A P2P VPN Method Based on Chinese Cryptographic Algorithms

Abstract

The application discloses a kind of P2P VPN based on national secret algorithm method, belong to network security and virtual private network technical field.The method includes node registration, three-layer architecture construction, identity authentication and key negotiation, P2P communication channel establishment and data encryption verification steps: through service node forwarding node identity information and public key to authentication node to complete registration, construct authentication node-service node-common node three-layer architecture, identity authentication and key exchange are realized using asymmetric national secret algorithm, P2P channel is established between nodes directly or with the aid of service node, data is encrypted by symmetric national secret algorithm, and the integrity is verified by hash national secret algorithm.The method effectively avoids the central bottleneck and single point failure of traditional VPN, ensures the autonomous security and compliance of data transmission, improves transmission efficiency and network stability, and adapts to diversified network communication scenarios.

Description

Technical Field

[0001] This invention relates to the fields of network security and virtual private network technology, and in particular to a P2P VPN method based on Chinese national cryptographic algorithms. Background Technology

[0002] With the rapid development of the Internet and IoT technologies, the security and reliability of network data transmission have become a core concern for various industries. Virtual Private Networks (VPNs), as a key technology for building private communication channels, have been widely used in many scenarios such as enterprise intranet interconnection, remote office, and IoT device communication. Currently, VPN technology is mainly divided into two categories: client / server (C / S) architecture and peer-to-peer (P2P) architecture. The traditional C / S architecture relies on a central gateway to forward data and occupies a certain market share in large-scale applications; while the P2P architecture, with its decentralized characteristics, is gradually becoming an important direction for solving large-scale node communication, and related open-source projects have also been promoted to a certain extent. At the same time, my country's requirements for independent control of network security are increasing. National cryptographic algorithms such as SM2, SM3, and SM4 have become mandatory compliance standards for network security products and are widely used in traditional IPsec VPNs, SSL VPNs, and other products, promoting the standardized development of domestic network security technology. In addition, the maturity of protocols such as Message Queuing Telemetry Transport (MQTT) provides technical support for the construction of distributed network architectures, further improving the scalability and compatibility of VPN networks, and gradually optimizing the access and interaction efficiency of various nodes.

[0003] Despite the widespread application of VPN technology, existing technologies still face numerous unresolved issues. In terms of architecture, traditional client / server (C / S) architectures suffer from a central bottleneck, requiring all data to be forwarded through a central server. While some P2P VPN solutions are decentralized, they lack a robust layered architecture, leading to chaotic node management, uneven load distribution, and difficulties in efficient node scheduling and resource allocation. Regarding security, mainstream VPN solutions often rely on international algorithms, posing potential security risks and failing to meet my country's strategic requirements of "independent security and controllability." Furthermore, some solutions lack rigorous authentication mechanisms, making it difficult to effectively verify the legitimacy of node access, and the security of the key negotiation process is insufficient. In terms of communication efficiency and stability, the establishment of point-to-point connections between nodes is often limited by factors such as Network Address Translation (NAT), resulting in a low connection success rate. Simultaneously, the lack of robust encryption and integrity verification mechanisms during data transmission makes data tampering and leakage a serious concern. Finally, the lack of a unified registration and filing process, coupled with fragmented node identity information and key management, negatively impacts the security and manageability of the entire VPN network. These problems are intertwined, making it difficult for existing VPN solutions to simultaneously meet the practical application requirements in terms of security, autonomy, stability, and efficiency. There is an urgent need for a technical solution that balances architectural rationality, security and autonomy, and communication efficiency. Summary of the Invention

[0004] The purpose of this invention is to overcome the shortcomings of the prior art and provide a P2P VPN method based on Chinese cryptographic algorithms.

[0005] The objective of this invention is achieved through the following technical solution:

[0006] A P2P VPN method based on Chinese national cryptographic algorithms is provided, which includes the following steps:

[0007] S1. Receive the registration request initiated by the node, extract the node identity information in the request, obtain the key pair generated by the node, and forward the node identity information and the public key in the key pair to the authentication node through the service node. The authentication node collects and organizes the information and completes the filing.

[0008] S2. Construct a three-layer network architecture consisting of authentication nodes, service nodes, and ordinary nodes. Bind service nodes to authentication nodes through a proxy protocol. Use an asymmetric national cryptographic algorithm to verify the identity information of nodes and the public key of the record to complete identity authentication. Then, use the same asymmetric national cryptographic algorithm to complete key exchange between nodes to be communicated and generate session keys.

[0009] S3. After identity authentication is successful, nodes directly initiate point-to-point connection requests, detect network connectivity, and choose to establish a point-to-point communication channel directly or with the assistance of a service node based on the detection results.

[0010] S4. In the established communication channel, the plaintext data is encrypted using a symmetric national cryptographic algorithm, and the integrity of the transmitted data and session key is verified using a hash-based national cryptographic algorithm. After the receiver completes the ciphertext decryption and integrity verification, the data transmission is completed.

[0011] Furthermore, step S1 includes the following sub-steps:

[0012] S1.1. Ordinary nodes select the nearest service node or the service node with a load below a preset threshold based on network conditions to initiate a registration request. The service node receives the registration request and extracts the node identity information from it.

[0013] S1.2. Obtain the key pair containing the public and private keys generated during the node's initial registration. The node extracts the public key separately and submits it to the service node.

[0014] S1.3. The service node forwards its identity information and public key to the authentication node through a preset message subject;

[0015] S1.4. The authentication node categorizes and organizes the received information, establishes a dedicated filing list, and completes the filing process.

[0016] Furthermore, step S2 includes the following sub-steps:

[0017] S2.1. When building a three-layer network architecture, the authentication node is deployed in a highly secure and stable network environment, the service node is deployed in a distributed manner, and the ordinary nodes access the VPN through a virtual network card;

[0018] S2.2. The message queue telemetry transmission protocol is used as the proxy protocol to bind service nodes and authentication nodes, forming a proxy network of multiple service nodes mapping to a single authentication node;

[0019] S2.3. When performing identity authentication, the node first signs the identity information with its own private key, and then sends the signature information and public key to the service node, which then forwards it to the authentication node.

