Network data encryption method, network data decryption method, and electronic device
By performing encryption in the backend driver or virtualization process on the host side, the message data is ensured to be encrypted inside the virtual machine, which solves the problem of plaintext traffic being captured in the virtualized network and realizes secure isolation and efficient communication of the virtual machine network.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- DAWNING CLOUD COMPUTING TECH CO LTD
- Filing Date
- 2026-05-28
- Publication Date
- 2026-07-03
AI Technical Summary
In virtualized network environments, existing technologies deploy encrypted locations on virtual switches, allowing attackers to capture plaintext traffic on the data communication link between virtual machines and virtual switches, resulting in low security for virtual network communication.
Encryption is performed in the backend driver or virtualization process on the host side, so that the message data enters the virtual switch in encrypted form only after leaving the first backend processing module. Encryption is ensured to be performed inside the virtual machine through shared memory or shared kernel path communication, preventing plaintext messages from being stolen.
It effectively prevents malicious attackers with host access privileges from stealing sensitive data from virtual machines, achieves isolation and security protection of virtual machine network communication, improves network security, and maintains flexibility and scalability in different virtualization network scenarios.
Smart Images

Figure CN122339843A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network security technology, specifically to a network data encryption method, a network data decryption method, and an electronic device. Background Technology
[0002] In a virtualized network environment, network communication between virtual machines is typically forwarded through virtual switches on the host machine. However, relevant virtualized network security methods often deploy encryption on the virtual switches, allowing attackers to capture plaintext traffic on the data communication link between the virtual machines and the virtual switches, resulting in low security for virtual network communication. Summary of the Invention
[0003] In view of the above problems, this application provides a network data encryption method, a network data decryption method, and an electronic device.
[0004] According to a first aspect of this application, a network data encryption method is provided, comprising: a first back-end processing module encrypting the message data to be sent to obtain initial data, and sending the initial data to a virtual switch running in the kernel space or user space of a host, wherein the first back-end processing module and the virtual switch communicate via shared memory or shared kernel path; the virtual switch determining the target virtual machine corresponding to the message data, and sending the initial data to a second back-end processing module corresponding to the target virtual machine, wherein the second back-end processing module and the virtual switch communicate via shared memory or shared kernel path.
[0005] According to embodiments of this application, the first backend processing module is located between the virtual machine data exit and the virtual switch entry. The second backend processing module is a module with the same function as the first backend processing module, located in the virtualization driver backend of the host where the target virtual machine resides. It performs encryption processing based on the first backend processing module, ensuring that the message data only enters the virtual switch or network channel in its initial encrypted form after leaving the first backend processing module. Since the encryption operation occurs within the backend driver or virtualization process on the host side, the message data exists only within the initial virtual machine and the target virtual machine. Therefore, the host operating system and any process / thread running on the host cannot obtain the plaintext message, effectively preventing malicious attackers with host access rights or unauthorized administrators from stealing sensitive virtual machine data, thus achieving isolation and security protection for virtual machine network communication.
[0006] According to an embodiment of this application, the network data encryption method further includes: determining a first backend processing module corresponding to the initial virtual machine based on a virtualization network policy configured for the initial virtual machine, wherein the virtualization network policy of the initial virtual machine is the same as that of the target virtual machine, and the initial virtual machine is used to send message data.
[0007] According to embodiments of this application, by determining the corresponding first backend processing module based on the virtualization network policy configured in the initial virtual machine, and ensuring that the initial virtual machine and the target virtual machine have the same virtualization network policy, consistency of network policies and secure communication between virtual machines can be achieved. In addition, by moving the encryption and decryption processing from the virtual switch to the first backend processing module directly associated with the initial virtual machine, and dynamically determining the first backend processing module according to the virtualization network policy, the message data sent by the initial virtual machine is encrypted into initial data before entering the virtual switch. The message data always exists in ciphertext form. Even if an attacker obtains access to the host operating system, they cannot capture the plaintext messages of the initial virtual machine on the host side, thereby improving network security.
[0008] According to an embodiment of this application, a first backend processing module corresponding to the initial virtual machine is determined based on the virtualization network policy configured for the initial virtual machine, including: when the virtualization network policy is a semi-virtualized input / output network policy, the first backend processing module is determined to be an execution unit associated with the virtual machine monitor process in the user space on the host side; when the virtualization network policy is a backend driver acceleration policy, the first backend processing module is determined to be a backend driver thread on the host side.
[0009] According to embodiments of this application, by automatically determining the first backend processing module based on the virtualization network policy type, without manual intervention or hard-coded configuration, the flexibility and scalability of the system under different virtualization network scenarios are significantly improved. In addition, for semi-virtualized input / output network policies, the first backend processing module responsible for encryption and decryption is executed in the packet sending and receiving path of the QEMU user-space process, ensuring universal compatibility. For backend driver acceleration policies that require high-performance acceleration, the first backend processing module responsible for encryption and decryption is handled by an independent backend thread on the host side, avoiding additional switching and copying between user-space processes and kernel space, thereby maximizing network throughput.
[0010] According to an embodiment of this application, when the virtualization network policy is a backend driver acceleration policy, determining the first backend processing module as a host-side backend driver thread includes: when the backend driver acceleration policy is a virtual host network policy, determining the first backend processing module as a host-side kernel-mode backend driver thread; and when the backend driver acceleration policy is a virtual host user-mode policy, determining the first backend processing module as a host-side user-mode backend driver thread.
[0011] According to the embodiments of this application, for the three pre-configured virtual host user-space policies, virtual host network policies, and semi-virtualized input / output network policies, the first back-end processing module is always located between the initial virtual machine data exit and the virtual switch, ensuring that the packet data is encrypted before entering the virtual switch, thereby reducing the risk of the host side (such as a virtual Ethernet probe device or inside the virtual switch) capturing the virtual machine plaintext traffic and improving the confidentiality of communication in a multi-tenant environment.
