entire upper layer data packet, if an attacker wants to modify any content of the data, they need to simultaneously replace the ciphertext of the checksum data, which can be considered impossible, making the data packet integrity verification process more accurate. Attached Figure Description

[0033] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.

[0034] Figure 1 This is the MAC data packet format of the present invention;

[0035] Figure 2 This is the IP packet format of the present invention;

[0036] Figure 3 This is the TCP packet format of the present invention;

[0037] Figure 4 This is the UDP packet format of the present invention;

[0038] Figure 5 This is a flowchart of the Ethernet packet integrity verification method according to Embodiment 1 of the present invention;

[0039] Figure 6 This is a flowchart of the Ethernet packet integrity verification method according to Embodiment 2 of the present invention;

[0040] Figure 7 This is a flowchart of the Ethernet packet integrity verification method described in Embodiment 3 of the present invention. Detailed Implementation

[0041] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. Obviously, the specific embodiments described herein are merely illustrative of the invention and represent only a portion, not all, of the embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of this invention without inventive effort are within the scope of protection of this invention.

[0042] It should be noted that if the embodiments of the present invention involve descriptions such as "first," "second," and "third," these descriptions are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated. Therefore, a feature defined with "first," "second," and "third" may explicitly or implicitly include at least one of those features. Furthermore, the technical solutions of the various embodiments can be combined with each other, but this must be based on the ability of those skilled in the art to implement them. When the combination of technical solutions is contradictory or impossible to implement, it should be considered that such a combination of technical solutions does not exist and is not within the scope of protection claimed by the present invention.

[0043] Example 1

[0044] Figure 5 The diagram shown is a flowchart of a first embodiment of the Ethernet packet integrity verification method provided by the present invention. The flowchart specifically includes:

[0045] S11: Receive and buffer the upper-layer data packet A, and concatenate the data before and after the checksum in data packet A to form data M;

[0046] Specifically, for Layer 2 encryption, the data link layer receives IP packets transmitted from the network layer. The specific structure of the IP packets is as follows: Figure 2 As shown, the data before and after the IP packet checksum are concatenated to form data M.

[0047] For three-layer encryption, the network layer receives TCP / UDP packets transmitted by the transport layer. The specific structure of the TCP packet is as follows: Figure 3 As shown, the specific structure of a UDP packet is as follows: Figure 4 As shown, the data before and after the checksum of the TCP / UDP data packet are concatenated to form data M.

[0048] S12: Calculate the hash value CV of data M using a pre-defined digest algorithm;

[0049] Specifically, CV = SM3(M), and the pre-set digest algorithm can be any specified HASH algorithm, such as MD4, MD5, etc., or a keyed HMAC algorithm can be used.

[0050] S13: Write the CV to the checksum position in the upper layer data packet A to form data packet B;

[0051] Specifically, for layer 2 encryption, the CV data is written to the location of the IP packet checksum. For layer 3 encryption, the CV data is written to the location of the TCP / UDP packet checksum.

[0052] S14: Encrypt the data packet B, and encapsulate the encrypted data packet B and the header of this layer to form the data packet C of this layer and send it to the receiving end.

[0053] Specifically, for Layer 2 encryption, encrypted IP packets and MAC headers are encapsulated to form MAC packets. For Layer 3 encryption, encrypted TCP / UDP packets and IP headers are encapsulated to form IP packets.

[0054] In this embodiment, under Layer 2 encryption, the actual encryption is of IP data packets. This invention replaces the checksum in the IP data packet header with a checksum CV, enabling integrity verification of the entire IP data packet without increasing its length. Under Layer 3 encryption, the actual encryption is of TCP / UDP data packets. This invention replaces the checksum in the TCP / UDP data packet header with a checksum CV, enabling integrity verification of the entire TCP / UDP data packet without increasing its length. This embodiment achieves data packet integrity verification without changing the data packet structure or increasing its length, avoiding the complex packet splitting and reassembly operations required for integrity verification. It also improves network utilization and reduces network latency caused by encryption.

