Cross-domain data routing method based on stateless coordination layer and hybrid encrypted envelope
By employing a stateless coordination layer and a hybrid encrypted envelope for cross-domain data routing, the problems of poor scalability and replay attack detection in cross-domain data transmission systems are solved, achieving high security and low memory consumption, and ensuring the uniqueness of data packets and transmission reliability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SUZHOU ABYSS MATRIX TECHNOLOGY CO LTD
- Filing Date
- 2026-03-20
- Publication Date
- 2026-06-16
AI Technical Summary
Existing cross-domain data transmission systems suffer from poor scalability, lack of control over data lifecycle, and easy retention of sensitive information due to the maintenance of session state tables at intermediate nodes. Furthermore, replay attack detection is difficult to achieve in stateless designs.
A cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope is adopted. Data encryption is performed by constructing inner and outer envelope structures, and lifecycle verification and memory clearing are performed using hardware security modules and Bloom filters to ensure the uniqueness and security of data packets.
It achieves high security, low state maintenance overhead and stability in the cross-domain data routing process, reduces the risk of replay attacks, and ensures that sensitive information is not left behind.
Smart Images

Figure CN122226388A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of privacy computing and network security technology, and in particular to a cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope. Background Technology
[0002] With the continuous development of distributed computing systems, cross-domain data exchange platforms, and cloud-edge collaborative networks, the demand for data sharing and task collaboration between different network domains continues to grow. Data security transmission and node collaborative routing technologies in cross-domain environments have gradually become important research directions in information system construction. Existing cross-domain data transmission systems typically rely on centralized gateways or intermediate nodes with state recording capabilities for data forwarding and routing control. However, in practical applications, the following problems are commonly encountered: High overhead of state maintenance: Traditional methods require maintaining session state tables in intermediate nodes, which leads to linear increases in memory usage and poor scalability as concurrency increases.
[0003] Lack of control over data lifecycle: The lack of effective replay attack protection mechanisms means that data packets may be maliciously reused.
[0004] Sensitive information is easily left behind: After the intermediate nodes have finished processing, routing information (such as node identifiers and task identifiers) is easily left in memory, which poses a risk of being attacked by cold start attacks or recovered through memory forensics.
[0005] The contradiction between statelessness and security: Existing "stateless" designs usually only refer to the logical absence of session storage, but sensitive information is still stored in physical memory, and there is a lack of effective replay attack detection mechanisms (because detection usually requires state recording).
[0006] Compared with existing technologies (such as the Anti-Replay mechanism of DTLS 1.3), this invention solves the compatibility problem between stateless architecture and replay attack detection: by replacing the complete state table with a Bloom filter, probabilistic deduplication is achieved in a fixed storage space, which not only meets the requirements of quasi-stateless design (fixed space, not growing with data packets) but also provides practical security protection. Summary of the Invention
[0007] One objective of this invention is to propose a cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope. This invention constructs an inner and outer envelope structure by the sending node. The original data is symmetrically encrypted using a session key to generate ciphertext. The session key is then asymmetrically encrypted using the receiving node's public key to generate a first ciphertext block. Simultaneously, the receiving node's identifier, task identifier, timestamp, and destruction token are asymmetrically encrypted using the coordination layer node's public key to generate a second ciphertext block. Within the coordination layer node, a hardware security module decrypts the outer envelope and generates a routing decision via a directory service. After completing envelope lifecycle verification and generating a route proof digest, the inner envelope is forwarded to the receiving node. The receiving node decrypts the ciphertext using its private key to obtain the session key and then decrypts the ciphertext to obtain the original data. This invention offers advantages such as high security for cross-domain data transmission, stateless routing process, controllable data lifecycle, and low risk of sensitive information residue.
[0008] The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope according to an embodiment of the present invention includes the following steps: S1. The sending node obtains the receiving node identifier and the task identifier, and generates a session key and a destruction token. It then uses the session key to perform symmetric encryption on the original data to generate ciphertext. S2. The sending node uses the receiving node's public key to perform asymmetric encryption on the session key to generate a first ciphertext block, and encapsulates the first ciphertext block and the data ciphertext to form an inner envelope; S3. The sending node uses the public key of the coordination layer node to perform asymmetric encryption on the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token to generate a second ciphertext block, and encapsulates the second ciphertext block to form an outer envelope. S4. The sending node combines the outer envelope and the inner envelope according to the data encapsulation structure to form a data packet, and sends the data packet to the coordination layer node; S5. The coordination layer node calls the hardware security module to perform decryption processing on the outer envelope, and obtains the sending node identifier, receiving node identifier, task identifier, timestamp and destruction token from the volatile memory buffer; S6. The coordination layer node performs envelope lifecycle verification based on the timestamp and destruction token. If the timestamp exceeds the preset time window or the destruction token is determined to be duplicated by the Bloom filter, the data packet is discarded. If the verification passes, the target node address is queried through the directory service based on the receiving node identifier and a routing decision is generated. A routing proof digest is generated using the HMAC-SM3 algorithm based on the sending node identifier, receiving node identifier, task identifier, data packet identifier, and timestamp. The routing proof digest is written to the audit log, and a deterministic zeroing operation is performed on the volatile memory buffer using the secure erase function. After generating the routing decision, the target node address is written to the independent hardware register of the network interface controller or the kernel-mode dedicated forwarding buffer. Then, a deterministic zeroing operation is performed on the volatile memory buffer used to store decrypted routing information (sending node identifier, receiving node identifier, task identifier, timestamp, destruction token) to ensure that forwarding control and memory cleanup do not conflict with each other.