[0012] According to an embodiment of this application, the first backend processing module encrypts the message data to be sent, including: determining the target matching field in the header data of the message data that matches a preset field based on the target field matching rule; performing bit operations on the target matching field and the payload data in the message data respectively using a preset key stream sequence to complete the encryption processing of the target matching field and the payload data, and the initial data is obtained by combining the encrypted payload data, the encrypted target matching field and the header data.
[0013] According to embodiments of this application, by employing a local encryption mechanism based on target field matching rules, only the target matching field and payload data in the packet header data that match preset fields are encrypted, while the remaining header fields, such as unmatched IP addresses and TCP / UDP port numbers, remain in plaintext. This ensures the confidentiality of the core packet content while guaranteeing that network intermediate devices (such as virtual switches, routers, and load balancers) can correctly parse the key information used for forwarding and traffic distribution in the packet header. Since fields such as IP addresses and TCP / UDP port numbers in the header data are not encrypted or are only partially encrypted and do not affect routing decisions, Layer 2 forwarding of virtual switches, Layer 3 forwarding based on IP addresses, NAT address translation based on IP and port mapping, and Layer 4 load balancing based on IP and port distribution can all work normally. This avoids the network service unavailability problem caused by full packet encryption, achieves the unification of encryption requirements and network function compatibility, and solves the technical problem of rapid performance degradation and increased latency caused by decryption and re-encryption in intermediate devices in the scenario of full packet encryption.
[0014] According to an embodiment of this application, the network data encryption method further includes: encrypting an initial factor in groups based on a preset key to obtain an initial key stream, wherein the initial factor is generated based on a random number generator; iteratively encrypting the initial key stream using the preset key to obtain multiple iterative key streams; and obtaining a preset key stream sequence using the initial key stream and the multiple iterative key streams.
[0015] According to embodiments of this application, encryption based on a preset key stream sequence can ensure that the message length does not change before and after encryption, so as not to affect the configuration of associated network cards and virtual switches.
[0016] According to an embodiment of this application, the virtual switch includes a first virtual switch and a second virtual switch, with the initial virtual machine and the target virtual machine located on the same host; wherein, the virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data to the second back-end processing module corresponding to the target virtual machine, including: the first virtual switch extracting keywords from the header data to obtain target keywords, the target keywords including at least one of the destination network address, transport layer port, and virtual LAN identifier; determining the target virtual machine corresponding to the target keywords and sending the initial data to the second virtual switch; the second virtual switch sending the initial data to the second back-end processing module corresponding to the target virtual machine.
[0017] According to the embodiments of this application, since the target virtual machine and the initial virtual machine are located on the same host, communication does not require the participation of a physical network card, further reducing forwarding latency; by using the first virtual switch to extract key information such as the destination network address, transport layer port, and virtual LAN identifier from the initial data header for forwarding decisions, the initial data can be accurately forwarded across virtual switches while maintaining its encrypted form, thereby avoiding the security risks and performance overhead caused by cross-device decryption.
[0018] According to an embodiment of this application, an initial virtual machine is set on a first host, and a target virtual machine is set on a second host. The network data encryption method further includes: a first back-end processing module sending initial data to an initial physical network card set on the first host; a physical switch determining a second host corresponding to the packet data and sending the initial data received via the initial physical network card to a target physical network card corresponding to the second host; and a virtual switch determining a target virtual machine corresponding to the packet data and sending the initial data received via the target physical network card to a second back-end processing module corresponding to the target virtual machine.
[0019] According to the embodiments of this application, by sending the encrypted initial data via the physical network card, forwarding it across machines by an external physical switch based on the plaintext header information in the initial data, and then sending it to the corresponding second back-end processing module for decryption by the virtual switch of the second host, the initial data is kept in ciphertext form throughout the entire cross-physical host transmission path. This avoids the security risks caused by decryption by intermediate devices, and is compatible with the normal forwarding function of existing physical network devices. No modifications to the physical network are required, thus achieving end-to-end encryption protection for virtual machine cross-host communication.
[0020] According to a second aspect of this application, a network data decryption method is provided, comprising: detecting state changes and inference logs of a target virtual node during the inference process of a target task, and obtaining detection results; and restarting the inference process of the target task if the detection results are abnormal.
[0021] According to embodiments of this application, the first backend processing module is always deployed between the data egress of the initial virtual machine and the virtual switch, while the second backend processing module is always deployed between the virtual switch and the data ingress of the target virtual machine. Therefore, plaintext packets sent by the initial virtual machine are encrypted by the first backend processing module into initial data after leaving the initial virtual machine and before entering the virtual switch. The initial data flows through the virtual switch and the host network path in ciphertext form until it reaches the second backend processing module on the target virtual machine side, where it is decrypted and restored to plaintext packet data before being sent to the target virtual machine. This mechanism ensures that encryption occurs at the very beginning of the initial virtual machine's egress and decryption occurs at the very end of the target virtual machine's ingress, thus ensuring that the packet data always exists in ciphertext form throughout the entire host network link, reducing the risk of capturing plaintext traffic of the virtual machine on the host side.
[0022] A third aspect of this application provides an electronic device comprising: one or more processors; and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method described above. Attached Figure Description
[0023] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments of this application with reference to the accompanying drawings.
[0024] Figure 1 The diagram illustrates an application scenario of the network data encryption method and the network data decryption method according to embodiments of this application.
[0025] Figure 2 A flowchart of a network data encryption method according to an embodiment of this application is shown.
[0026] Figure 3 A schematic diagram showing the deployment location of the first backend processing module under different virtualization network strategies according to embodiments of this application is illustrated.
[0027] Figure 4 A schematic diagram of message data according to an embodiment of this application is shown.
[0028] Figure 5 A flowchart of a network data decryption method according to an embodiment of this application is shown.
[0029] Figure 6 A block diagram of an electronic device suitable for implementing a network data encryption method and a network data decryption method according to an embodiment of this application is shown. Detailed Implementation
[0030] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.
[0031] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.
[0032] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.
[0033] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B and C, etc.).
[0034] Transmission Control Protocol (TCP) messages are connection-oriented, reliable, byte-stream-based transport layer protocol messages. A connection must be established before data can be sent, and mechanisms such as acknowledgment, retransmission, and flow control are provided.