[0055] Example 2

[0056] Figure 6 The diagram shown is a flowchart of a second embodiment of the Ethernet packet integrity verification method provided by the present invention. The flowchart specifically includes:

[0057] S11: Receive and buffer the upper-layer data packet A, and concatenate the data before and after the checksum in data packet A to form data M;

[0058] Specifically, for Layer 2 encryption, the data link layer receives IP packets transmitted from the network layer. The specific structure of the IP packets is as follows: Figure 2 As shown, the data before and after the IP packet checksum are concatenated to form data M.

[0059] For three-layer encryption, the network layer receives TCP / UDP packets transmitted by the transport layer. The specific structure of the TCP packet is as follows: Figure 3 As shown, the specific structure of a UDP packet is as follows: Figure 4 As shown, the data before and after the checksum of the TCP / UDP data packet are concatenated to form data M.

[0060] S12: Calculate the hash value CV of data M using a pre-defined digest algorithm;

[0061] Specifically, CV = SM3(M), where CV is 32 bytes. The pre-defined hash algorithm can be any specified hash algorithm, such as MD4, MD5, etc., or a keyed HMAC algorithm can be used.

[0062] S13: Compress the CV data to 2 bytes using a compression algorithm;

[0063] Specifically, HASH and HMAC algorithms typically generate long data, while IP packets and TCP / UDP checksums are 2 bytes. Therefore, CV data needs to be compressed to 2 bytes. Specific compression algorithms can include multiple binary XOR operations, truncation, etc., which are not limited here. The specific steps for compressing CV data using the multiple binary XOR method are as follows:

[0064] a) XOR the first 16 bytes of CV with the last 16 bytes to get 16 bytes of CV1.

[0065] b) XOR the first 8 bytes of CV1 with the last 8 bytes to obtain 8 bytes of CV2.

[0066] c) XOR the first 4 bytes of CV2 with the last 4 bytes to obtain 4 bytes of CV3.

[0067] d) XOR the first 2 bytes of CV3 with the last 2 bytes to obtain 2 bytes of CV4.

[0068] S14: Write the CV to the checksum position in the upper layer data packet A to form data packet B;

[0069] Specifically, for layer 2 encryption, the compressed CV data, i.e., CV4, is written to the IP packet checksum location. For layer 3 encryption, the compressed CV data, i.e., CV4, is written to the TCP / UDP packet checksum location.

[0070] S15: Encrypt the data packet B, and encapsulate the encrypted data packet B and the header of this layer to form the data packet C of this layer and send it to the receiving end.

[0071] Specifically, for Layer 2 encryption, encrypted IP packets and MAC headers are encapsulated to form MAC packets. For Layer 3 encryption, encrypted TCP / UDP packets and IP headers are encapsulated to form IP packets.

[0072] In this embodiment, by compressing the verification data (CV) to 2 bytes, the digest algorithm applicable to the data packet is broadened, improving the applicability of the data packet verification method. This embodiment achieves data packet integrity verification without changing the data packet structure or increasing the data packet length, avoiding the complex operations of splitting and reassembling packets during integrity verification. It also improves network utilization and reduces network latency caused by encryption.

[0073] Example 3

[0074] Figure 7 The diagram shows a flowchart of a third embodiment of the Ethernet packet integrity verification method provided by the present invention. The flowchart specifically includes:

[0075] S21: Receive data packet C and decrypt it to obtain data packet B';

[0076] Specifically, for layer 2 encryption, MAC packets are received and decrypted using a pre-set key to obtain IP packets. For layer 3 encryption, IP packets are received and decrypted using a pre-set key to obtain TCP / UDP packets.

[0077] S22: Concatenate the data before and after the checksum in data packet B' to form data M';

[0078] Specifically, for two-layer encryption, the data before and after the checksum of the decrypted IP packet are concatenated to form data M'. For three-layer encryption, the data before and after the checksum of the decrypted TCP / UDP packet are concatenated to form data M'.

