NIS3302-Tech_Renovation_Project

Introduction

In conventional TCP/UDP communication, IP datagrams are transmitted in plaintext over the network, which poses significant security risks: attackers can easily intercept the transmitted content using tools like Wireshark. To address this issue, our team has designed a network packet encryption and transmission system that runs in Linux kernel space. It encrypts the data in a hook function registered at a hook point of the netfilter framework and delivers the ciphertext to the recipient. We use asymmetric RSA encryption and exchange public keys during communication establishment to ensure the security of the key and prevent attackers from decrypting the ciphertext.

Preview

Operating Environment

The required operating environment for this system is as follows:

  • Operating System: Linux distribution such as Ubuntu, Debian, CentOS, etc.
  • Kernel Version: Linux kernel version 2.6.14 or above.
  • Software Dependencies: The system requires the installation of libpcap and libnetfilter_queue.
  • Hardware Requirements: At least one network interface card (NIC) is needed.
  • System Privileges: The system should be run with root user privileges.

Overall Design

[Figure: overall design]

[Figure: crypto module]

How to use

To run our system, you may need to execute the shell communication script we have written for key distribution. The command to run is as follows:

sh ./socket.sh <server/client> <TCP/UDP> <target IP> <port number>

Please make sure you have the necessary permissions and dependencies in place before running the script. Afterward, you need to insert the compiled encryption and decryption module into the system kernel and provide the required configuration rules. Here are the steps to follow:

  1. Insert the module into the kernel:
insmod encryption_module.ko

Replace encryption_module.ko with the actual name of your compiled module.

  2. Configure the necessary rules:
./configure -p tcp/udp -x src_addr -y des_addr/-m srcport -n desport

Please note that inserting a module into the kernel and configuring system rules require root privileges. Make sure you have the necessary permissions before executing these commands.

Please ensure that the parameters entered are correct; you can then communicate to test the encryption effect. For more details, refer to the source code or our system test folder, which is documented in Chinese.
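
The rule options above (-p, -x, -y, -m, -n) select packets by protocol, addresses and ports. As an added illustration (not the project's own code), this userspace C model shows the bounds-checked IPv4 header parsing and rule match a hook needs before it touches a payload. The `rule` struct, the zero-means-any convention, the function name and the sample packet are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical rule mirroring -p/-x/-y/-m/-n; a zero field means "any". */
struct rule { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns the offset of the transport payload if the rule selects this
 * packet, or -1 if the packet must pass through unmodified. */
int match_payload_offset(const struct rule *r, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;      /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* header may carry options */
    size_t tot = be16(pkt + 2);                         /* IP total length */
    if (ihl < 20 || ihl > tot || tot > len) return -1;  /* malformed or truncated */
    if (be16(pkt + 6) & 0x1fff) return -1;              /* non-first fragment: no L4 header */
    uint8_t proto = pkt[9];
    size_t l4min = proto == 6 ? 20 : proto == 17 ? 8 : 0;
    if (!l4min || tot - ihl < l4min) return -1;         /* only TCP (6) and UDP (17) */
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = proto == 6 ? (size_t)(l4[12] >> 4) * 4 : 8; /* TCP data offset */
    if (l4len < l4min || ihl + l4len > tot) return -1;
    if (r->proto && r->proto != proto) return -1;
    if (r->src && r->src != be32(pkt + 12)) return -1;
    if (r->dst && r->dst != be32(pkt + 16)) return -1;
    if (r->sport && r->sport != be16(l4)) return -1;
    if (r->dport && r->dport != be16(l4 + 2)) return -1;
    return (int)(ihl + l4len);
}

/* Constructed sample: IPv4/UDP 192.0.2.1:4000 -> 192.0.2.2:5000, 4-byte payload. */
const uint8_t SAMPLE_UDP[32] = {
    0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1, 192, 0, 2, 2,
    0x0f, 0xa0, 0x13, 0x88, 0x00, 0x0c, 0x00, 0x00,
    'd', 'a', 't', 'a'
};

int main(void)
{
    struct rule r = { 17, 0xC0000201u, 0xC0000202u, 4000, 5000 };
    printf("payload offset: %d\n", match_payload_offset(&r, SAMPLE_UDP, sizeof SAMPLE_UDP));
    return 0;
}
```

Non-first fragments carry no transport header, so a port-based rule cannot be evaluated on them; this model passes them through, which is a design choice of the example.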

Our Team
@ChubbyChenJK
@cyChen2003
@Zichuan-c
@vagueeee
@SJTUzeroking

Special Thanks

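lk_crypto_test, from alekseymmm's repository on GitHub

A Detailed Explanation of Linux Socket Programming, from hguisu's blog on CSDN

Information Security Course 9: Raw Socket Programming, from ustcsse308 on Zhihu

A Brief Analysis of the Linux Network-Layer Packet Send/Receive Flow and the Netfilter Framework, from Tencent-tech on Zhihu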