[0035] Internet Protocol (IP) packets are used to address and route data packets across a network, enabling cross-network transmission from a source host to a destination host.
[0036] User Datagram Protocol (UDP) packets are connectionless and unreliable transport layer protocol packets. They do not establish connections or provide acknowledgment and retransmission mechanisms, making them suitable for application scenarios with high real-time requirements and a tolerance for a small amount of packet loss.
[0037] HyperText Transfer Protocol (HTTP) is an application layer protocol used to transfer hypertext, such as web pages, images, and videos, between browsers and servers.
[0038] Ethernet is a local area network (LAN) communication technology standard that defines the transmission specifications for the data link layer and the physical layer. It is a commonly used frame encapsulation and transmission protocol in wired networks.
[0039] A virtual switch (vSwitch) is a software-based network switching device used to forward packet data between virtual machines, containers, or physical network interfaces. It supports network functions such as Layer 2 / Layer 3 switching, Virtual Local Area Network (VLAN), Network Address Translation (NAT), and tunneling.
[0040] Virtual Input / Output Network (virtio-net) is a standard semi-virtualized network card strategy. The virtual machine uses the virtio-net front-end driver, while the host side uses hardware virtualization software (QuickEmulator, QEMU) to simulate the back-end device. The packet sending and receiving path goes through the QEMU process, and there is switching between user mode and kernel mode and data copying.
[0041] The Virtual Host Network (vhost-net) offloads backend processing from QEMU to the vhost-net backend driver process in the host kernel, reducing user-mode and kernel-mode switching and data copying, and improving network throughput.
[0042] Virtual Host User (vhost-user) network interface cards migrate backend processing to user-space processes. For example, in backend data plane development (DPDK), zero-copy is achieved through shared memory, resulting in high-performance network input / output close to that of physical network interface cards.
[0043] Related virtualization network security methods typically deploy encryption on virtual switches, causing raw plaintext packets sent by virtual machines to pass through a data communication link between the virtual machine and the virtual switch before reaching the virtual switch. If an attacker gains access to the host operating system, they can capture plaintext traffic in this data communication link using packet sniffing tools, thereby obtaining sensitive communication content. Furthermore, if full packet encryption is used, the packet header (such as IP address, TCP / UDP port number, etc.) is completely encrypted, causing intermediate network nodes (such as load balancers and NAT devices) to be unable to properly parse the packet header information, thus failing to complete traffic distribution or address translation. Intermediate nodes must decrypt the packet before forwarding it, and then re-encrypt and send it, resulting in significant performance degradation, reduced security, and increased transmission latency.
[0044] On the other hand, conventional tunnel encryption techniques add an extra header or alter the original message length after encryption, causing the overall message length to exceed the Maximum Transmission Unit (MTU) supported by physical network devices (such as network interface cards and physical switches). If the MTU values of intermediate nodes in the network are not adjusted synchronously, excessively long messages will be discarded, leading to communication interruptions or frequent retransmissions. Adjusting the MTU usually requires reconfiguring physical network devices, which is complex and has a wide impact in large virtualization environments, limiting the flexible deployment of encryption technology in virtual networks.
[0045] To address at least one of the aforementioned problems, embodiments of this application provide a network data encryption method. A first backend processing module encrypts the message data to be sent to obtain initial data, and sends the initial data to a virtual switch running in the kernel space or user space of the host. The first backend processing module and the virtual switch communicate via shared memory or shared kernel path. The virtual switch determines the target virtual machine corresponding to the message data and sends the initial data to a second backend processing module corresponding to the target virtual machine. The second backend processing module and the virtual switch communicate via shared memory or shared kernel path.
[0046] In scenarios involving automated decision-making using personal information, the methods, devices, and systems provided in this application all offer users corresponding entry points for choosing to agree to or reject the automated decision-making results. If the user chooses to reject, the process proceeds to the expert decision-making stage. Here, "automated decision-making" refers to the activity of automatically analyzing and evaluating an individual's behavioral habits, interests, or economic, health, and credit status through computer programs, and then making a decision. Here, "expert decision-making" refers to the activity of making decisions by personnel who specialize in a particular field, possess specialized experience, knowledge, and skills, and have reached a certain level of professional expertise.
[0047] Figure 1 The diagram illustrates an application scenario of the network data encryption method and the network data decryption method according to embodiments of this application.
[0048] like Figure 1 As shown, the message data sent by the source virtual machine 110 is sent to the corresponding encryption module 120, which encrypts the message data. The encrypted message data is then sent to the virtual switch 130 running on the source host. The virtual switch 130 determines the target virtual machine 140 to be forwarded based on the forwarding information in the message and sends the encrypted message data to the virtual switch 150 on the target host via the network. The virtual switch 150 receives the encrypted message data and sends it to the decryption module 160 corresponding to the target virtual machine 140. The decryption module 160 decrypts and restores the encrypted message data, and finally sends the restored message data to the target virtual machine 140.
[0049] Figure 2 A flowchart of a network data encryption method according to an embodiment of this application is shown.
[0050] like Figure 2 As shown, the network data encryption method of this embodiment includes operations S210 to S220.
[0051] During operation of S210, the first back-end processing module encrypts the message data to be sent to obtain initial data, and sends the initial data to the virtual switch running in the kernel space or user space of the host.
[0052] During operation of S220, the virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data to the second back-end processing module corresponding to the target virtual machine.
[0053] The message data is the raw data packet sent by the source virtual machine over the network, such as TCP / IP messages, UDP messages, or other application layer data.
[0054] The first backend processing module is located on the host side where the source virtual machine is located. It is used to perform preprocessing operations such as encryption, encapsulation or format conversion on the packet data sent by the source virtual machine before it enters the virtual switch. It runs in the backend service process provided by the host under the semi-virtualized network architecture.
[0055] The location of the first backend processing module is determined based on the network interface card (NIC) backend type used by the source virtual machine. For example, if the source virtual machine uses the virtio-net NIC, the first backend processing module is located in the packet transmission and reception path monitoring section of the QEMU process (Library for Virtualization, libvirt), and performs encryption processing on the packet data sent by the source virtual machine within the QEMU process.