[0009] S7. The coordination layer node forwards the inner envelope to the receiving node according to the routing decision. The receiving node uses its own private key to decrypt the first ciphertext block to obtain the session key, and uses the session key to decrypt the data ciphertext to obtain the original data.
[0010] Optionally, S1 specifically includes: The sending node reads the task identifier from the task management service and the receiving node identifier from the node registration information; The operating system's cryptographically secure pseudo-random number generator (CSPRNG) is invoked to generate session keys and destroy tokens; The original data byte sequence is input into a symmetric encryption algorithm (such as SM4-GCM) to perform encryption calculations and generate ciphertext. To facilitate understanding of the encryption principle, this embodiment uses byte-by-byte XOR operation as a simplified example of symmetric encryption. In actual systems, it is recommended to use the SM4-GCM algorithm that conforms to the national cryptographic standard for encryption (for specific implementation, refer to GM / T 0002-2012) to provide higher security and integrity protection. Optionally, S2 specifically includes: The sending node reads the receiving node's public key from the node registration information; it then inputs the session key into an asymmetric encryption algorithm to perform encryption calculations and generate the first ciphertext block. The first ciphertext block and the data ciphertext are written into the envelope data structure in the order of data encapsulation to form the inner envelope; The first ciphertext block records the session key content processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the data ciphertext records the original data content processed by the symmetric encryption algorithm in the form of a byte sequence. The inner envelope contains the first ciphertext block field and the data ciphertext field in sequence according to the envelope data structure.
[0011] Optionally, S3 specifically includes: The sending node reads the coordinating layer node's public key from the node registration information; The system time is read from the operating system time service to generate a timestamp, and the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token are combined in the order of preset fields to form a routing information sequence; The routing information sequence is input into an asymmetric encryption algorithm to perform encryption calculations and generate a second ciphertext block; The second ciphertext block is written into the envelope data structure in the order of data encapsulation to form the outer envelope; The second ciphertext block records the routing information processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the outer envelope contains the fields of the second ciphertext block according to the envelope data structure.
[0012] Optionally, S4 specifically includes: The sending node establishes a data packet data structure, which includes a data packet identifier field, an outer envelope field, and an inner envelope field in the order of fields. Write the outer envelope into the outer envelope field and the inner envelope into the inner envelope field to form a complete data packet byte sequence; Write the complete data packet byte sequence into the network transmission buffer to generate a data frame to be sent; The network communication protocol stack is invoked to perform encapsulation processing on the data frame to be sent, encapsulating it to generate a network data frame and writing it into the network interface sending queue. The network interface controller sends network data frames to the communication network, enabling the network data frames to be transmitted to the coordination layer node according to the network routing path.
[0013] Optionally, S5 specifically includes: The coordination layer node receives network data frames through the network interface controller and writes the network data frames into the network receive buffer; The network communication protocol stack is invoked to perform protocol decapsulation processing on the network data frames in the network receive buffer, and parsing is used to generate data packet byte sequences. Read the outer envelope field according to the data packet data structure and write the outer envelope byte sequence into the hardware security module input register; The hardware security module calls its internal private key to perform asymmetric decryption operations to generate a routing information byte sequence, and writes the routing information byte sequence into the hardware security module's output register; The coordination layer node reads the routing information byte sequence from the output register of the hardware security module and writes the routing information byte sequence into a volatile memory buffer; The sender node identifier, receiver node identifier, task identifier, timestamp, and destroy token are parsed from the volatile memory buffer in the order of fields.
[0014] Optionally, the coordination layer node queries the target node address through a directory service based on the receiving node identifier and generates a routing decision, specifically: The coordination layer node reads the receiving node identifier from the volatile memory buffer; Construct a directory service query message, which includes a receiving node identifier field; Send directory service query messages to the directory service via the network communication protocol stack; Receive the query response message returned by the directory service and parse it to generate the target node address; Write the target node address into the routing decision record, and generate the next-hop node address field in the routing decision record.
[0015] Optionally, the step of performing a deterministic zeroing operation on the volatile memory buffer using the secure erase function specifically involves: Get the starting address and length of the volatile memory buffer; The safe erase function is invoked to perform a byte-by-byte write-zero operation on the volatile memory buffer; zero-value bytes are written to the volatile memory buffer in ascending address order until the entire address range is covered; Execute a memory barrier instruction to flush the processor cache; read the contents of the volatile memory buffer and perform a zero-value check.
[0016] Optionally, S7 specifically includes: Continue to refer to Figure 3 After completing the routing decision, the coordination layer node forwards the inner envelope to the receiving node based on the target node address stored in the forwarding buffer. The forwarding operation and memory cleanup do not conflict, ensuring reliable data transmission. Write the inner envelope byte sequence into the network transmission buffer to generate a data frame to be forwarded; The network communication protocol stack is invoked to encapsulate the data frame to be forwarded, generating a network data frame; the network interface controller then sends the network data frame to the communication network, ensuring that the network data frame is transmitted to the receiving node according to the network routing path. The receiving node receives network data frames through the network interface controller and writes them into the network receive buffer. The network communication protocol stack is invoked to perform protocol decapsulation processing on the network data frames in the network receive buffer, generating an inner envelope byte sequence. Read the first ciphertext block field and the data ciphertext field from the inner envelope byte sequence; input the first ciphertext block into the private key for decryption operation to generate the session key; The session key is input into a symmetric decryption algorithm to perform decryption operations on the encrypted byte sequence of data, generating the original data byte sequence.