[0020] S2.4. After the authentication node extracts the public key for recordation and completes the signature verification, the waiting communication node executes the key exchange process through the asymmetric national cryptographic algorithm to generate the session key.

[0021] Furthermore, step S2.3 includes the following sub-steps:

[0022] S2.3.1. A regular node uses its own private key to sign its node identity information, generating signed identity information;

[0023] S2.3.2. Send the signed identity information along with your public key to the service node;

[0024] S2.3.3. The service node forwards the received signature information and public key to the authentication node, and the authentication node extracts the corresponding public key from the registration list;

[0025] S2.3.4. Use an asymmetric national cryptographic algorithm to verify the signature with the public key used for registration. If the signatures match, the identity is confirmed as legitimate; otherwise, the registration request is rejected.

[0026] Furthermore, step S2.4 includes the following sub-steps:

[0027] S2.4.1. The first node generates a random number, calculates the corresponding elliptic curve point according to the preset elliptic curve parameters, and sends it to the second node;

[0028] S2.4.2. After receiving the data, the second node generates its own random number, calculates the corresponding elliptic curve point based on the same elliptic curve parameters, and returns it.

[0029] S2.4.3. The first node calculates by combining its own private key with the received elliptic curve points, and the second node calculates by combining its own private key with the sent elliptic curve points.

[0030] S2.4.4. The two nodes obtain the same session key through the same calculation rules and complete the key negotiation.

[0031] Furthermore, in step S2, the agent program is first deployed and communication parameters are configured; the IP address and port mapping relationship between the service node and the authentication node is established through the agent program; after the agent network is built, the dynamic expansion monitoring mechanism is enabled; when the network load is detected to increase, the load balancing strategy is triggered to distribute registration requests and data forwarding tasks to each service node.

[0032] Furthermore, in step S2.1, after the service nodes are deployed in a distributed manner, they continuously report their own operating status and load information to the authentication nodes. When a service node fails, it sends a fault notification to the authentication nodes and other nodes through a will message. After receiving the fault notification, the ordinary nodes scan other currently online service nodes, filter out service nodes with loads below a preset threshold, and initiate a reconnection request to the service nodes with loads below the preset threshold to complete the service node switchover and achieve fault transfer.

[0033] Furthermore, in step S3, after a node initiates a point-to-point connection request, it sends a network probe message to detect the connectivity status of both parties; if network address translation traversal is required, it sends an address negotiation request to the service node; after receiving the request, the service node obtains the address information of both parties and forwards it; the node completes the negotiation based on the received address information; if an abnormal interruption occurs during the connection process, the service node's data forwarding takeover mechanism is triggered, and the service node temporarily forwards the data.

[0034] Furthermore, in step S4, when using the symmetric national cryptographic algorithm, the plaintext data is first grouped into groups of a preset length; padding is performed on data that is not long enough for a group; ciphertext is generated through multiple rounds of iterative encryption based on the session key; after the receiver obtains the ciphertext, it uses the session key to generate a round key; the plaintext is decrypted and restored through multiple rounds of inverse iterative operations; when using the hash-based national cryptographic algorithm, the hash value of the transmitted data and the session key is first calculated; the hash value is transmitted along with the data; the receiver recalculates the hash value and compares it with the transmitted hash value.

[0035] Furthermore, in step S4, before encrypting with the symmetric national cryptographic algorithm, the characteristics of the application scenario of the data transmission are first determined; according to the scenario characteristics, the corresponding encryption mode is selected from the cryptographic block linking mode, electronic codebook mode, ciphertext feedback mode and output feedback mode; the encryption parameters of the symmetric national cryptographic algorithm are configured according to the selected encryption mode, and then block filling and iterative encryption operations are performed on the plaintext data.

[0036] The beneficial effects of this invention are:

[0037] (1) By relying on node registration and filing, three-layer architecture construction, national cryptographic algorithm encryption and verification and P2P communication channel establishment, the central bottleneck of traditional VPN is effectively avoided, and the security and autonomy of data transmission are guaranteed;

[0038] (2) By leveraging the distributed deployment, dynamic expansion and failover mechanisms of service nodes, coupled with load balancing strategies, the continuity and stability of network operation are greatly improved, adapting to different network load scenarios.

[0039] (3) Integrating the technical advantages of point-to-point direct communication and the full-link application of national cryptographic algorithms, reducing intermediate links in data transmission, balancing transmission efficiency and compliance, and meeting diverse network communication needs. Attached Figure Description

[0040] Figure 1 A flowchart illustrating the steps of a P2P VPN method based on Chinese cryptographic algorithms;

[0041] Figure 2 A flowchart illustrating the specific steps of a P2P VPN method based on Chinese cryptographic algorithms is provided for this embodiment.

[0042] Figure 3 The diagram shows a three-layer P2P VPN network architecture based on Chinese cryptographic algorithms, provided for an example. Detailed Implementation

[0043] The technical solution of the present invention will be clearly and completely described below with reference to the embodiments. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0044] Example 1

[0045] See Figure 1 This paper provides a P2P VPN method based on Chinese national cryptographic algorithms, which includes the following steps:

[0046] S1. Receive the registration request initiated by the node, extract the node identity information in the request, obtain the key pair generated by the node, and forward the node identity information and the public key in the key pair to the authentication node through the service node. The authentication node collects and organizes the information and completes the filing.

[0047] S2. Construct a three-layer network architecture consisting of authentication nodes, service nodes, and ordinary nodes. Bind service nodes to authentication nodes through a proxy protocol. Use an asymmetric national cryptographic algorithm to verify the identity information of nodes and the public key of the record to complete identity authentication. Then, use the same asymmetric national cryptographic algorithm to complete key exchange between nodes to be communicated and generate session keys.