[0056] The first backend processing module encrypts the message data using a preset encryption algorithm and key to obtain the initial data. The initial data is the data obtained after encryption processing by the first backend processing module.
[0057] When the virtual machine's semi-virtualized network interface card (NIC) is of type virtio-net, the corresponding virtual switch can run in the host's kernel space, such as the Open vSwitch kernel module. The first backend processing module is the host-side QEMU user-space process. After receiving packet data, the QEMU user-space process sends the packet data through the interface. After the packet data enters the kernel space, it calls an encryption algorithm to encrypt the packet data to obtain the initial data, which is then copied to the virtual switch located in the kernel space. The first backend processing module of the user-space process and the virtual switch in the kernel space communicate using shared memory.
[0058] Shared memory communication is used for data exchange between the user-mode first back-end processing module and the user-mode virtual switch or the kernel-mode virtual switch. The two communicating parties exchange data by accessing the same physical memory area, avoiding data copying and system calls, and improving transmission efficiency.
[0059] When the virtual machine's semi-virtualized network interface card (NIC) is of type vhost-net, the virtual switch corresponding to the virtual machine can run in the host's kernel space. For example, in the Open vSwitch kernel module, the first back-end processing module in kernel mode communicates with the virtual switch in kernel mode using a shared kernel path.
[0060] Shared kernel path communication is used for data exchange between the first back-end processing module in kernel mode and the virtual switch in kernel mode. The first back-end processing module and the virtual switch transmit messages through a shared data channel in the kernel, reducing the copying of data between different address spaces.
[0061] When the virtual machine's semi-virtualized network interface card (NIC) is of type vhost-user, the virtual switch runs in the host's user space. For example, in DPDK, the first back-end processing module in user space communicates with the virtual switch in user space using shared memory. By using a polling method, the switching between kernel and user space is reduced, thereby improving throughput.
[0062] The target virtual machine characterization determines the virtual machine instance receiving the packet data by querying the forwarding table of the virtual switch based on the destination information in the packet data, such as the port address.
[0063] The second backend processing module is functionally symmetrical to the first backend processing module. It is located in the virtualization driver backend of the host where the target virtual machine is located. It is responsible for receiving initial data from the virtual switch, performing decryption, decapsulation and other recovery processing on the initial data, and finally sending the recovered message data to the target virtual machine.
[0064] The second back-end processing module communicates with the virtual switch via shared memory or shared kernel path.
[0065] According to embodiments of this application, the first backend processing module is located between the virtual machine data exit and the virtual switch entry. The second backend processing module is a module with the same function as the first backend processing module, located in the virtualization driver backend of the host where the target virtual machine resides. It performs encryption processing based on the first backend processing module, ensuring that the message data only enters the virtual switch or network channel in its initial encrypted form after leaving the first backend processing module. Since the encryption operation occurs within the backend driver or virtualization process on the host side, the message data exists only within the initial virtual machine and the target virtual machine. Therefore, the host operating system and any process / thread running on the host cannot obtain the plaintext message, effectively preventing malicious attackers with host access rights or unauthorized administrators from stealing sensitive virtual machine data, thus achieving isolation and security protection for virtual machine network communication.
[0066] According to an embodiment of this application, the network data encryption method further includes: determining a first backend processing module corresponding to the initial virtual machine based on a virtualization network policy configured for the initial virtual machine, wherein the virtualization network policy of the initial virtual machine is the same as that of the target virtual machine, and the initial virtual machine is used to send message data.
[0067] The initial virtual machine is the source virtual machine instance that sends message data in the communication session.
[0068] Virtualization network policies are network access rules and security policies configured for virtual machines, including but not limited to encryption algorithms, keys, allowed communication peers, bandwidth limits, access control lists, etc.
[0069] The initial virtual machine uses the same virtualization network policy as the target virtual machine.
[0070] The system locates and binds the first backend processing module corresponding to the virtualization network policy pre-configured for the initial virtual machine. Simultaneously, the target virtual machine must be configured with the same virtualization network policy to ensure that the security parameters at both ends match, thereby enabling subsequent encrypted communication to be established correctly.
[0071] In one implementation, the management platform configures virtualization network policy P1 for the initial virtual machine VM-A, specifying the use of the vhost-user network interface card as the first backend processing module. Based on policy P1, the system determines that the first backend processing module corresponding to the initial virtual machine VM-A is the DPDK vhost-user backend instance. Simultaneously, the management platform ensures that the target virtual machine VM-B is also configured with the same virtualization network policy P1, thereby guaranteeing that the second backend processing module corresponding to VM-B can correctly decrypt the initial data from VM-A and complete secure communication.
[0072] According to embodiments of this application, by determining the corresponding first backend processing module based on the virtualization network policy configured in the initial virtual machine, and ensuring that the initial virtual machine and the target virtual machine have the same virtualization network policy, consistency of network policies and secure communication between virtual machines can be achieved. In addition, by moving the encryption and decryption processing from the virtual switch to the first backend processing module directly associated with the initial virtual machine, and dynamically determining the first backend processing module according to the virtualization network policy, the message data sent by the initial virtual machine is encrypted into initial data before entering the virtual switch. The message data always exists in ciphertext form. Even if an attacker obtains access to the host operating system, they cannot capture the plaintext messages of the initial virtual machine on the host side, thereby improving network security.
[0073] According to an embodiment of this application, a first backend processing module corresponding to the initial virtual machine is determined based on the virtualization network policy configured for the initial virtual machine, including: when the virtualization network policy is a semi-virtualized input / output network policy, the first backend processing module is determined to be an execution unit associated with the virtual machine monitor process in the user space on the host side; when the virtualization network policy is a backend driver acceleration policy, the first backend processing module is determined to be a backend driver thread on the host side.
[0074] When the virtualization network policy is configured to use the standard paravirtualized I / O network policy for network communication, the first back-end processing module is handled by the user-space virtual machine monitor process, such as the QEMU process.
