CN108156112B - Data encryption method, electronic equipment and network side equipment - Google Patents

Data encryption method, electronic equipment and network side equipment

Info

Publication number
CN108156112B
Authority
CN
China
Prior art keywords
key
session key
root
session
kdc
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611096712.3A
Other languages
Chinese (zh)
Other versions
CN108156112A (en
Inventor
廖红卫
侯乐武
张闯
赵建森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu TD Tech Ltd
Original Assignee
Chengdu TD Tech Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu TD Tech Ltd
Priority to CN201611096712.3A
Publication of CN108156112A
Application granted
Publication of CN108156112B
Legal status: Active (current)

Abstract

The invention provides a data encryption method, an electronic device and a network side device. The data encryption method comprises the following steps: receiving a second session key sent by a key management distribution center (KDC), wherein the second session key is obtained by the KDC encrypting a first session key; decrypting the second session key according to a root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered; and processing the data of the electronic device according to the first session key. Because the root key stored in the electronic device and uniquely corresponding to it is used to encrypt the first session key, the security of the first session key is guaranteed and the security of communication is improved.

Description

Data encryption method, electronic equipment and network side equipment
Technical Field
The present invention relates to communications technologies, and in particular, to a data encryption method, an electronic device, and a network side device.
Background
With the development of communication technology, users' requirements for communication security have become stricter. For example, in the communication process the communication content needs to be encrypted to ensure the security of the communication and to ensure that the content is not stolen by others.
In the prior art, before each communication a Key Distribution Center (KDC) sends a key for encrypting the data of that communication to the sending end and the receiving end; the sending end encrypts the communication data with the key and sends the encrypted data, and the receiving end decrypts the received encrypted data with the key to obtain the communication data, thereby ensuring the security of the communication.
With the prior art, if the key for the communication data is leaked or intercepted, the effectiveness of the communication data encryption is compromised and the security of the communication is reduced.
Disclosure of Invention
The invention provides a data encryption method, an electronic device and a network side device that improve communication security.
The invention provides a data encryption method, which comprises the following steps:
receiving a second session key sent by a key management distribution center KDC, wherein the second session key is obtained by encrypting the first session key by the KDC;
decrypting the second session key according to a root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered;
and processing the data of the electronic equipment according to the first session key.
In an embodiment of the present invention, the second session key is obtained by the KDC encrypting the first session key according to a first service key;
the receiving of the second session key sent by the KDC further includes:
receiving a second service key sent by the KDC, wherein the second service key is obtained by encrypting the first service key by the KDC according to the root key;
the decrypting the second session key according to the root key to obtain the first session key comprises:
decrypting the second service key according to the root key to obtain the first service key;
and decrypting the second session key according to the first service key to obtain the first session key.
In an embodiment of the present invention, the electronic device stores the root key, the first service key, the second service key, the first session key, and the second session key in a trusted execution environment operating system TeeOS of the electronic device;
the decrypting the second session key according to the root key to obtain the first session key comprises:
decrypting the second session key in the TeeOS according to a root key to obtain the first session key.
In an embodiment of the present invention, the processing data according to the first session key includes:
encrypting the first data through the first session key to obtain second data;
transmitting the second data;
before the receiving of the second session key sent by the key management distribution center (KDC), the method further includes:
sending a data encryption request to the KDC.
In an embodiment of the present invention, the processing data according to the first session key includes:
receiving second data;
and decrypting the second data by the first session key to obtain first data.
In an embodiment of the present invention, the root key is an asymmetric encryption key, after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key, and the KDC sends the private key of the root key to the electronic device;
the decrypting the second session key according to the root key to obtain the first session key comprises:
and decrypting the second session key according to the private key of the root key to obtain the first session key.
In an embodiment of the present invention, the KDC and the electronic device communicate with each other through a Secure Sockets Layer (SSL) connection.
The invention provides a data encryption method, which comprises the following steps:
encrypting the first session key to obtain a second session key;
and sending a second session key to the electronic equipment so that the electronic equipment decrypts the second session key according to a root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic equipment, the root key is stored in the electronic equipment, the root key is distributed to the electronic equipment by a key management distribution center KDC when the electronic equipment is registered, and the electronic equipment processes data according to the first session key.