[0048] S3. After identity authentication is successful, nodes directly initiate point-to-point connection requests, detect network connectivity, and choose to establish a point-to-point communication channel directly or with the assistance of a service node based on the detection results.

[0049] S4. In the established communication channel, the plaintext data is encrypted using a symmetric national cryptographic algorithm, and the integrity of the transmitted data and session key is verified using a hash-based national cryptographic algorithm. After the receiver completes the ciphertext decryption and integrity verification, the data transmission is completed.

[0050] Step S1 includes the following sub-steps:

[0051] S1.1. Ordinary nodes select the nearest service node or the service node with a load below a preset threshold based on network conditions to initiate a registration request. The service node receives the registration request and extracts the node identity information from it.

[0052] S1.2. Obtain the key pair containing the public and private keys generated during the node's initial registration. The node extracts the public key separately and submits it to the service node.

[0053] S1.3. The service node forwards its identity information and public key to the authentication node through a preset message subject;

[0054] S1.4. The authentication node categorizes and organizes the received information, establishes a dedicated filing list, and completes the filing process.

[0055] Step S2 includes the following sub-steps:

[0056] S2.1. When building a three-layer network architecture, the authentication node is deployed in a highly secure and stable network environment, the service node is deployed in a distributed manner, and the ordinary nodes access the VPN through virtual network cards;

[0057] S2.2. The message queue telemetry transmission protocol is used as the proxy protocol to bind service nodes and authentication nodes, forming a proxy network of multiple service nodes mapping to a single authentication node;

[0058] S2.3. When performing identity authentication, the node first signs the identity information with its own private key, and then sends the signed information and public key to the service node, which then forwards it to the authentication node.

[0059] S2.4. After the authentication node extracts the public key for recordation and completes the signature verification, the waiting communication node executes the key exchange process through the asymmetric national cryptographic algorithm to generate the session key.

[0060] Step S2.3 includes the following sub-steps:

[0061] S2.3.1. A regular node uses its own private key to sign its node identity information, generating signed identity information;

[0062] S2.3.2. Send the signed identity information along with your public key to the service node;

[0063] S2.3.3. The service node forwards the received signature information and public key to the authentication node, and the authentication node extracts the corresponding public key from the registration list;

[0064] S2.3.4. Use an asymmetric national cryptographic algorithm to verify the signature with the public key used for registration. If the signatures match, the identity is confirmed as legitimate; otherwise, the registration request is rejected.

[0065] Step S2.4 includes the following sub-steps:

[0066] S2.4.1. The first node generates a random number, calculates the corresponding elliptic curve point according to the preset elliptic curve parameters, and sends it to the second node;

[0067] S2.4.2. After receiving the data, the second node generates its own random number, calculates the corresponding elliptic curve point based on the same elliptic curve parameters, and returns it.

[0068] S2.4.3. The first node calculates by combining its own private key with the received elliptic curve points, and the second node calculates by combining its own private key with the sent elliptic curve points.

[0069] S2.4.4. The two nodes obtain the same session key through the same calculation rules and complete the key negotiation.

[0070] In step S2, the agent program is first deployed and communication parameters are configured; the agent program establishes the IP address and port mapping relationship between the service node and the authentication node; after the agent network is built, the dynamic expansion monitoring mechanism is enabled; when the network load is detected to increase, the load balancing strategy is triggered to distribute registration requests and data forwarding tasks to each service node.

[0071] In step S2.1, after the service nodes are deployed in a distributed manner, they continuously report their own operating status and load information to the authentication nodes. When a service node fails, it sends a failure notification to the authentication nodes and other nodes through a will message. After receiving the failure notification, the ordinary nodes scan other currently online service nodes, filter out service nodes with loads below a preset threshold, and initiate a reconnection request to the service nodes with loads below the preset threshold to complete the service node switchover and achieve failover.

[0072] In step S3, after a node initiates a point-to-point connection request, it sends a network probe message to detect the connectivity status between the two parties. If network address translation traversal is required, it sends an address negotiation request to the service node. After receiving the request, the service node obtains the address information of both parties and forwards it. The node completes the negotiation based on the received address information. If an abnormal interruption occurs during the connection process, the service node's data forwarding takeover mechanism is triggered, and the service node temporarily forwards the data.

[0073] In step S4, when using the symmetric national cryptographic algorithm, the plaintext data is first grouped into groups of a preset length; padding is performed on data that is not long enough for a group; ciphertext is generated through multiple rounds of iterative encryption based on the session key; after the receiver obtains the ciphertext, it uses the session key to generate a round key; the ciphertext is decrypted and the plaintext is restored through multiple rounds of inverse iterative operations; when using the hash-based national cryptographic algorithm, the hash value of the transmitted data and the session key is first calculated; the hash value is transmitted along with the data; the receiver recalculates the hash value and compares it with the transmitted hash value.

[0074] In step S4, before encrypting with the symmetric national cryptographic algorithm, the characteristics of the application scenario of the data transmission are first determined; according to the scenario characteristics, the corresponding encryption mode is selected from the cryptographic block linking mode, electronic codebook mode, ciphertext feedback mode and output feedback mode; the encryption parameters of the symmetric national cryptographic algorithm are configured according to the selected encryption mode, and then block filling and iterative encryption operations are performed on the plaintext data.

[0075] Example 2

[0076] This paper provides a specific implementation process for a P2P VPN method based on Chinese national cryptographic algorithms, such as... Figure 2 As shown, the specific steps are as follows:

[0077] S1. The node initiates a registration application and submits relevant information. The service node forwards the information to the authentication node, and the authentication node completes the information filing and archiving.

[0078] S1.1. When a regular node first accesses the network, it scans for available service nodes and selects those that meet preset conditions based on network latency, link stability, and load. The node then initiates a registration request to the selected service node. The service node listens for registration requests in real time, receives the request, parses the message, and extracts node identity information such as node identifier and basic device information.