[0075] The host-side user-mode virtual machine monitor process is a software process that runs in the host user space and is responsible for managing virtual machine hardware emulation and I / O processing. The hardware virtualization software (Quick Emulator, QEMU) runs in the host-side user-mode virtual machine monitor process and is responsible for emulating hardware devices such as network cards and disks for virtual machines, and handling I / O requests issued by virtual machines, such as receiving and sending network packet data.
[0076] In one embodiment, if the semi-virtualized I / O network policy is to use a standard semi-virtualized virtio-net front-end driver network card inside the initial virtual machine, and the policy type is semi-virtualized I / O network policy, then the first back-end processing module is determined to be an execution unit within the QEMU process, such as a callback function or a dedicated thread.
[0077] When the initial virtual machine sends out message data, the message data first arrives at the packet receiving and sending path managed by libvirt in the QEMU process to complete the encryption of the message data, generate the initial data, and then send it to the virtual switch through system calls or shared memory.
[0078] The backend driver acceleration strategy is configured to use high-performance backend drivers, such as vhost-net and vhost-user, to improve network throughput. The first backend processing module is handled by a separate driver thread or process.
[0079] According to embodiments of this application, by automatically determining the first backend processing module based on the virtualization network policy type, without manual intervention or hard-coded configuration, the flexibility and scalability of the system under different virtualization network scenarios are significantly improved. In addition, for semi-virtualized input / output network policies, the first backend processing module responsible for encryption and decryption is executed in the packet sending and receiving path of the QEMU user-space process, ensuring universal compatibility. For backend driver acceleration policies that require high-performance acceleration, the first backend processing module responsible for encryption and decryption is handled by an independent backend thread on the host side, avoiding additional switching and copying between user-space processes and kernel space, thereby maximizing network throughput.
[0080] According to an embodiment of this application, when the virtualization network policy is a backend driver acceleration policy, determining the first backend processing module as a host-side backend driver thread includes: when the backend driver acceleration policy is a virtual host network policy, determining the first backend processing module as a host-side kernel-mode backend driver thread; and when the backend driver acceleration policy is a virtual host user-mode policy, determining the first backend processing module as a host-side user-mode backend driver thread.
[0081] Virtual host network policy is a subtype of backend driver acceleration policy. The initial virtual machine is configured to use the virtual host network card vhost-net, and the backend driver of the virtual host network card runs in the host kernel mode.
[0082] When the backend driver acceleration strategy is a virtual host network strategy, the first backend processing module is the vhost-net backend driver thread running in the Linux kernel space of the operating system, which is responsible for handling the virtual machine's network I / O and encryption / decryption operations.
[0083] In one embodiment, the backend driver acceleration strategy is a virtual host network strategy. Packet data is encrypted within the vhost-net backend driver thread and then directly transmitted to the virtual switch, which also resides in kernel mode, via a shared kernel path. Because encryption occurs within the vhost-net kernel driver, the packet data is already initially encrypted before reaching the virtual Ethernet Tap or virtual switch. Therefore, even if the host captures the tap network card or virtual switch port, plaintext packet data cannot be obtained.
[0084] Virtual host user-space policies are a subtype of backend driver acceleration policies. Initially, the virtual machine is configured to use the virtual host user-space network interface card vhost-user. The backend driver thread runs in a dedicated thread in the host user-space space (such as the DPDK vhost-user polling thread), which is responsible for handling the virtual machine's network I / O and encryption / decryption operations.
[0085] In one embodiment, the backend driver acceleration strategy is a virtual host user-space strategy. Packet data is encrypted within the DPDKvhost-user user-space backend driver thread, and then directly transmitted via shared memory to the virtual switch, which also resides in user-space. Encryption occurs within the user-space backend driver; the packet data is already initially encrypted before entering any host-observable path (such as the kernel protocol stack or tap device). Therefore, even on the host, plaintext packet data cannot be obtained.
[0086] Figure 3 A schematic diagram showing the deployment location of the first backend processing module under different virtualization network strategies according to embodiments of this application is illustrated.
[0087] like Figure 3As shown, when the virtualization network policy for the initial virtual machine 310 is configured as a semi-virtualized I / O policy, the first back-end processing module 320 corresponding to the initial virtual machine 310 is implemented as a QEMU process running in user space, encrypting the packet data of the initial virtual machine 310 using the virtio-net network card. When the virtualization network policy for the initial virtual machine 330 is configured as a virtual host network policy, the first back-end processing module 340 corresponding to the initial virtual machine 330 is deployed in the vhost-net driver back-end thread in kernel space. When the virtualization network policy for the initial virtual machine 350 is configured as a virtual host user-space policy, the first back-end processing module 360 corresponding to the initial virtual machine 350 is deployed in the vhost-user back-end driver thread in user space. The encryption engine is located in the first back-end processing module and uses software or hardware methods based on the central processing unit (CPU) for encryption and decryption, ensuring that the packet data is encrypted before entering the virtual switch, thereby avoiding the capture of plaintext traffic on the host side.
[0088] According to the embodiments of this application, for the three pre-configured virtual host user-space policies, virtual host network policies, and semi-virtualized input / output network policies, the first back-end processing module is always located between the initial virtual machine data exit and the virtual switch, ensuring that the packet data is encrypted before entering the virtual switch, thereby reducing the risk of the host side (such as a virtual Ethernet probe device or inside the virtual switch) capturing the virtual machine plaintext traffic and improving the confidentiality of communication in a multi-tenant environment.
[0089] According to an embodiment of this application, the first backend processing module encrypts the message data to be sent, including: determining the target matching field in the header data of the message data that matches a preset field based on the target field matching rule; performing bit operations on the target matching field and the payload data in the message data respectively using a preset key stream sequence to complete the encryption processing of the target matching field and the payload data, and the initial data is obtained by combining the encrypted payload data, the encrypted target matching field and the header data.
[0090] The message data includes header data and payload data. The header data contains control information used for routing, forwarding, and identification, such as Ethernet address, IP address, TCP / UDP address, etc.