[0017] The beneficial effects of this invention are: By constructing a hybrid encrypted envelope structure with inner and outer envelopes at the sending node, the sending node performs symmetric encryption on the original data using the session key to generate ciphertext, and performs asymmetric encryption on the session key using the receiving node's public key to generate the first ciphertext block. At the same time, the coordination layer node's public key performs asymmetric encryption on the receiving node identifier, task identifier, timestamp, and destruction token to generate the second ciphertext block. This ensures that the coordination layer node can only parse the routing information and cannot obtain the original data content, thereby improving the data confidentiality during cross-domain data routing. The coordination layer node calls the hardware security module to decrypt the outer envelope and combines the directory service to query the target node address to generate a routing decision. During the cross-domain data routing process, the coordination layer node does not need to save session state information, enabling the coordination layer node to complete cross-domain data forwarding under stateless conditions, reducing system state maintenance overhead and improving the scalability and stability of the cross-domain data routing system. Envelope lifecycle verification is performed on data packets using timestamps and destruction tokens. Data packets are discarded when the timestamp exceeds a preset time window or the destruction token appears repeatedly. A route proof digest is generated by combining the sending node identifier, receiving node identifier, task identifier, data packet byte sequence, and timestamp. This enables cross-domain data routing to have data packet validity control and route process verifiability, thereby reducing the risk of replay attacks and improving the security and reliability of cross-domain data exchange. After the coordination layer node completes the routing process, a deterministic zeroing operation is performed on the volatile memory buffer using a secure erase function. This thoroughly removes sensitive information such as the receiving node identifier, task identifier, timestamp, and destruction token from the volatile memory buffer, reducing the risk of residual cached data in the coordination layer node and thus improving the security of the cross-domain data routing system during the processing of sensitive information. Attached Figure Description
[0018] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used in conjunction with embodiments of the invention to explain the invention and do not constitute a limitation thereof. In the drawings: Figure 1 This is a schematic diagram of the architecture of the cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope proposed in this invention (including a Bloom filter module). Figure 2 This invention presents the hybrid encrypted envelope structure and its lifecycle diagram. Figure 3 This is a flowchart of the data packet processing proposed in this invention (including a quasi-stateless deduplication process). Figure 4 This is a flowchart illustrating the interaction between the HSM and the host. Detailed Implementation
[0019] The present invention will now be described in further detail with reference to the accompanying drawings. These drawings are simplified schematic diagrams, illustrating only the basic structure of the invention, and therefore only show the components relevant to the invention.
[0020] refer to Figures 1 to 4 A cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope includes the following steps: S1. The sending node obtains the receiving node identifier and task identifier, generates a session key and a destruction token, and uses the session key to perform symmetric encryption on the original data to generate ciphertext. S2. The sending node uses the receiving node's public key to perform asymmetric encryption on the session key to generate the first ciphertext block, and encapsulates the first ciphertext block and the data ciphertext to form an inner envelope; S3. The sending node uses the public key of the coordination layer node to perform asymmetric encryption on the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token to generate a second ciphertext block, and encapsulates the second ciphertext block to form an outer envelope. S4. The sending node combines the outer and inner envelopes according to the data encapsulation structure to form a data packet, and sends the data packet to the coordination layer node; S5. The coordination layer node calls the hardware security module to perform decryption processing on the outer envelope and obtains the receiving node identifier, task identifier, timestamp and destruction token from the volatile memory buffer. S6. The coordination layer node first performs envelope lifecycle verification based on the timestamp and destruction token: it reads the timestamp and destruction token from the volatile memory buffer, performs time window comparison, and checks for duplicates using a Bloom filter. If the timestamp exceeds the preset time window or the destruction token is determined to be duplicated by the Bloom filter, the data packet is discarded and processing is terminated. If the verification passes, the target node address is queried through the directory service based on the receiving node identifier, and a routing decision is generated. The target node address is written to the independent hardware register of the network interface controller or the kernel-mode dedicated forwarding buffer. Subsequently, a route proof digest is generated using the HMAC-SM3 algorithm based on the sending node identifier, receiving node identifier, task identifier, data packet identifier, and timestamp, and the route proof digest is written to the audit log. Finally, a deterministic zeroing operation is performed on the volatile memory buffer storing the decrypted routing information (sending node identifier, receiving node identifier, task identifier, timestamp, destruction token) using a secure erase function. S7, continue to refer to Figure 3After completing the routing decision, the coordination layer node forwards the inner envelope to the receiving node based on the target node address stored in the forwarding buffer. The forwarding operation and memory cleanup do not conflict, ensuring reliable data transmission. The coordination layer node forwards the inner envelope to the receiving node based on the routing decision. The receiving node uses its private key to decrypt the first ciphertext block to obtain the session key, and then uses the session key to decrypt the ciphertext data to obtain the original data.
[0021] like Figure 3 As shown, the data packet processing flow of the present invention covers the above steps S1 to S7, and the following is in conjunction with... Figure 3 Each step is explained in detail.
[0022] In this implementation, the cross-domain data transmission process introduces an inner and outer envelope structure. Symmetric encryption protects the original data, while asymmetric encryption protects the session key and routing information. This ensures that the coordination layer node can only parse the routing information and cannot access the data content, thereby improving the confidentiality of data transmission. Simultaneously, lifecycle verification is performed using timestamps and destruction tokens, and a routing proof digest is generated to control the validity and uniqueness of data packets, reducing the risk of replay attacks. After routing processing is complete, a deterministic zeroing operation is performed on the volatile memory buffer to reduce the residue of sensitive information. Through these improvements, the security, reliability, and traceability of the cross-domain data routing process are enhanced.