In an embodiment of the present invention, the encrypting the first session key to obtain the second session key includes:
encrypting the first session key according to a first service key to obtain a second session key;
before the encrypting the first session key to obtain the second session key, the method further includes:
encrypting the first service key according to the root key of the electronic equipment to obtain a second service key;
after the encrypting the first session key to obtain the second session key, the method further includes:
and sending the second service key to the electronic equipment.
In an embodiment of the present invention, the root key is an asymmetric encryption key, after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key, and the KDC sends the private key of the root key to the electronic device;
the encrypting the first service key according to the root key of the electronic device to obtain a second service key comprises:
and encrypting the first service key according to the public key of the root key of the electronic equipment to obtain a second service key.
The present invention provides an electronic device, including:
the receiving module is used for receiving a second session key sent by a key management distribution center (KDC), wherein the second session key is obtained by the KDC encrypting the first session key;
the decryption module is used for decrypting the second session key according to a root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered;
and the processing module is used for processing the data of the electronic equipment according to the first session key.
In an embodiment of the present invention, the second session key is obtained by the KDC encrypting the first session key according to a first service key;
the receiving module is further configured to receive a second service key sent by the KDC, where the second service key is obtained by encrypting the first service key by the KDC according to the root key;
the decryption module is specifically configured to:
decrypting the second service key according to the root key to obtain the first service key;
and decrypting the second session key according to the first service key to obtain the first session key.
In an embodiment of the present invention, the electronic device stores the root key, the first service key, the second service key, the first session key, and the second session key in a trusted execution environment operating system TeeOS of the electronic device;
the decryption module is specifically configured to decrypt, in the TeeOS, the second session key according to a root key to obtain the first session key.
In an embodiment of the present invention, the processing module is specifically configured to:
encrypting the first data through the first session key to obtain second data;
transmitting the second data;
the electronic device further includes: a sending module, configured to send a data encryption request to the KDC.
In an embodiment of the present invention, the root key is an asymmetric encryption key, after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key, and the KDC sends the private key of the root key to the electronic device;
the decryption module is specifically configured to decrypt the second session key according to a private key of the root key to obtain the first session key.
In an embodiment of the present invention, the processing module is specifically configured to:
receiving second data;
and decrypting the second data by the first session key to obtain first data.
In an embodiment of the present invention, the KDC and the electronic device communicate with each other through a Secure Sockets Layer (SSL) connection.
The invention provides a network side device, comprising:
the encryption module is used for encrypting the first session key to obtain a second session key;
the sending module is used for sending a second session key to the electronic equipment so that the electronic equipment decrypts the second session key according to a root key to obtain the first session key, the root key uniquely corresponds to the electronic equipment, the root key is stored in the electronic equipment, the root key is distributed to the electronic equipment by a key management distribution center KDC when the electronic equipment is registered, and the electronic equipment processes data according to the first session key.
In an embodiment of the present invention, the encryption module is specifically configured to encrypt the first session key according to a first service key to obtain the second session key;
the encryption module is further used for encrypting the first service key according to the root key of the electronic equipment to obtain a second service key;
the sending module is further configured to send the second service key to the electronic device.
In an embodiment of the present invention, the root key is an asymmetric encryption key, after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key, and the KDC sends the private key of the root key to the electronic device;
the encryption module is specifically configured to encrypt the first service key according to a public key of a root key of the electronic device to obtain a second service key.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic flow chart of a data encryption method according to a first embodiment of the present invention;
FIG. 2 is a flowchart illustrating a second embodiment of a data encryption method according to the present invention;
FIG. 3 is a flowchart illustrating a third embodiment of a data encryption method according to the present invention;
FIG. 4 is a flowchart illustrating a fourth embodiment of a data encryption method according to the present invention;
FIG. 5 is a flowchart illustrating a fifth embodiment of a data encryption method according to the present invention;
FIG. 6 is a flowchart illustrating a sixth embodiment of a data encryption method according to the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to a first embodiment of the invention;
FIG. 8 is a schematic structural diagram of a second electronic device according to an embodiment of the invention;
FIG. 9 is a schematic structural diagram of an embodiment of a network side device according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical solution of the present invention will be described in detail below with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a flowchart illustrating a data encryption method according to a first embodiment of the present invention. The execution subject of the data encryption method in this embodiment is an electronic device having a communication function and capable of accessing a communication network, such as: mobile terminals, tablet computers, notebook computers, and the like. As shown in fig. 1, the data encryption method of the present embodiment includes the following steps:
S101: Receive a second session key sent by a Key Distribution Center (KDC), wherein the second session key is obtained by the KDC encrypting a first session key.