[0091] The target field matching rule is a predefined matching condition used to specify the fields to be extracted from the header data of the message as the matching objects. For example, the preset fields can be highly confidential IP addresses, port numbers, etc.
[0092] The preset fields are pre-defined field types or values in the target field matching rules, used to compare with the header data to determine the target matching fields that need to be encrypted.
[0093] Payload data is the actual transmitted data portion of the message data after removing the header data, i.e., application layer data or user data.
[0094] For header data, the system extracts the target matching field from the header data of the message data according to the target field matching rules, and then uses the preset key stream sequence to encrypt only the target matching field; if there is no target matching field that matches the preset field, there is no need to encrypt the header data.
[0095] The payload data is encrypted by bitwise operations using a preset keystream sequence. Finally, the encrypted target matching field, the encrypted payload data, and the unencrypted header data are combined to form the initial data.
[0096] Figure 4 A schematic diagram of message data according to an embodiment of this application is shown.
[0097] like Figure 4 As shown, different encryption strategies are employed for message data from different protocols. For each type of message data, the payload data (Data) is encrypted and decrypted to protect real user data without affecting related network services. For example, for HTTP message data, only the payload data (Data) is encrypted, while the HTTP header and TCP fields are not encrypted, ensuring that Layer 3 forwarding and load balancing in the virtual switch are performed normally based on the HTTP header. For TCP / UDP message data, the TCP / UDP header information is left unencrypted, while the remaining information is encrypted, enabling Layer 4 load balancing in the virtual switch based on protocol type and port, reducing the impact on surrounding network services.
[0098] A preset key stream sequence can be generated using the SM4 Block Cipher Algorithm Output Feedback Mode (SM4 OFB). Bitwise operations are then performed on the target matching field and the payload data in the message data based on the preset key stream sequence. The result of the bitwise operation is the encrypted result.
[0099] Bitwise operations are logical operations, such as AND, OR, NOT, XOR, etc.
[0100] According to embodiments of this application, by employing a local encryption mechanism based on target field matching rules, only the target matching field and payload data in the packet header data that match preset fields are encrypted, while the remaining header fields, such as unmatched IP addresses and TCP / UDP port numbers, remain in plaintext. This ensures the confidentiality of the core packet content while guaranteeing that network intermediate devices (such as virtual switches, routers, and load balancers) can correctly parse the key information used for forwarding and traffic distribution in the packet header. Since fields such as IP addresses and TCP / UDP port numbers in the header data are not encrypted or are only partially encrypted and do not affect routing decisions, Layer 2 forwarding of virtual switches, Layer 3 forwarding based on IP addresses, NAT address translation based on IP and port mapping, and Layer 4 load balancing based on IP and port distribution can all work normally. This avoids the network service unavailability problem caused by full packet encryption, achieves the unification of encryption requirements and network function compatibility, and solves the technical problem of rapid performance degradation and increased latency caused by decryption and re-encryption in intermediate devices in the scenario of full packet encryption.
[0101] According to an embodiment of this application, the network data encryption method further includes: encrypting an initial factor in groups based on a preset key to obtain an initial key stream, wherein the initial factor is generated based on a random number generator; iteratively encrypting the initial key stream using the preset key to obtain multiple iterative key streams; and obtaining a preset key stream sequence using the initial key stream and the multiple iterative key streams.
[0102] The preset key is a fixed symmetric key that is pre-configured and stored in the system and is used to drive the block cipher algorithm.
[0103] The initial factor is a random number or non-repeating value generated by a random number generator, such as an initialization vector, to ensure that a different key stream sequence is generated for each encryption session.
[0104] The initial keystream is the first encrypted result output after the preset key performs block encryption on the initial factor, serving as the starting block of the entire keystream sequence; the iterative keystream is the subsequent keystream blocks generated after the preset key continuously encrypts the previous round of keystream, with each round's output serving as the input for the next round.
[0105] The preset key stream sequence is a fixed-length or streaming pseudo-random sequence formed by concatenating the initial key stream with multiple iterative key streams, used for bitwise encryption.
[0106] The SM4 OFB algorithm iteratively encrypts an initial factor, generates an iterative key stream independent of the message data, combines the initial key stream and multiple iterative key streams to obtain a preset key stream sequence, and performs bitwise operations on the preset key stream sequence with the message data to obtain encrypted data.
[0107] According to the embodiments of this application, a preset key stream sequence is generated based on the SM4 OFB algorithm. Encryption based on the preset key stream sequence can ensure that the message length does not change before and after encryption, so as not to affect the configuration of the associated network card and virtual switch.
[0108] According to an embodiment of this application, the virtual switch includes a first virtual switch and a second virtual switch, with the initial virtual machine and the target virtual machine located on the same host; wherein, the virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data to the second back-end processing module corresponding to the target virtual machine, including: the first virtual switch extracting keywords from the header data to obtain target keywords, the target keywords including at least one of the destination network address, transport layer port, and virtual LAN identifier; determining the target virtual machine corresponding to the target keywords and sending the initial data to the second virtual switch; the second virtual switch sending the initial data to the second back-end processing module corresponding to the target virtual machine.
[0109] The virtual switch is divided into a first virtual switch and a second virtual switch, and the initial virtual machine and the target virtual machine reside on the same physical host. The first virtual switch is responsible for receiving initial data from the first backend processing module and performing key information extraction and forwarding decisions for the packets; the second virtual switch is responsible for finally delivering the initial data to the second backend processing module corresponding to the target virtual machine.
[0110] After receiving the initial data, the first virtual switch does not forward it directly. Instead, it parses and extracts keywords from the header data. The first virtual switch extracts target keywords from the header data. These target keywords include, but are not limited to, at least one of the following: destination network address, transport layer port, and virtual LAN identifier. The keyword points to the destination virtual machine identified by the network forwarding device as the one receiving the packet data.
[0111] For example, target keywords include the destination IP address, TCP / UDP destination port number, and virtual LAN identifier.
[0112] The first virtual switch queries the internally maintained forwarding table or flow table based on the extracted target keyword to determine the target virtual machine that matches the target keyword.