[0079] S1.2. Ordinary nodes create a key pair containing a public and private key through the built-in key generation module. The key pair generation process follows the key generation specifications of the asymmetric national cryptographic algorithm. After generation, the key pair is encrypted and stored locally. At the same time, the public key is extracted separately, packaged into a message packet according to the preset data format, and submitted to the service node.

[0080] S1.3. The service node performs integrity verification on the received node identity information and public key information packet, checking whether the data fields are complete and whether the format conforms to the transmission standard. After the verification is successful, a forwarding message is constructed based on the preset MQTT topic, forwarding the node identity information and public key together to the authentication node. During the forwarding process, the message transmission mechanism of the MQTT protocol is followed to ensure that the information is not lost or tampered with.

[0081] S1.4. After receiving the information forwarded by the service node, the authentication node initiates the information processing flow, classifies and organizes the information according to the node's identity identifier, establishes a dedicated filing list containing node identity information, public key, registration time, etc., encrypts and stores the filing list and maintains it in real time, and completes the filing and archiving of node information to provide data support for subsequent identity authentication and access control.

[0082] S1.5. After the authentication node completes the filing, it generates a filing confirmation message, which is then sent to the ordinary nodes through the service nodes. Upon receiving the confirmation message, the ordinary nodes confirm that the registration application has been submitted to the authentication node and await the start of the identity authentication process.

[0083] S2. Establish a three-layer network architecture and complete node binding. Perform identity authentication and key negotiation using an asymmetric national cryptographic algorithm to generate a session key.

[0084] S2.1. A three-tier distributed network architecture consisting of authentication nodes, service nodes, and ordinary nodes is constructed according to the pre-defined architecture design. Authentication nodes are deployed in a highly secure and stable network environment with physical isolation, access control, and security auditing functions, focusing on identity management and key distribution. Service nodes adopt a multi-site distributed deployment mode, covering different network areas to improve network coverage and fault tolerance. Ordinary nodes create virtual network interfaces through virtual network cards to complete the basic access configuration with the VPN network.

[0085] S2.1.1. After the service node is deployed, the status monitoring and reporting module is started to continuously collect its own CPU utilization, memory usage, connection count, and other operating status and load information, and report to the authentication node at preset time intervals to ensure that the authentication node has real-time knowledge of the working status of each service node:

[0086] S2.1.2. Deploy a proxy program between the service node and the authentication node, and configure the proxy program's communication port, transmission protocol, timeout retransmission, and other parameters to ensure communication compatibility between the proxy program and the two endpoints:

[0087] S2.1.3. Establish IP address and port mapping between the service node and the authentication node through a proxy program, enabling the service node to accurately identify and forward various requests and instructions directed to the authentication node:

[0088] S2.1.4. After completing the mapping configuration between multiple service nodes and authentication nodes, construct a proxy network that maps multiple service nodes to a single authentication node, enable the dynamic scaling monitoring mechanism, and monitor the changes in request volume and load pressure of each service node in the network in real time:

[0089] S2.2. The message queue telemetry transmission protocol is adopted as the communication protocol of the proxy network. The message transmission parameters of the service node and the authentication node are configured, including message queue size, transmission timeout time, retransmission number threshold, etc., to achieve stable binding between the service node and the authentication node, ensuring that requests and data are transmitted in an orderly and efficient manner in the proxy network, and avoiding congestion or data loss.

[0090] S2.3. The authentication node initiates the identity authentication process, verifying the legitimacy of the ordinary node's identity using an asymmetric national cryptographic algorithm:

[0091] S2.3.1. After receiving the authentication start command, a regular node calls its locally stored private key and uses an asymmetric national cryptographic algorithm to digitally sign its own node identity information, generating signature data that is unique and unforgeable:

[0092] S2.3.2. Ordinary nodes combine and encapsulate the signature data with their own public key, adding auxiliary information such as a message header and a message checksum. The message header includes the node identifier, message type, and sending time. The message checksum is used by the service node to verify message integrity. After encapsulation, the message is sent to the service node.

[0093] S2.3.3. After receiving the encapsulated message, the service node first verifies the message checksum using a preset verification algorithm to confirm that the message has not been tampered with or damaged during transmission. If the verification passes, the message is parsed, the signature data and public key are extracted, and then the message is forwarded to the authentication node. The authentication node, based on the node identifier in the message, extracts the registration public key corresponding to the ordinary node from the registration list.

[0094] S2.3.4. The authentication node uses the same asymmetric national cryptographic algorithm as the ordinary node when signing. It uses the extracted public key for registration to verify the signature data, comparing the signature data with the verification result. If they match, the ordinary node is deemed legitimate and allowed to access the network; if they do not match, authentication fails, the ordinary node's registration request is rejected, and the service node returns an authentication failure message and reason.

[0095] S2.4. If a regular node that has passed authentication needs to communicate with other nodes, it initiates a key negotiation process and generates a session key using an asymmetric national cryptographic algorithm:

[0096] S2.4.1. The first node initiating communication generates a random number. Based on the preset elliptic curve parameters and the calculation rules of the asymmetric national cryptographic algorithm, it performs calculations on the random number to obtain the corresponding elliptic curve point. This elliptic curve point is then formatted to meet network transmission requirements before being sent to the second node.

[0097] S2.4.2. After receiving the elliptic curve points sent by the first node, the second node verifies their format and validity. If the verification passes, it generates its own random number, calculates the corresponding elliptic curve points based on the same elliptic curve parameters and calculation rules as the first node, converts the format of the elliptic curve points, and returns them to the first node.

[0098] S2.4.3. After receiving the elliptic curve points returned by the second node, the first node combines the private key corresponding to its own generated random number with the received elliptic curve points, and calculates according to the preset key derivation algorithm to generate key material:

[0099] S2.4.4. The second node combines the private key corresponding to the random number it generated with the elliptic curve points previously sent to the first node, and uses the same key derivation algorithm as the first node to calculate and generate the same key material:

[0100] S2.4.5. The first and second nodes process the key materials respectively, generate a session key for encrypted data transmission through the key expansion mechanism, store the session key in the local key cache module, and encrypt it to complete the key negotiation process:

[0101] S2.5. When the dynamic capacity expansion monitoring mechanism detects an increase in network load and the load pressure on some service nodes exceeds a preset threshold, a load balancing strategy is triggered. The system calculates the carrying capacity of each service node based on factors such as the real-time load of each service node, network latency, and link stability, and evenly distributes new registration requests and data forwarding tasks to each service node to avoid overloading a single service node and ensure that the processing efficiency and response speed of the entire network remain at a stable level.