Specifically, to encrypt communication data the KDC needs to distribute a first session key for encrypting the data of the electronic device. The first session key is a symmetric key: the electronic device acting as the data sender encrypts the data with the first session key and sends the encrypted data to the electronic device acting as the data receiver, and the receiving device decrypts the encrypted data with the same first session key to recover the original data, thereby implementing encrypted communication. In S101, after the KDC allocates the first session key for the electronic device it does not send the first session key directly, but encrypts it into a second session key, and the electronic device receives the first session key in the form of the second session key.
S102: Decrypt the second session key according to the root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered.
After receiving the second session key sent by the KDC in S101, the electronic device decrypts it according to the root key in order to obtain the first session key used for encrypting data. The root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered.
Registration of the electronic device means the first use of a service when accessing a network, for example: when a Subscriber Identity Module (SIM) card for accessing a network is inserted into the mobile device and the device first accesses the operator network to which the SIM card belongs, the electronic device may actively apply to the KDC for a root key, or the KDC may actively allocate the root key to the electronic device. Optionally, the root key is stored in a Trusted Execution Environment operating system (TeeOS) of the electronic device.
Specifically, the root key is allocated to the electronic device by the KDC. Since the root key uniquely corresponds to the electronic device, the KDC may allocate a unique root key to the electronic device, or may use a code that distinguishes the identity of the electronic device, such as the International Mobile Equipment Identity (IMEI) or the International Mobile Subscriber Identity (IMSI), as the root key.
S103: and processing the data of the electronic equipment according to the first session key.
After S101 and S102, the electronic device has obtained the first session key that the KDC distributed for encrypting data, and it processes its data according to the first session key. The processing is as follows: if the electronic device is the data sending end, the data is encrypted with the first session key; if the electronic device is the data receiving end, the data is decrypted with the first session key. S103 does not limit which of the two applies. Optionally, this step is performed in a TeeOS of the electronic device.
This embodiment provides a data encryption method in which a second session key sent by a key management distribution center (KDC) is received, the second session key being obtained by the KDC encrypting a first session key; the second session key is decrypted according to the root key to obtain the first session key, wherein the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered; and the data of the electronic device is processed according to the first session key. In the data encryption method of this embodiment, the root key stored in the electronic device and uniquely corresponding to it is used to encrypt the first session key, which ensures the security of the first session key and therefore improves the security of communication.
Fig. 2 is a flowchart illustrating a second embodiment of a data encryption method according to the present invention. As shown in fig. 2, on the basis of the first embodiment shown in fig. 1, the data encryption method of this embodiment includes the following steps:
S201: Receive a second service key sent by the KDC, wherein the second service key is obtained by the KDC encrypting a first service key according to the root key.
Specifically, the first service key is a key assigned by the KDC to a particular service of the electronic device; different services use different keys so that they can be distinguished during data encryption, and the specific encryption form of the first service key is not limited in this step. The electronic device receives the second service key sent by the KDC: after allocating the first service key for the electronic device, the KDC does not send it directly but encrypts it into the second service key, and the electronic device receives the first service key in the form of the second service key.
S202: and receiving a second session key sent by the KDC, wherein the second session key is obtained by encrypting the first session key by the KDC according to the first service key.
Specifically, to encrypt communication data the KDC needs to distribute a first session key for encrypting the data of the electronic device. The first session key is a symmetric key: the electronic device acting as the data sender encrypts the data with it and sends the encrypted data to the electronic device acting as the data receiver, which decrypts the encrypted data with the same first session key to recover the original data, thereby implementing encrypted communication. In this step, after allocating the first session key to the electronic device, the KDC does not send it directly but encrypts it into the second session key using the first service key allocated to the electronic device in S201, and the electronic device receives the first session key in the form of the second session key.