[0113] For example, if the target keyword is the destination IP address "192.168.1.10", the forwarding table records the target virtual machine identifier corresponding to the destination IP address "192.168.1.10" and the corresponding second virtual switch port. After the target virtual machine is determined, the first virtual switch sends the initial data to the second virtual switch associated with the target virtual machine.
[0114] After receiving the initial data from the first virtual switch, the second virtual switch does not need to perform complex keyword extraction or route lookup again. Instead, it directly sends the initial data to the second backend processing module corresponding to the target virtual machine through an internal port or channel, based on the obtained target virtual machine identifier.
[0115] The second backend processing module then performs post-processing such as decryption on the initial data to recover the original message data and send it to the target virtual machine.
[0116] According to the embodiments of this application, since the target virtual machine and the initial virtual machine are located on the same host, communication does not require the participation of a physical network card, further reducing forwarding latency; by using the first virtual switch to extract key information such as the destination network address, transport layer port, and virtual LAN identifier from the initial data header for forwarding decisions, the initial data can be accurately forwarded across virtual switches while maintaining its encrypted form, thereby avoiding the security risks and performance overhead caused by cross-device decryption.
[0117] According to an embodiment of this application, an initial virtual machine is set on a first host, and a target virtual machine is set on a second host. The network data encryption method further includes: a first back-end processing module sending initial data to an initial physical network card set on the first host; a physical switch determining a second host corresponding to the packet data and sending the initial data received via the initial physical network card to a target physical network card corresponding to the second host; and a virtual switch determining a target virtual machine corresponding to the packet data and sending the initial data received via the target physical network card to a second back-end processing module corresponding to the target virtual machine.
[0118] The initial virtual machine is deployed on the first host, which is the source physical server. The target virtual machine is deployed on the second host, which is the destination physical server. The two are located on different physical nodes.
[0119] After the first backend processing module encrypts the message data, the problem of encrypted data transmission across physical hosts needs to be further addressed. This process involves the initial physical network card of the first host, the external physical switch, and the target physical network card of the second host. Ultimately, the transmission to the target virtual machine is completed by the virtual switch inside the second host.
[0120] The first backend processing module encrypts the message data sent by the initial virtual machine, generates initial data, and then sends the initial data to the initial physical network interface card (NIC) set up on the first host. The initial physical NIC is the network interface device connecting the first host to the external physical network, such as an Ethernet card, thereby bridging the initial data from the virtualized internal network to the physical network.
[0121] After receiving the initial data from the initial physical network interface card (NIC) of the first host, the external physical switch determines the second host corresponding to the packet data by querying its internal forwarding table or routing table based on the network layer or link layer information in the header. The physical switch then forwards the initial data received via the initial NIC to the target NIC of the second host through the physical network link. The physical switch forwards the data based solely on the plaintext header, without needing to decrypt the encrypted payload, thus ensuring forwarding efficiency.
[0122] After the target physical network interface card of the second host receives the initial data from the physical switch, it sends the initial data to the virtual switch running inside the second host. The virtual switch parses the header data in the initial data, extracts keywords such as the destination network address and transport layer port, queries the internal forwarding table, and determines the target virtual machine corresponding to the packet data.
[0123] A virtual switch can be a single instance of a virtual switch.
[0124] The virtual switch receives the initial data via the target physical network card and sends it to the second backend processing module corresponding to the target virtual machine. The second backend processing module performs decryption and other post-processing on the initial data to recover the packet data, which is then sent to the target virtual machine, completing the secure transmission and delivery of encrypted packets across physical hosts.
[0125] According to the embodiments of this application, by sending the encrypted initial data via the physical network card, forwarding it across machines by an external physical switch based on the plaintext header information in the initial data, and then sending it to the corresponding second back-end processing module for decryption by the virtual switch of the second host, the initial data is kept in ciphertext form throughout the entire cross-physical host transmission path. This avoids the security risks caused by decryption by intermediate devices, and is compatible with the normal forwarding function of existing physical network devices. No modifications to the physical network are required, thus achieving end-to-end encryption protection for virtual machine cross-host communication.
[0126] Figure 5 A flowchart of a network data decryption method according to an embodiment of this application is shown.
[0127] like Figure 5 As shown, the network data decryption method of this embodiment includes operations S510 to S520.
[0128] When operating the S510, it receives initial data from the virtual switch.
[0129] The S520 is used to decrypt the initial data to obtain the target data, and then the target data is sent to the target virtual machine.
[0130] The second backend processing module is functionally symmetrical to the first backend processing module. It is located in the virtualization driver backend of the host where the target virtual machine is located. It is responsible for receiving initial data from the virtual switch, performing decryption, decapsulation and other recovery processing on the initial data, and finally sending the recovered message data to the target virtual machine.
[0131] Based on the virtualization network policy configured for the target virtual machine, determine the second backend processing module corresponding to the target virtual machine.
[0132] The second back-end processing module communicates with the virtual switch via shared memory or a shared kernel path. The virtual switch runs in the host's kernel space or user space.
[0133] The virtual switch encrypts the message data to be sent using the first backend processing module corresponding to the initial virtual machine to obtain initial data. The virtual switch then sends this initial data to the second backend processing module corresponding to the target virtual machine. The second backend processing module performs decryption and other post-processing on the initial data to obtain the target data, which is then finally sent to the target virtual machine.
[0134] The target data is the decrypted plaintext data.
[0135] According to embodiments of this application, the first backend processing module is always deployed between the data egress of the initial virtual machine and the virtual switch, while the second backend processing module is always deployed between the virtual switch and the data ingress of the target virtual machine. Therefore, plaintext packets sent by the initial virtual machine are encrypted by the first backend processing module into initial data after leaving the initial virtual machine and before entering the virtual switch. The initial data flows through the virtual switch and the host network path in ciphertext form until it reaches the second backend processing module on the target virtual machine side, where it is decrypted and restored to plaintext packet data before being sent to the target virtual machine. This mechanism ensures that encryption occurs at the very beginning of the initial virtual machine's egress and decryption occurs at the very end of the target virtual machine's ingress, thus ensuring that the packet data always exists in ciphertext form throughout the entire host network link, reducing the risk of capturing plaintext traffic of the virtual machine on the host side.