[0023] In this embodiment, S1 specifically refers to: The sending node reads the task identifier from the task management service and the receiving node identifier from the node registration information; The sending node establishes the original data byte sequence in memory and divides it into multiple data blocks according to a fixed byte length. The multiple data blocks are arranged in the original order to form a data block set. The operating system's cryptographically secure pseudo-random number generator (CSPRNG) is invoked to generate session keys and destroy tokens; A series of consecutive random numbers are read sequentially from the random number set and written into the key storage area. The key is written byte by byte in the order of reading to form a session key sequence. Continue reading several consecutive random numbers from the random number set and writing them into the token storage area, writing them byte by byte in the order of reading to form a token destruction sequence; The original data byte sequence is input into a symmetric encryption algorithm (such as SM4-GCM) to perform encryption calculations and generate ciphertext. To facilitate understanding of the encryption principle, this embodiment uses byte-by-byte XOR operation as a simplified example of symmetric encryption. In actual systems, it is recommended to use the SM4-GCM algorithm that conforms to the national cryptographic standard for encryption (for specific implementation, refer to GM / T 0002-2012) to provide higher security and integrity protection.
[0024] Each encrypted data block is written sequentially into the contiguous address space of the encrypted storage area to form a complete encrypted data sequence, following the original data block order. The encrypted data is recorded in byte sequence form, the session key is recorded in key sequence form, and the destruction token is recorded in random number sequence form, whereby the value of the randomly generated token is recorded.
[0025] In this embodiment, S2 specifically refers to: The sending node reads the receiving node's public key from the node registration information and writes the receiving node's public key into the cryptographic operation storage area; The sending node writes the session key into the encrypted input storage area and forms a session key byte sequence in byte order; The session key byte sequence is converted into an integer value, and the integer value is then exponentially and moduloed with the public exponent and modulo of the public key in the receiving node's public key to obtain the ciphertext value. The ciphertext value is equal to the result of the session key integer value raised to the power of the public exponent and modulo of the public key. The ciphertext value is divided into multiple ciphertext byte blocks according to a fixed byte length, and the multiple ciphertext byte blocks are written into the contiguous address space of the ciphertext storage area in the order of operation to form the first ciphertext block. Establish an envelope data structure and set the first ciphertext block field and the data ciphertext field in the envelope data structure; Write the byte sequence of the first ciphertext block to the storage location corresponding to the field of the first ciphertext block; Write the ciphertext byte sequence into the storage location corresponding to the ciphertext field; According to the field arrangement order in the envelope data structure, the content of the first ciphertext block field is written first in a contiguous memory address, followed by the content of the data ciphertext field, to form the inner envelope byte sequence; The first ciphertext block records the session key content processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the data ciphertext records the original data content processed by the symmetric encryption algorithm in the form of a byte sequence. The inner envelope contains the first ciphertext block field and the data ciphertext field in sequence according to the envelope data structure.
[0026] In this embodiment, S3 specifically refers to: The sending node reads the coordinating layer node's public key from the node registration information and writes the coordinating layer node's public key into the cryptographic operation storage area; The sending node reads the system time from the operating system's time service and records the time value. The time value is converted into an integer form in milliseconds as a timestamp. The sending node establishes a routing information storage area in memory and sequentially writes the sending node identifier, receiving node identifier byte sequence, task identifier byte sequence, timestamp byte sequence, and destruction token byte sequence to form a continuous routing information byte sequence; Each byte in a continuous sequence of routing information bytes is mapped sequentially to an integer value to form a sequence of integer routing information bytes. The values in the integer sequence of routing information are exponentially and moduloed with the public exponent and modulo of the public key in the coordination layer node to obtain the ciphertext sequence. Each ciphertext value in the ciphertext sequence is equal to the result of taking the public exponent power of the corresponding routing information value modulo the public key. The ciphertext sequence is converted into ciphertext byte blocks of fixed length and written into the contiguous address space of the ciphertext storage area in the order of operation to form a second ciphertext block; Establish an envelope data structure and set a second ciphertext block field in the envelope data structure; Write the second ciphertext block byte sequence into the storage location corresponding to the second ciphertext block field to form the outer envelope byte sequence; The second ciphertext block records the routing information processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the outer envelope contains the fields of the second ciphertext block according to the envelope data structure.
[0027] In this embodiment, S4 specifically refers to: The sending node establishes a data packet data structure in memory and sets the data packet identifier field, outer envelope field, and inner envelope field in the data packet data structure; The sending node generates a data packet identifier, which is obtained by combining the values of the sending node identifier, the task identifier, and the timestamp. The combination method is to add the value of the sending node identifier to the value of the task identifier, and then add the value of the timestamp to form the value of the data packet identifier. Convert the packet identifier value into a byte sequence of fixed byte length and write it to the storage address corresponding to the packet identifier field; Write the outer envelope byte sequence into the contiguous memory address space corresponding to the outer envelope field; Write the inner envelope byte sequence into the contiguous memory address space of the inner envelope field that immediately follows the outer envelope field; The contents of the packet identifier field, outer envelope field, and inner envelope field are written sequentially into a contiguous memory address space according to the field arrangement order in the packet data structure to form a complete packet byte sequence; Write the complete data packet byte sequence into the contiguous address space of the network transmit buffer to generate a data frame to be sent; The network communication protocol stack generates network frame header information based on the data frame length and writes it to the starting address of the data frame. The length field value in the network frame header is equal to the total number of bytes in the data frame. The network communication protocol stack writes the network frame header and data frame data area into the network interface send queue in address order; The network interface controller reads network data frames from the network interface send queue and sends them to the communication network in byte order. The communication network selects a network routing path based on the destination address field and transmits the network data frames to the coordination layer node.