S203: and decrypting the second service key according to the root key to obtain the first service key.
After receiving the second service key sent by the KDC in S201, the electronic device decrypts it according to the root key to obtain the first service key, which is used to encrypt the first session key. The root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered. Optionally, this step is performed in a TeeOS of the electronic device.
S204: and decrypting the second session key according to the first service key to obtain the first session key.
Specifically, the electronic device decrypts the second session key by using the first service key obtained in S203 to obtain the first session key, where the second session key is obtained by the KDC encrypting the first session key according to the first service key. Optionally, this step is performed in a TeeOS of the electronic device.
S205: and processing the data of the electronic equipment according to the first session key.
The principle and specific implementation of this step are the same as S103, and are not described again.
Optionally, in the second embodiment, the electronic device stores the root key, the first service key, the second service key, the first session key, and the second session key in the trusted execution environment operating system (TeeOS) of the electronic device. S203 includes: decrypting the second session key in the TeeOS according to the root key to obtain a first session key; S204 includes: decrypting the second session key according to the first service key in the TeeOS to obtain the first session key. That is, the electronic device performs all encryption and decryption steps in the TeeOS.
Fig. 3 is a flowchart illustrating a third embodiment of a data encryption method according to the present invention. As shown in fig. 3, on the basis of the second embodiment shown in fig. 2, the execution subject of the present embodiment is an electronic device for sending data, and the data encryption method of the present embodiment includes the following steps:
S301: A data encryption request is sent to the KDC.
Specifically, when the first electronic device needs to send data to the second electronic device, after the connection between the first electronic device and the second electronic device is established, the first electronic device sends a data encryption request to the KDC to request a first session key for encrypting the data.
Specifically, when the data sent between the first electronic device and the second electronic device is voice call data, the first electronic device is a calling device, and the second electronic device is a called device, that is, the calling device sends a data encryption request to the KDC.
S302: and receiving a second service key sent by the KDC, wherein the second service key is obtained by encrypting the first service key by the KDC according to the root key.
The principle and specific implementation of this step are the same as S201, and are not described again.
S303: and receiving a second session key sent by the KDC, wherein the second session key is obtained by encrypting the first session key by the KDC according to the first service key.
The principle and specific implementation of this step are the same as S202, and are not described again.
S304: and decrypting the second service key according to the root key to obtain the first service key.
The principle and specific implementation of this step are the same as S203, and are not described again.
S305: Decrypt the second session key according to the first service key to obtain the first session key.
The principle and specific implementation of this step are the same as S204, and are not described again.
S306: the first data is encrypted by the first session key to obtain second data.
Specifically, the electronic device encrypts first data to be sent by the electronic device by using the first session key obtained by the multi-stage decryption in S304 to S305 to obtain second data. Optionally, this step is performed in a TeeOS of the electronic device.
S307: and sending the second data.
Specifically, the electronic device transmits the first data in the form of the encrypted second data. The second data can be sent directly to the receiving electronic device, or sent to the operator network and forwarded by the operator network to the other electronic device.
Fig. 4 is a flowchart illustrating a fourth embodiment of a data encryption method according to the present invention. As shown in fig. 4, on the basis of the second embodiment shown in fig. 2, the execution subject of the present embodiment is an electronic device for receiving data, and the data encryption method of the present embodiment includes the following steps:
S401: Receive a second service key sent by the KDC, wherein the second service key is obtained by the KDC encrypting the first service key according to the root key.
The principle and specific implementation of this step are the same as S201, and are not described again.
S402: and receiving a second session key sent by the KDC, wherein the second session key is obtained by encrypting the first session key by the KDC according to the first service key.
The principle and specific implementation of this step are the same as S202, and are not described again.
S403: and decrypting the second service key according to the root key to obtain the first service key.
The principle and specific implementation of this step are the same as S203, and are not described again.
S404: and decrypting the second session key according to the first service key to obtain the first session key.
The principle and specific implementation of this step are the same as S204, and are not described again.
S405: second data is received.
Specifically, the electronic device receives second data, wherein the second data is first data encrypted by a first session key.
S406: and decrypting the second data through the first session key to obtain the first data.