[0102] S3. Nodes that have passed authentication initiate connection requests, check network status, and establish a point-to-point communication channel to ensure continuous data transmission:

[0103] S3.1. Once an ordinary node has passed authentication, it initiates a point-to-point connection request to the target node according to communication needs. The connection request message includes basic information such as its own network identifier, communication port, and supported transmission protocols. After being encapsulated according to a preset communication protocol format, it is sent to the target node.

[0104] S3.2. After the connection request is sent, the initiating node sends network probe packets at a preset frequency. The probe packets contain information such as connection identifier and probe sequence number. After receiving the probe packets, the receiving node returns a response packet in the agreed format. Based on the reception status of the response packet, response delay, and other parameters, the initiating node determines the network connectivity status, network type, and whether there is a network address translation (NAT) traversal requirement between the two parties.

[0105] S3.3. If the initiating node determines from the probe results that both parties have a network address translation (NAT) traversal requirement, i.e., it cannot directly obtain the other party's real network address, the initiating node sends an address negotiation request to the service node. The request message includes its own network address information, communication port, and connection target identifier:

[0106] S3.4. After receiving the address negotiation request, the service node parses the message, extracts the address information of the initiating node and the identifier of the target node, and sends an address query request to the target node. The query request contains the basic information of the initiating node and the negotiation requirements:

[0107] S3.5. After receiving the address query request, the target node returns its own network address information and communication port. After receiving the target node's address information, the service node organizes and verifies the address information of both the initiator and the target to ensure the validity of the address information.

[0108] S3.6. The service node forwards the verified address information of both parties to the corresponding nodes. After receiving the address information, the initiating node and the target node adjust their own network configuration parameters and attempt to establish a connection according to the negotiated communication protocol and port, gradually completing the network address translation and penetration process:

[0109] S3.7. If the detection results show that the network connectivity of both parties is good, there is no need to perform network address translation (NAT) tunneling. The initiating node and the target node directly establish a point-to-point communication channel based on each other's network identifiers and communication ports. After the channel is established, both parties send test data packets to verify connectivity and confirm that data can be transmitted normally.

[0110] S3.8. If a connection between nodes is abnormally interrupted due to network fluctuations, link interruptions, or other reasons during the connection process, the service node will detect the interruption by monitoring the connection status between nodes in real time and automatically trigger the data forwarding takeover mechanism, whereby the service node will temporarily take over the data forwarding task:

[0111] S3.9. The initiating node sends the data to be transmitted to the service node. The service node encapsulates the data according to the preset forwarding rules and transmits the data to the target node through the proxy network, ensuring uninterrupted data transmission.

[0112] S3.10. The service node continuously monitors the connection recovery status of interrupted nodes and periodically sends probe packets to detect whether nodes have re-established connections. When a normal connection is detected between nodes, the service node stops the temporary forwarding service and returns data transmission authority to the node itself, ensuring the continuity and stability of data transmission.

[0113] S4. The transmitted data is encrypted and its integrity is verified using the national cryptographic algorithm. The receiver completes the decryption and verification before data transmission is achieved.

[0114] S4.1. Before transmitting data, the sending node encrypts the plaintext data using a symmetric national cryptographic algorithm. The encryption process strictly follows the standard specifications of the symmetric national cryptographic algorithm.

[0115] S4.1.1. The sending node obtains the plaintext data to be transmitted, and divides the plaintext data into packets according to the preset packet length of the symmetric national cryptographic algorithm, splitting the continuous plaintext data into fixed-length data packets to ensure that each data packet meets the encryption operation requirements:

[0116] S4.1.2. For the last data packet after grouping that is less than the preset length, padding is performed according to the padding method specified by the symmetric national cryptographic algorithm. The padding content is related to the data length to ensure that the padding content can be accurately removed during decryption.

[0117] S4.1.3. Based on the characteristics of the data transmission application scenario and the scenario's requirements for data security and real-time performance, the sending node selects an appropriate encryption mode from the cryptographic block linking mode, electronic codebook mode, ciphertext feedback mode, and output feedback mode:

[0118] S4.1.4. Configure the relevant parameters of the symmetric national cryptographic algorithm according to the selected encryption mode, including the number of iterations, transformation rules, key expansion method, etc., to ensure that the encryption process meets the mode requirements:

[0119] S4.1.5. The session key generated through key negotiation is invoked, and the round keys required for multiple rounds of encryption are generated using the key expansion mechanism of the symmetric national cryptographic algorithm. The generation process of the round keys follows the algorithm's preset expansion rules to ensure encryption strength.

[0120] S4.1.6. The generated round key is used to perform multiple rounds of nonlinear iterative encryption on the block-shaped plaintext data packets. The iterative process includes operations such as S-box transformation and linear transformation to gradually convert the plaintext data into ciphertext data. After encryption, the ciphertext data is encapsulated.

[0121] S4.2. To ensure the integrity of transmitted data and session keys, the sending node uses a hash-based national cryptographic algorithm for integrity verification:

[0122] S4.2.1. The sending node performs hash-based national cryptographic algorithms on the session key and each set of plaintext data respectively to calculate the corresponding hash value. The hash value calculation process follows the standard procedure of hash-based national cryptographic algorithms to ensure the uniqueness and collision resistance of the hash value:

[0123] S4.2.2. Associate the calculated hash value with the corresponding ciphertext data packet, and construct a complete transmission data packet in the format of "ciphertext data + hash value". The hash value is appended to the ciphertext data to facilitate verification by the receiving node.