[0136] Figure 6 A block diagram of an electronic device suitable for implementing a network data encryption method and a network data decryption method according to an embodiment of this application is shown.
[0137] like Figure 6As shown, an electronic device 600 according to an embodiment of this application includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage portion 608 into a random access memory (RAM) 603. The processor 601 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this application.
[0138] RAM 603 stores various programs and data required for the operation of electronic device 600. Processor 601, ROM 602, and RAM 603 are interconnected via bus 604. Processor 601 executes various operations of the method flow according to embodiments of this application by executing programs in ROM 602 and / or RAM 603. It should be noted that programs may also be stored in one or more memories other than ROM 602 and RAM 603. Processor 601 may also execute various operations of the method flow according to embodiments of this application by executing programs stored in one or more memories.
[0139] According to embodiments of this application, the electronic device 600 may further include an input / output (I / O) interface 605, which is also connected to a bus 604. The electronic device 600 may also include one or more of the following components connected to the input / output (I / O) interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the input / output (I / O) interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.
[0140] This application also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs, which, when executed, implement the network data encryption method according to the embodiments of this application.
[0141] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, such as including but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include ROM 602 and / or RAM 603 and / or one or more memories other than ROM 602 and RAM 603 described above.
[0142] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code enables the computer system to implement the network data encryption method provided in the embodiments of this application.
[0143] When the computer program is executed by the processor 601, it performs the functions defined in the system / apparatus of this application embodiment. According to the embodiments of this application, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0144] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.
[0145] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 609, and / or installed from the removable medium 611. When the computer program is executed by the processor 601, it performs the functions defined in the system of this application embodiment. According to the embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0146] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages include, but are not limited to, languages such as Java, C++, Python, "C", or similar programming languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0147] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0148] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and / or combined in various ways without departing from the spirit and teachings of this application. All such combinations and / or combinations fall within the scope of this application.
Claims
1. A network data encryption method, characterized by, The method includes: The first back-end processing module encrypts the message data to be sent to obtain initial data, and sends the initial data to the virtual switch running in the kernel space or user space of the host. The first back-end processing module and the virtual switch communicate via shared memory or shared kernel path. The virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data to the second back-end processing module corresponding to the target virtual machine. The second back-end processing module and the virtual switch communicate via shared memory or shared kernel path.
2. The method according to claim 1, characterized in that, The method further includes: Based on the virtualization network policy configured for the initial virtual machine, the first backend processing module corresponding to the initial virtual machine is determined. The virtualization network policy of the initial virtual machine is the same as that of the target virtual machine. The initial virtual machine is used to send the message data.
3. The method according to claim 2, characterized in that, The step of determining the first backend processing module corresponding to the initial virtual machine based on the virtualization network policy configured for the initial virtual machine includes: When the virtualization network policy is a semi-virtualized input / output network policy, the first back-end processing module is determined to be an execution unit associated with the virtual machine monitor process in the user space on the host side. When the virtualization network policy is a backend driver acceleration policy, the first backend processing module is determined to be the backend driver thread on the host side.
4. The method according to claim 3, characterized in that, When the virtualization network policy is a backend driver acceleration policy, determining that the first backend processing module is a host-side backend driver thread includes: When the backend driver acceleration strategy is a virtual host network strategy, the first backend processing module is determined to be a backend driver thread in the host-side kernel mode. When the backend driver acceleration strategy is a virtual host user-mode strategy, the first backend processing module is determined to be a host-side user-mode backend driver thread.
5. The method according to claim 1, characterized in that, The first backend processing module encrypts the message data to be sent, including: Based on the target field matching rules, determine the target matching field in the header data of the message data that matches the preset field; The target matching field and the payload data in the message data are encrypted by performing bit operations on the target matching field and the payload data respectively using a preset key stream sequence. The initial data is obtained by combining the encrypted payload data, the encrypted target matching field and the header data.
6. The method according to claim 5, characterized in that, The method further includes: The initial factors are encrypted in groups based on a preset key to obtain an initial key stream, wherein the initial factors are generated based on a random number generator. The initial key stream is iteratively encrypted using a preset key to obtain multiple iterative key streams; The preset key stream sequence is obtained using the initial key stream and multiple iterative key streams.
7. The method according to claim 1, characterized in that, The virtual switch includes a first virtual switch and a second virtual switch, and the initial virtual machine and the target virtual machine are located on the same host. The virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data to the second backend processing module corresponding to the target virtual machine, including: The first virtual switch extracts keywords from the header data to obtain target keywords, which include at least one of the following: destination network address, transport layer port, and virtual LAN identifier. Identify the target virtual machine corresponding to the target keyword, and send the initial data to the second virtual switch; The second virtual switch sends the initial data to the second backend processing module corresponding to the target virtual machine.
8. The method according to claim 2, characterized in that, The initial virtual machine is set on the first host, the target virtual machine is set on the second host, and the method further includes: The first backend processing module sends the initial data to the initial physical network card set in the first host; The physical switch determines the second host corresponding to the packet data and sends the initial data received via the initial physical network card to the target physical network card corresponding to the second host; The virtual switch determines the target virtual machine corresponding to the packet data and sends the initial data received via the target physical network card to the second back-end processing module corresponding to the target virtual machine.
9. A method for decrypting network data, characterized in that, The method, applied to the second backend processing module corresponding to the target virtual machine, includes: The second back-end processing module receives initial data from the virtual switch. The second back-end processing module communicates with the virtual switch via shared memory or a shared kernel path. The virtual switch runs in the host's kernel space or user space. The initial data is decrypted to obtain the target data, and the target data is sent to the target virtual machine. The initial data is obtained by encrypting the message data to be sent based on the first back-end processing module corresponding to the initial virtual machine. The first back-end processing module and the virtual switch communicate using shared memory or shared kernel path.
10. An electronic device, comprising: One or more processors; Memory, used to store one or more computer programs. The characteristic feature is that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 9.