[0028] In this embodiment, S5 specifically refers to: Reference Figure 4 The interaction process between the HSM and the host is as follows: the coordination layer node receives network data frames from the communication network through the network interface controller and writes them into the contiguous address space of the network receive buffer in byte order; The network communication protocol stack reads network data frames from the network receive buffer and parses the network frame header fields. Based on the length field in the network frame header, it reads the corresponding number of bytes of data area content to generate a data packet byte sequence. Read the byte range corresponding to the outer envelope field from the data packet byte sequence according to the field arrangement order in the data packet data structure, and obtain the outer envelope byte sequence; Write the outer envelope byte sequence into the hardware security module input register address space in byte order; The hardware security module reads the outer envelope byte sequence from the input register and performs a modular exponentiation operation with the internal private key of the hardware security module to generate a routing information value. The modular exponentiation operation specifically includes: raising the ciphertext value to a power and then taking the remainder of the modulus to obtain the plaintext value. The ciphertext value is the integer representation of the outer envelope byte sequence, the exponent is the internal private key value, and the modulus is the modulus in the asymmetric key pair. The result of the modular exponentiation is converted into a sequence of routing information bytes and written into the output register of the hardware security module in byte order. Read the routing information byte sequence from the output register of the hardware security module and write it into the contiguous address space of the volatile memory buffer; The sender node identifier, receiver node identifier, task identifier, timestamp, and destroy token are generated by parsing the corresponding byte range from the volatile memory buffer according to the field arrangement order. The receiver node identifier is read according to the length of the node identifier field and converted into a node identifier value. The task identifier is read according to the length of the task identifier field and converted into a task identifier value. The timestamp is read according to the length of the time field and converted into a time value. The destroy token is read according to the length of the random number sequence field and converted into a random number value.
[0029] In this embodiment, the coordination layer node queries the target node address through the directory service based on the receiving node identifier and generates a routing decision, specifically as follows: The coordination layer node reads the received node identifier byte sequence from the volatile memory buffer according to the length of the node identifier field and converts it into a node identifier value; Establish a directory service query message data structure in memory and set the node identifier field and query time field; Write the received node identifier byte sequence to the node identifier field address location and write the system time value to the query time field address location; According to the order of the fields in the directory service query message data structure, the node identifier field and the query time field are written sequentially into a contiguous memory address space to form the directory service query message byte sequence. The directory service query message byte sequence is written into the network transmission buffer and a directory service query network data frame is generated by using the network communication protocol stack. The communication network returns a query response message, which is then written into the network receive buffer by the network interface controller. The network communication protocol stack reads the query response message from the network receive buffer and parses the node address field according to the field order to obtain the target node address value; Establish a routing decision record data structure in memory and set the target node address field and the next hop node address field; Write the target node address value into the target node address field, and then generate the next-hop node address value according to the network routing table matching result and write it into the next-hop node address field.
[0030] In this embodiment, envelope lifecycle verification is performed based on the timestamp and destruction token. If the timestamp exceeds a preset time window or the destruction token appears repeatedly, the data packet is discarded. A routing proof digest is generated based on the sending node identifier, receiving node identifier, task identifier, data packet identifier, and timestamp. Specifically: like Figure 3 As shown, during the routing decision and lifecycle verification phase, the coordination layer node performs the following sub-steps: reads the timestamp byte sequence from the volatile memory buffer according to the time field length and converts it into a time value; at the same time, it reads the destroy token byte sequence according to the random number sequence field length and converts it into a random number value. Read the system time value from the operating system time service and calculate the time difference by subtracting the timestamp value from the system time value. The time difference value is compared with the preset time window threshold value. When the time difference value is greater than the time window threshold value, a data packet drop flag is written into memory and subsequent processing is stopped. The destruction token is input into the Bloom filter to perform an existence check. If the Bloom filter determines that the destruction token may exist, a packet discard flag is generated and the packet processing flow is terminated; if it is determined that it does not exist, the destruction token is written into the Bloom filter (i.e., the corresponding bit in the bit array is set to 1). The Bloom filter uses a fixed bit array size m = 223 bits (approximately 1MB) and configures k = 3 independent hash functions (such as a variant of MurmurHash3). When the number of inserted elements n reaches 10⁶, the theoretical false positive rate p ≈ (1 − e − kn / m)k ≈ 0.001%, meeting the security tolerance requirements for cross-domain data routing. When the bit array fill rate reaches 80%, a sliding time window shift is triggered, discarding the token fingerprint of the earliest time window.
[0031] The sending node identifier, receiving node identifier, task identifier, data packet identifier, and timestamp are sequentially converted into integer sequences and arranged in order to form a summary input sequence. / / Using the SM3 hash algorithm (National Cryptographic Standard GB / T 32905-2016) #include<openssl / evp.h> #include<openssl / hmac.h> / / Pre-shared key (shared with the auditing system) unsigned char key
[32] = {...}; / / Input: Sending node identifier, receiving node identifier, task identifier, data packet identifier, timestamp unsigned char input[...] = concatenate(sender_id, receiver_id, task_id, packet_id, timestamp); / / Calculate HMAC-SM3 unsigned char result
[32] ; / / SM3 outputs 256 bits (32 bytes) HMAC(EVP_sm3(), key, 32, input, input_len, result, NULL); / / The results are written to the audit log. write_audit_log(result, timestamp, packet_size); Convert the digest value into a digest byte sequence and write it into the route proof digest field, and write the destroy token into the Bloom filter (i.e., the corresponding bit array position is 1).