[0124] S4.3. The sending node sends the constructed data packets to the receiving node in an orderly manner through the established point-to-point communication channel, following the transmission protocol of the communication channel during the transmission process to ensure that the data packets arrive in order and avoid out-of-order delivery.

[0125] S4.4. The receiving node receives the transmitted data packets through the communication channel, performs an integrity check on the received data packets to confirm whether the fields of the data packets are complete and the format is correct. If any data packets are lost or corrupted, it sends a retransmission request to the sending node.

[0126] S4.5. The receiving node separates the ciphertext data and hash value from the transmitted data packet and stores them separately in their corresponding buffer areas to prepare for subsequent decryption and verification:

[0127] S4.6. The receiving node retrieves the previously negotiated session key from the local key cache module and generates a round key corresponding to the encryption key according to the key expansion rules of the symmetric national cryptographic algorithm. The generation order of the round key is the reverse of that during encryption.

[0128] S4.7. Using the generated round key, perform multiple rounds of inverse iterative decryption operations on the ciphertext data. The inverse iterative process is the reverse of the encryption process, gradually restoring the plaintext data and padding content after grouping:

[0129] S4.8. The receiving node removes the padding content from the plaintext data according to the padding removal rules of the symmetric national cryptographic algorithm, restoring the original state of the plaintext data:

[0130] S4.9. The receiving node uses the same hash-based national cryptographic algorithm as the sending node to recalculate the hash values ​​for the recovered plaintext data and the session key:

[0131] S4.10. Compare the recalculated hash value with the received hash value one by one to check if they are completely identical:

[0132] S4.11. If the hash values ​​match, it indicates that the session key has not been tampered with and the transmitted data is complete and valid. The receiving node then performs further processing on the plaintext data. If the hash values ​​do not match, it is determined that the data has been tampered with or is erroneous during transmission. The receiving node discards the data and returns a data verification failure message to the sending node, requesting that the data be retransmitted.

[0133] The technical solution adopted in this embodiment, by building a three-layer distributed network architecture, realizes dynamic expansion and automatic fault switching of service nodes, avoiding the single point of failure risk in traditional architectures and ensuring the stability of network operation. It uses asymmetric national cryptographic algorithms for node authentication and key negotiation, combined with data encryption using symmetric national cryptographic algorithms and integrity verification using hash-based national cryptographic algorithms, to construct a full-link security protection system, ensuring legitimate node access and confidential and complete data transmission, meeting autonomous security and compliance requirements. Nodes transmit data directly through point-to-point communication, with service nodes providing auxiliary forwarding only when necessary, reducing intermediate links in data transmission and improving data transmission efficiency and bandwidth utilization. Simultaneously, the application of network address translation (NAT) penetration mechanisms and connection anomaly handling mechanisms enhances the network's adaptability and fault tolerance, enabling nodes in different network environments to successfully complete communication and ensuring data transmission continuity.

[0134] Example 3

[0135] In some embodiments, such as Figure 3As shown, the network architecture is divided into an authentication node layer, a service node layer, and a normal node layer from top to bottom. The normal node layer is distributed in different NAT domains. Nodes at each layer interact through preset protocols and rules to jointly realize the entire process of P2P VPN registration, authentication, communication, and data transmission. As a terminal access node, a normal node, upon first accessing the VPN network, will select the nearest service node or one with a load below a preset threshold to initiate a registration request based on network conditions. The service node receives the request, parses and extracts the node identity information, and simultaneously obtains the SM2 key pair containing the public and private keys generated by the normal node during its initial registration. The normal node will separately extract the public key and submit it to the service node. The service node performs integrity verification on the received node identity information and public key, checking for missing or corrupted data. After successful verification, it constructs a forwarding message based on a preset MQTT topic, forwarding the node identity information and public key together to the authentication node. During forwarding, the message transmission mechanism of the MQTT protocol is followed, and communication with the authentication node is achieved through a proxy program to ensure that information is not lost or tampered with. As the core of identity management, the authentication node receives information forwarded by the service node and initiates an information processing flow. It categorizes and organizes the information according to the node's identity identifier, establishing a dedicated registration list containing node identity information, public key, registration time, etc. The authentication node is only responsible for identity management and key distribution and does not participate in data forwarding. This design reduces the load on core nodes and improves the overall network operating efficiency. After completing the registration, the authentication node generates a registration confirmation message, which is fed back to the ordinary nodes through the service nodes. Upon receiving the confirmation message, the ordinary nodes confirm that the registration application has been submitted and enter a state of waiting for identity authentication.

[0136] After completing node registration and information filing, a three-tier distributed network architecture consisting of authentication nodes, service nodes, and ordinary nodes is constructed. Authentication nodes are deployed in a highly secure and stable network environment with physical isolation, access control, and security auditing capabilities. The service node layer adopts a multi-site distributed deployment mode, covering different network areas, transparent to ordinary nodes, and supports dynamic expansion. Ordinary nodes create virtual network interfaces through virtual network interface cards (TUN / TAP) to complete basic access configuration with the VPN network, possessing basic data sending and receiving and encryption / decryption functions. During the architecture construction process, a Sock2mq proxy program is deployed between the service nodes and authentication nodes. The communication port, transmission protocol, timeout retransmission, and other parameters of the proxy program are configured. Through this proxy program, the IP address and port mapping relationship between the service nodes and authentication nodes is established, forming a proxy network of "multiple service nodes mapping to a single authentication node." The Message Queuing Telemetry Transport (MQTT) protocol is used as the communication protocol for the proxy network. Message transmission parameters between the service nodes and authentication nodes are configured, including message queue size, transmission timeout time, and retransmission threshold. Leveraging the high concurrency support capabilities of the MQTT protocol, this proxy network can support large-scale node access. After constructing the proxy network, a dynamic scaling monitoring mechanism is activated. When an increase in network load is detected, and the load pressure on some service nodes exceeds a preset threshold, a load balancing strategy is triggered. The system distributes new registration requests and data forwarding tasks evenly across service nodes based on factors such as real-time load, network latency, and link stability, preventing overload on any single service node. During the identity authentication phase, ordinary nodes use their private keys to sign their node identity information, generating signed identity information which is then sent to the service nodes along with their public keys. The service nodes forward this information to the authentication nodes. The authentication nodes extract the corresponding registration public key from the registration list and verify the signature using the SM2 asymmetric national cryptographic algorithm. If the signature matches, the identity is confirmed as legitimate; otherwise, the registration request is rejected. After successful identity authentication, the communication node executes the key exchange process using the SM2 asymmetric national cryptographic algorithm. The first node generates a random number and calculates the corresponding elliptic curve point according to the preset elliptic curve parameters, then sends it to the second node. Upon receiving the elliptic curve point, the second node generates its own random number and calculates the corresponding elliptic curve point, returning it to the second node. Both nodes combine their own private keys with the received or sent elliptic curve points and obtain the same session key using the same calculation rules, thus completing the key negotiation. The session key is used for subsequent encrypted data transmission.