[0079] S23: Calculate the hash value CV' of data M' using a pre-defined digest algorithm;

[0080] S24: Compare the checksum data in CV' and data packet B'. If they match, the integrity check passes; otherwise, it fails.

[0081] Specifically, for two-layer encryption, the calculated CV' data is compared with the IP packet checksum position data obtained from decrypting the received data packet. If they match, the integrity check passes; otherwise, it fails. Similarly, for three-layer encryption, the calculated CV' data is compared with the TCP / UDP packet checksum position data obtained from decrypting the received data packet. If they match, the integrity check passes; otherwise, it fails.

[0082] Furthermore, prior to step S24, the CV' data is compressed into 2 bytes using a compression algorithm.

[0083] In this embodiment, the integrity of the data packet is achieved by comparing the consistency between the calculated verification data and the received verification data.

[0084] According to another aspect of the present invention, a computer storage medium is provided, which stores program instructions, wherein the program instructions, when executed, control the device where the computer storage medium is located to execute the Ethernet packet integrity verification method described above.

[0085] According to another aspect of the present invention, a processor is provided for running a program, wherein the program executes the Ethernet packet integrity verification method described above.

[0086] The above embodiments merely illustrate preferred embodiments of the present invention, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of this patent should be determined by the appended claims.

Claims

1. A method for verifying the integrity of Ethernet packets, characterized in that, Includes the following steps: S11: Receive and buffer the upper-layer data packet A, and concatenate the data before and after the checksum in the data packet A to form data M; S12: Calculate the hash value CV of the data M using a pre-defined digest algorithm; S13: Write the CV into the checksum position of the upper layer data packet A to form data packet B; before step S13, the method further includes compressing the CV data into 2 bytes using a compression algorithm; S14: Encrypt the data packet B, and encapsulate the encrypted data packet B and the header of this layer to form the data packet C of this layer and send it to the receiving end.

2. The Ethernet packet integrity verification method according to claim 1, characterized in that, The upper-layer data packet A is an IP data packet / TCP data packet / UDP data packet.

3. The Ethernet packet integrity verification method according to claim 1, characterized in that, The digest algorithm is either a HASH algorithm or a keyed HMAC algorithm.

4. The Ethernet packet integrity verification method according to claim 1, characterized in that, The compression algorithm is a multiple-half XOR algorithm.

5. The Ethernet packet integrity verification method according to claim 4, characterized in that, The specific steps for compressing the CV data to 2 bytes using a compression algorithm are as follows: If the CV data length is 2N, then the multiple binary XOR algorithm is as follows: XOR the first N bytes of the CV with the last N bytes to obtain N bytes of CV1; XOR the first N / 2 bytes and the last N / 2 bytes of CV1 to obtain N / 2 bytes of CV2; XOR the first N / 4 bytes and the last N / 4 bytes of CV2 to obtain N / 4 bytes of CV3; ……. XOR the first 2 bytes of CVM with the last 2 bytes to get 2 bytes CV(M+1).

6. A method for verifying the integrity of Ethernet packets, characterized in that, Includes the following steps: S21: Receive data packet C and decrypt it to obtain data packet B'; S22: Concatenate the data before and after the checksum in the data packet B' to form data M'; S23: Calculate the hash value CV' of the data M' using a pre-set digest algorithm, and compress the CV' data into 2 bytes using a compression algorithm; S24: Compare the checksum data in CV' and data packet B'. If they match, the integrity check passes; otherwise, it fails.

7. A computer storage medium, characterized in that, The computer storage medium stores program instructions, wherein when the program instructions are executed, they control the device where the computer storage medium is located to execute the Ethernet packet integrity verification method according to any one of claims 1 to 6.

8. A processor, characterized in that, The processor is used to run a program, wherein the program executes the Ethernet packet integrity verification method according to any one of claims 1 to 6.