[0032] In this embodiment, a deterministic zeroing operation is performed on the volatile memory buffer using a secure erase function, specifically as follows: Read the starting address and length of the volatile memory buffer from the memory management table; Set the address pointer value to the starting address value and the counter value to the buffer length value in the processor register; Write a zero-value byte to the corresponding memory address according to the address pointer value, increment the address pointer value by 1, and decrement the counter value by 1; Repeat the address writing zero-value byte operation until the counter value is reduced to 0 to complete the full address range coverage; Executing a processor memory barrier instruction flushes data in the processor cache to physical memory addresses. Read all bytes of the volatile memory buffer in address order and check each byte for zero value. When all bytes are 0, the deterministic zeroing operation is completed.
[0033] In this embodiment, S7 specifically refers to: Continue to refer to Figure 3 After completing the routing decision, the coordination layer node forwards the inner envelope to the receiving node. The inner envelope byte sequence is written into the contiguous address space of the network transmit buffer to form the byte sequence of the data frame to be forwarded. The network communication protocol stack writes a network frame header field at the beginning of the data frame to be forwarded and records the frame length value and the target node address field value in the network frame header to form a network data frame byte sequence. The network interface controller reads the byte sequence of network data frames from the network interface send queue and sends them to the communication network in byte order. The communication network matches the corresponding forwarding path in the network routing table based on the target node address field and transmits the network data frame to the receiving node. The receiving node receives network data frames from the communication network through the network interface controller and writes them into the contiguous address space of the network receive buffer in byte order. The network communication protocol stack reads network data frames from the network receive buffer and parses the network frame header field. Based on the frame length field, it reads the corresponding number of bytes of data area content to generate the inner envelope byte sequence. The first ciphertext block byte sequence is obtained by reading the field byte range of the first ciphertext block field from the inner envelope byte sequence according to the field order in the envelope data structure, and the data ciphertext field byte range is then read to obtain the data ciphertext byte sequence. The first ciphertext block byte sequence is converted into a ciphertext value and then modulo-exponentially exponentiated with the private key value of the receiving node to obtain the session key value. The modulo-exponential operation is to take the remainder of the private key exponent power of the ciphertext value divided by the modulus to obtain the session key value. The ciphertext value is the integer representation of the first ciphertext block, the private key exponent is the private key value of the receiving node, and the modulus is the modulus in the asymmetric key pair. Convert the session key value into a session key byte sequence and write it into the decryption operation buffer; Read the encrypted data byte sequence byte by byte and perform a bitwise XOR operation with the session key byte sequence in cyclic order to obtain the original data byte sequence. The original data byte value is equal to the result of performing a bitwise XOR operation between the encrypted data byte value and the session key byte value. All the original data byte sequences are written into the contiguous memory address space in address order to form the original data content.
[0034] Example 1: To verify the feasibility of this invention in practice, it was applied to a cross-domain data exchange network scenario of a large enterprise. This enterprise deploys multiple business system nodes in data centers A, B, C, and D. These data centers belong to different security domains and collaborate on data processing through a cross-domain data exchange network. In actual operation, business log data, equipment operation data, and order processing data need to be frequently transmitted between the data centers. Traditional cross-domain data exchange methods typically rely on intermediate gateways to maintain session state information and directly process data content during forwarding. When business concurrency increases, the number of intermediate node state records grows rapidly, easily leading to increased memory resource consumption, decreased routing efficiency, and increased risk of data replay. Furthermore, traditional methods can easily leave sensitive information in the cache during data processing, posing a risk of information leakage in the event of system anomalies or malicious access. A sending node is deployed in data center A, a receiving node in data center C, and a coordination layer node is deployed in the cross-domain switching network. The sending node generates a session key and a destruction token, and performs symmetric encryption on the original data to generate ciphertext. Simultaneously, it uses the public keys of the receiving node and the coordination layer node to generate a first and second ciphertext block, forming a hybrid encrypted envelope structure. This ensures that the coordination layer node can only parse the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token during data forwarding, but cannot obtain the original data content. The coordination layer node queries the target node address through a directory service to generate routing decisions and performs envelope lifecycle verification based on the timestamp and destruction token. Data packets with duplicate destruction tokens or exceeding the time window are discarded. A routing proof digest is generated, and a deterministic zeroing operation is performed on the volatile memory buffer using a secure erase function to prevent sensitive information from remaining in the buffer. Finally, the receiving node uses its private key to decrypt the first ciphertext block to obtain the session key, and uses the session key to decrypt the ciphertext to obtain the original data, achieving secure cross-domain data transmission.
[0035] To verify the feasibility of this invention in practice, seven consecutive days of business data transmission records were selected as test data in the above-mentioned enterprise cross-domain data exchange network environment. Statistical analysis was performed on packet processing delay, replay attack identification rate and memory residue, and the results are shown in Table 1 (the test sample size is the daily average data packets, and no replay attack was missed due to Bloom filter misjudgment).