[0137] Nodes that have passed authentication initiate point-to-point connection requests directly, sending network probe packets to check their connectivity. Based on parameters such as the reception of response packets and response latency, they determine the network connectivity, network type, and whether NAT traversal is required. If NAT traversal is detected (meaning ordinary nodes in different NAT domains cannot directly obtain each other's addresses), the node sends an address negotiation request to the service node. Upon receiving the request, the service node obtains the address information of both parties and forwards it. The node then completes the negotiation based on the received address information, gradually completing the NAT traversal process and overcoming the isolation restrictions between different NAT domains. If the network connectivity is good, a point-to-point communication channel is established directly. After the channel is established, test data packets are sent to verify connectivity. In this case, data transmission does not require service node relay, improving transmission efficiency. If the connection between nodes is abnormally interrupted due to network fluctuations, link breaks, or other reasons, the service node detects the interruption by monitoring the connection status between nodes in real time and automatically triggers a data forwarding takeover mechanism. The service node temporarily takes over the data forwarding task to ensure uninterrupted data transmission. Meanwhile, after the service nodes are deployed in a distributed manner, they continuously report their own operating status and load information to the authentication nodes. When a service node fails and goes offline, ordinary nodes can detect the failure status through the "last will message" of MQTT, automatically scan other currently online service nodes, filter out service nodes with loads below the preset threshold and reconnect, realize the failover of service nodes, ensure that the network will not be interrupted due to the failure of a single service node, and maintain the continuity of communication.

[0138] In the established point-to-point communication channel, the SM4 symmetric national cryptographic algorithm is used to encrypt the transmitted plaintext data. Before encryption, the characteristics of the data transmission application scenario are determined. Based on the scenario characteristics, an appropriate encryption mode is selected from Cipher Block Chain (CBC), Electronic Codebook (ECB), Ciphertext Feedback (CFB), and Output Feedback (OFB) modes. For example, the lightweight OFB mode can be selected for scenarios with high real-time requirements. Subsequently, the relevant parameters of the SM4 algorithm are configured according to the selected encryption mode, including the number of iterations, transformation rules, key expansion method, etc. The session key generated through key negotiation is called, and the key expansion mechanism of the SM4 algorithm generates the round keys required for 32 rounds of encryption. The plaintext data is processed into 128-bit blocks. For the last data packet that is less than 128 bits, padding is performed according to the padding method specified by the SM4 algorithm. The generated round keys are used to perform 32 rounds of nonlinear iterative encryption operations on the block-formed plaintext data packets. The iteration process includes operations such as S-box transformation and linear transformation, gradually converting the plaintext data into ciphertext data. Meanwhile, the SM3 hash-based national cryptographic algorithm is used to verify the integrity of the transmitted data and session key. The sending node performs SM3 hash algorithm operation on the session key and each set of plaintext data respectively to calculate the corresponding hash value. The hash value is associated with the corresponding ciphertext data, and a complete transmission data packet is constructed according to the format of "ciphertext data + hash value". It is then sent to the receiving node in an orderly manner through the established point-to-point communication channel. After receiving the transmitted data packet, the receiving node separates the ciphertext data and hash value. It extracts the session key from its local key cache module and generates a 32-round key corresponding to the encryption process according to the key expansion rules of the SM4 algorithm. The ciphertext data is decrypted through 32 rounds of inverse iterative operations. After removing padding, the plaintext data is restored to its original state. Then, using the same SM3 hash-based national cryptographic algorithm as the sender, the hash values ​​of the restored plaintext data and session key are recalculated. The recalculated hash values ​​are compared one by one with the received hash value. If they match, it indicates that the session key has not been tampered with and the transmitted data is complete and valid. The receiving node then proceeds with further processing of the plaintext data. If they do not match, it is determined that the data has been tampered with or erroneous during transmission. The receiving node discards the data and returns a data verification failure message to the sending node, requesting a retransmission of the data.

[0139] This method, through the design of a three-layer network architecture and the full-link application of national cryptographic algorithms, effectively avoids the central bottleneck and single point of failure issues of traditional VPNs, achieving autonomous security and compliance in data transmission. The point-to-point communication mode between nodes reduces intermediate forwarding links and improves data transmission efficiency, while multiple encryption and verification mechanisms ensure the security and integrity of data transmission. Furthermore, the application of dynamic expansion and failover mechanisms gives the entire VPN system good scalability and stability, enabling it to adapt to different application scenarios.

[0140] The above description is merely a preferred embodiment of the present invention. It should be understood that the present invention is not limited to the forms disclosed herein and should not be construed as excluding other embodiments. It can be used in various other combinations, modifications, and environments, and can be altered within the scope of the concept described herein through the above teachings or related technologies or knowledge. Modifications and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention should be within the protection scope of the appended claims.

Claims

1. A P2P VPN method based on Chinese national cryptographic algorithms, characterized in that, Includes the following steps: S1. Receive the registration request initiated by the node, extract the node identity information in the request, obtain the key pair generated by the node, and forward the node identity information and the public key in the key pair to the authentication node through the service node. The authentication node collects and organizes the information and completes the filing. S2. Construct a three-layer network architecture consisting of authentication nodes, service nodes, and ordinary nodes. Bind service nodes to authentication nodes through a proxy protocol. Use an asymmetric national cryptographic algorithm to verify the identity information of nodes and the public key of the record to complete identity authentication. Then, use the same asymmetric national cryptographic algorithm to complete key exchange between nodes to be communicated and generate session keys. S3. After identity authentication is successful, nodes directly initiate point-to-point connection requests, detect network connectivity, and choose to establish a point-to-point communication channel directly or with the assistance of a service node based on the detection results. S4. In the established communication channel, the symmetric national cryptographic algorithm is used to encrypt the transmitted plaintext data, and the hash-based national cryptographic algorithm is used to verify the integrity of the transmitted data and the session key. After the receiver completes the ciphertext decryption and integrity verification, the data transmission is completed. Step S2 includes the following sub-steps: S2.

1. When building a three-layer network architecture, the authentication node is deployed in a highly secure and stable network environment, the service node is deployed in a distributed manner, and the ordinary nodes access the VPN through a virtual network card; S2.

2. The message queue telemetry transmission protocol is used as the proxy protocol to bind service nodes and authentication nodes, forming a proxy network of multiple service nodes mapping to a single authentication node; S2.

3. When performing identity authentication, the node first signs the identity information with its own private key, and then sends the signature information and public key to the service node, which then forwards it to the authentication node. S2.

4. After the authentication node extracts the public key for recordation and completes the signature verification, the waiting communication node executes the key exchange process through the asymmetric national cryptographic algorithm to generate the session key.

2. The method according to claim 1, characterized in that, Step S1 includes the following sub-steps: S1.

1. Ordinary nodes select the nearest service node or the service node with a load below a preset threshold based on network conditions to initiate a registration request. The service node receives the registration request and extracts the node identity information from it. S1.

2. Obtain the key pair containing the public and private keys generated during the node's initial registration. The node extracts the public key separately and submits it to the service node. S1.

3. The service node forwards its identity information and public key to the authentication node through a preset message subject; S1.

4. The authentication node categorizes and organizes the received information, establishes a dedicated filing list, and completes the filing process.

3. The method according to claim 1, characterized in that, Step S2.3 includes the following sub-steps: S2.3.

1. A regular node uses its own private key to sign its node identity information, generating signed identity information; S2.3.

2. Send the signed identity information along with your public key to the service node; S2.3.

3. The service node forwards the received signature information and public key to the authentication node, and the authentication node extracts the corresponding public key from the registration list; S2.3.

4. Use an asymmetric national cryptographic algorithm to verify the signature with the public key used for registration. If the signatures match, the identity is confirmed as legitimate; otherwise, the registration request is rejected.

4. The method according to claim 1, characterized in that, Step S2.4 includes the following sub-steps: S2.4.

1. The first node generates a random number, calculates the corresponding elliptic curve point according to the preset elliptic curve parameters, and sends it to the second node; S2.4.

2. After receiving the data, the second node generates its own random number, calculates the corresponding elliptic curve point based on the same elliptic curve parameters, and returns it. S2.4.

3. The first node calculates by combining its own private key with the received elliptic curve points, and the second node calculates by combining its own private key with the sent elliptic curve points. S2.4.

4. The two nodes obtain the same session key through the same calculation rules and complete the key negotiation.

5. The method according to claim 1, characterized in that, In step S2, the agent program is first deployed and communication parameters are configured; the agent program establishes the IP address and port mapping relationship between the service node and the authentication node; after the agent network is built, the dynamic expansion monitoring mechanism is enabled; when the network load is detected to increase, the load balancing strategy is triggered to distribute registration requests and data forwarding tasks to each service node.

6. The method according to claim 1, characterized in that, In step S2.1, after the service nodes are deployed in a distributed manner, they continuously report their own operating status and load information to the authentication nodes. When a service node fails, it sends a failure notification to the authentication nodes and other nodes through a will message. After receiving the failure notification, the ordinary nodes scan other currently online service nodes, filter out service nodes with loads below a preset threshold, and initiate a reconnection request to the service nodes with loads below the preset threshold to complete the service node switchover and achieve failover.

7. The method according to claim 1, characterized in that, In step S3, after a node initiates a point-to-point connection request, it sends a network probe message to detect the connectivity status between the two parties; if network address translation traversal is required, it sends an address negotiation request to the service node. After receiving the request, the service node obtains the address information of both parties and forwards it. The node completes the negotiation based on the received address information; If an abnormal interruption occurs during the connection process, the data forwarding takeover mechanism of the service node is triggered, and the service node temporarily forwards the data.

8. The method according to claim 1, characterized in that, In step S4, when using the symmetric national cryptographic algorithm, the plaintext data is first grouped into groups of a preset length; padding is performed on data that is not long enough for a group; ciphertext is generated through multiple rounds of iterative encryption based on the session key; after the receiver obtains the ciphertext, it uses the session key to generate a round key; and the ciphertext is decrypted and the plaintext is restored through multiple rounds of inverse iterative operations. When using hash-based national cryptographic algorithms, first calculate the hash value of the transmitted data and the session key; The hash value is transmitted along with the data; the receiver recalculates the hash value and compares it with the transmitted hash value.

9. The method according to claim 7, characterized in that, In step S4, before encrypting with the symmetric national cryptographic algorithm, the characteristics of the application scenario of the data transmission are first determined; according to the scenario characteristics, the corresponding encryption mode is selected from the cryptographic block linking mode, electronic codebook mode, ciphertext feedback mode and output feedback mode; the encryption parameters of the symmetric national cryptographic algorithm are configured according to the selected encryption mode, and then block filling and iterative encryption operations are performed on the plaintext data.

Images