[0036] Table 1. Cross-domain data routing security performance test results
[0037] Note 1: Under the test conditions, the replay attack detection rate was ≥99.9% (the theoretical false positive rate of the Bloom filter was <0.001%, and no missed detections occurred during the test period). Note 2: Analysis using memory forensics tools such as Volatility revealed no remnants of identifiable plaintext routing information.
[0038] As shown in Table 1, after adopting the cross-domain data routing method based on a stateless coordination layer and hybrid encrypted envelopes, the average latency of cross-domain data routing between different data centers remains between 39 and 43 milliseconds, maintaining stable data transmission performance even with a daily data packet volume of 800,000. Furthermore, by performing envelope lifecycle verification through timestamps and destruction tokens, the replay attack detection rate reached 100% in all test scenarios, indicating that the uniqueness of data packets in the cross-domain network can be effectively controlled. Since the coordination layer node performs a deterministic zeroing operation on the volatile memory buffer using a secure erase function after completing data processing, the test results show that the memory residue rate remains at 0, indicating that sensitive information generated during routing will not remain in the coordination layer node's cache, thus significantly reducing the risk of data leakage during cross-domain data exchange.
[0039] To further verify the advantages of the method of the present invention, the method of the present invention was compared with the traditional stateful cross-domain data routing method under the same network environment and the same data scale. The system resource consumption and data security performance were statistically analyzed, and the results are shown in Table 2.
[0040] Table 2. Comparison Test Results of Cross-Domain Data Routing Methods
[0041] Note 1: In the method of this invention, the Bloom filter occupies approximately 10MB of memory, and the remaining memory (approximately 54MB) is used for routine overhead such as the system protocol stack and audit buffer; the total memory usage is approximately 64MB.
[0042] Note 2: The hybrid encrypted envelope routing method refers to a scheme that uses only double envelopes but does not introduce Bloom filters and HSMs.
[0043] As shown in Table 2, traditional stateful cross-domain data routing methods require maintaining a large amount of session state information at intermediate nodes, with session state consuming up to 520MB of memory. Under high concurrency, the system's stable operation time is short, and due to the lack of an effective data lifecycle control mechanism, the replay attack detection rate is only 83%. While traditional gateway forwarding methods offer performance improvements, they still suffer from high memory slack and session state maintenance overhead. In contrast, this invention achieves cross-domain data routing through a stateless coordination layer and a hybrid encrypted envelope structure. It reduces the average routing latency to 41 milliseconds without maintaining session state information, while simultaneously reducing session state memory consumption to 64MB. Furthermore, it achieves a 100% replay attack detection rate through timestamps and token destruction mechanisms. Moreover, by performing a deterministic zeroing operation on the volatile memory buffer using a secure erase function, the memory slack rate is reduced to 0, thereby significantly improving security and system stability during cross-domain data exchange while ensuring data transmission efficiency.
[0044] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope, characterized in that, Includes the following steps: S1. The sending node obtains the receiving node identifier and the task identifier, and generates a session key and a destruction token. It then uses the session key to perform symmetric encryption on the original data to generate ciphertext. S2. The sending node uses the receiving node's public key to perform asymmetric encryption on the session key to generate a first ciphertext block, and encapsulates the first ciphertext block and the data ciphertext to form an inner envelope; S3. The sending node uses the public key of the coordination layer node to perform asymmetric encryption on the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token to generate a second ciphertext block, and encapsulates the second ciphertext block to form an outer envelope. S4. The sending node combines the outer envelope and the inner envelope according to the data encapsulation structure to form a data packet, and sends the data packet to the coordination layer node; S5. The coordination layer node calls the hardware security module to perform decryption processing on the outer envelope, and obtains the sending node identifier, receiving node identifier, task identifier, timestamp and destruction token from the volatile memory buffer; S6. The coordination layer node performs envelope lifecycle verification based on the timestamp and the destruction token. If the timestamp exceeds the preset time window or the destruction token is determined to be duplicated by the Bloom filter, the data packet is discarded. If the verification passes, the target node address is queried through the directory service based on the receiving node identifier, and a routing decision is generated. A route proof digest is generated using the HMAC-SM3 algorithm based on the sending node identifier, receiving node identifier, task identifier, data packet identifier, and timestamp. The route proof digest is written to the audit log, and a deterministic zeroing operation is performed on the volatile memory buffer using a secure erase function. After generating the routing decision, the target node address is written to the independent hardware register of the network interface controller or the kernel-mode dedicated forwarding buffer. Subsequently, a deterministic zeroing operation is performed on the volatile memory buffer used to store decrypted routing information (sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token) to ensure that forwarding control and memory cleanup do not conflict with each other. The Bloom filter has a fixed-size bit array whose storage space does not increase with the number of packets processed; the coordination layer node does not store any session keys, plaintext routing information, or complete destruction token records; after completing routing processing, the coordination layer node only retains an irreversible route proof digest and does not retain the original routing information, session keys, or forwarding context. S7. The coordination layer node forwards the inner envelope to the receiving node according to the routing decision. The receiving node uses its own private key to decrypt the first ciphertext block to obtain the session key, and uses the session key to decrypt the data ciphertext to obtain the original data.
2. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, Specifically, S1 is: The sending node reads the task identifier from the task management service and the receiving node identifier from the node registration information; The operating system's cryptographically secure pseudo-random number generator (CSPRNG) is invoked to generate session keys and destroy tokens; The original data byte sequence is input into a symmetric encryption algorithm (such as SM4-GCM) to perform encryption calculations and generate ciphertext. To facilitate understanding of the encryption principle, this embodiment uses byte-by-byte XOR operation as a simplified example of symmetric encryption. In actual systems, it is recommended to use the SM4-GCM algorithm that conforms to the national cryptographic standard for encryption (for specific implementation, refer to GM / T 0002-2012) to provide higher security and integrity protection.
3. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, Specifically, S2 is: The sending node reads the receiving node's public key from the node registration information; it then inputs the session key into an asymmetric encryption algorithm to perform encryption calculations and generate the first ciphertext block. The first ciphertext block and the data ciphertext are written into the envelope data structure in the order of data encapsulation to form the inner envelope; The first ciphertext block records the session key content processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the data ciphertext records the original data content processed by the symmetric encryption algorithm in the form of a byte sequence. The inner envelope contains the first ciphertext block field and the data ciphertext field in sequence according to the envelope data structure.
4. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, Specifically, S3 is: The sending node reads the coordinating layer node's public key from the node registration information; The system time is read from the operating system time service to generate a timestamp, and the sending node identifier, receiving node identifier, task identifier, timestamp, and destruction token are combined in the order of preset fields to form a routing information sequence; The routing information sequence is input into an asymmetric encryption algorithm to perform encryption calculations and generate a second ciphertext block; The second ciphertext block is written into the envelope data structure in the order of data encapsulation to form the outer envelope; The second ciphertext block records the routing information processed by the asymmetric encryption algorithm in the form of a ciphertext sequence, and the outer envelope contains the fields of the second ciphertext block according to the envelope data structure.
5. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, Specifically, S4 is: The sending node establishes a data packet data structure, which includes a data packet identifier field, an outer envelope field, and an inner envelope field in the order of fields. Write the outer envelope into the outer envelope field and the inner envelope into the inner envelope field to form a complete data packet byte sequence; Write the complete data packet byte sequence into the network transmission buffer to generate a data frame to be sent; The network communication protocol stack is invoked to perform encapsulation processing on the data frame to be sent, encapsulating it to generate a network data frame and writing it into the network interface sending queue. The network interface controller sends network data frames to the communication network, enabling the network data frames to be transmitted to the coordination layer node according to the network routing path.
6. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, Specifically, S5 is: The coordination layer node receives network data frames through the network interface controller and writes the network data frames into the network receive buffer; The network communication protocol stack is invoked to perform protocol decapsulation processing on the network data frames in the network receive buffer, and parsing is used to generate data packet byte sequences. Read the outer envelope field according to the data packet data structure and write the outer envelope byte sequence into the hardware security module input register; The hardware security module calls its internal private key to perform asymmetric decryption operations to generate a routing information byte sequence, and writes the routing information byte sequence into the hardware security module's output register; The coordination layer node reads the routing information byte sequence from the output register of the hardware security module and writes the routing information byte sequence into a volatile memory buffer; The sender node identifier, receiver node identifier, task identifier, timestamp, and destroy token are parsed from the volatile memory buffer in the order of fields.
7. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, The coordination layer node queries the target node address through the directory service based on the receiving node identifier and generates a routing decision, specifically as follows: The coordination layer node reads the receiving node identifier from the volatile memory buffer; Construct a directory service query message, which includes a receiving node identifier field; Send directory service query messages to the directory service via the network communication protocol stack; Receive the query response message returned by the directory service and parse it to generate the target node address; Write the target node address into the routing decision record, and generate the next-hop node address field in the routing decision record.
8. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, The process of performing envelope lifecycle verification based on timestamps and destruction tokens specifically involves: Read the timestamp and destroy the token from the volatile memory buffer; Read the system time from the operating system time service and calculate the time difference between the system time and the timestamp; The time difference is compared with a preset time window threshold. If the time difference is greater than the preset time window threshold, a data packet drop flag is generated and the data packet processing flow is terminated. The destruction token is input into the Bloom filter to perform an existence query. If the Bloom filter determines that the destruction token may exist (i.e., returns "may be in the set"), a packet discard flag is generated and the packet processing flow is terminated. The destroyed token is written to the Bloom filter. If the bit array fill rate of the Bloom filter reaches a preset threshold, a sliding time window mechanism is used to retain the token fingerprint in the most recent time window, or the Bloom filter reset operation is only performed within the preset security tolerance range.
9. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope as described in claim 1, characterized in that, The generated route proof digest is specifically as follows: The sender node identifier, receiver node identifier, task identifier, data packet identifier, and timestamp are combined in the order of the fields to form a summary input sequence; The digest input sequence is input with the pre-shared key and the HMAC-SM3 algorithm is used to perform hash calculation to generate a route proof digest. The routing proof digest is written to the audit log, which contains only the digest value, timestamp, and packet size, and does not contain any decrypted plaintext information or the original value of the node identifier.
10. The cross-domain data routing method based on a stateless coordination layer and a hybrid encrypted envelope according to claim 1, characterized in that, The deterministic zeroing operation performed on the volatile memory buffer using the secure erase function is specifically as follows: Get the starting address and length of the volatile memory buffer; The safe erase function is invoked to perform a byte-by-byte write-zero operation on the volatile memory buffer; zero-value bytes are written to the volatile memory buffer in ascending address order until the entire address range is covered; Execute a memory barrier instruction to flush the processor cache; The secure erase function uses a deterministic zeroing interface provided by the operating system (such as explicit_bzero or SecureZeroMemory), or uses a compiler barrier (asm volatile) to prevent optimization elimination, ensuring that plaintext routing information cannot be recovered through conventional memory forensics methods.