Specifically, the electronic device decrypts the second data received by the electronic device by using the first session key obtained by the multi-stage decryption in S403 to S404 to obtain the first data. Optionally, this step is performed in a TeeOS of the electronic device.
Optionally, the root key is an asymmetric encryption key. The root key generated by the KDC consists of a public key and a private key; after generating them, the KDC stores the public key of the root key and sends the private key of the root key to the electronic device. S203 then includes: decrypting the second session key according to the private key of the root key to obtain the first session key.
Specifically, the public key and the private key of the root key form a key pair: whichever one is used for encryption, the other is used for decryption. In this embodiment, the KDC encrypts the first service key with the public key of the root key to obtain the second service key, and the electronic device decrypts the second service key with the private key of the root key to obtain the first service key.
Optionally, in the above embodiment, the KDC and the electronic device communicate over a Secure Sockets Layer (SSL) connection to protect the channel between the electronic device and the KDC.
Fig. 5 is a flowchart illustrating a fifth embodiment of a data encryption method according to the present invention. The execution subject of this embodiment is the KDC in the network side device. As shown in fig. 5, the data encryption method of this embodiment includes the following steps:
S501: The first session key is encrypted to obtain a second session key.
Specifically, in order to encrypt the communication data of the electronic device, the KDC assigns a first session key to the electronic device with which its data is encrypted. In S501, after assigning the first session key, the KDC does not send it to the electronic device directly; instead it encrypts the first session key to obtain the second session key. Optionally, this step is performed in a TeeOS of the electronic device.
S502: The second session key is sent to the electronic device, so that the electronic device decrypts the second session key according to the root key to obtain the first session key and processes data according to the first session key, where the root key uniquely corresponds to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the key management distribution center KDC when the electronic device registered.
Specifically, the KDC sends the first session key to the electronic device in the form of the second session key encrypted in S501. After receiving the second session key, the electronic device decrypts it according to the root key to obtain the first session key with which data is encrypted. The root key uniquely corresponds to the electronic device, is stored in the electronic device, and is distributed to the electronic device by the KDC when the electronic device registers.
Registration of the electronic device means the first time the device accesses a network to use a service, for example the first time a mobile device with an inserted SIM card accesses the network of the operator to which that SIM card belongs. At registration the electronic device may actively request the root key from the KDC, or the KDC may actively distribute the root key to the electronic device. Optionally, the root key is stored in the TeeOS of the electronic device.
Specifically, the root key is allocated to the electronic device by the KDC. Since the root key uniquely corresponds to the electronic device, the KDC may allocate a unique root key to the electronic device, or may use a code that distinguishes the identity of the electronic device, such as its IMEI or IMSI, as the root key.
Fig. 6 is a flowchart illustrating a sixth embodiment of a data encryption method according to the present invention. As shown in fig. 6, on the basis of the embodiment shown in fig. 5, the data encryption method of this embodiment includes the following steps:
S601: The first service key is encrypted according to the root key of the electronic device to obtain a second service key.
Specifically, the first service key is a key assigned by the KDC to a particular service of the electronic device; different services use different keys so that they are distinguished during data encryption, and the specific form of the first service key is not limited in this step. After assigning the first service key to the electronic device, the KDC does not send it directly; instead it encrypts the first service key according to the root key of the electronic device to obtain the second service key.
S602: The first session key is encrypted according to the first service key to obtain a second session key.
In this step, after allocating the first session key to the electronic device, the KDC does not send it directly; instead it encrypts the first session key with the first service key allocated in S601 to obtain the second session key.
S603: The second service key is sent to the electronic device.
Specifically, the first service key is sent to the electronic device in the form of the second service key.
S604: The second session key is sent to the electronic device.
Specifically, the KDC sends the first session key to the electronic device in the form of the second session key.
Optionally, the root key is an asymmetric encryption key. The root key generated by the KDC consists of a public key and a private key; after generating them, the KDC stores the public key of the root key and sends the private key of the root key to the electronic device. S601 then includes: encrypting the first service key according to the public key of the root key of the electronic device to obtain the second service key.
Specifically, the public key and the private key of the root key form a key pair: whichever one is used for encryption, the other is used for decryption. In this embodiment, the KDC encrypts the first service key with the public key of the root key to obtain the second service key, and the electronic device decrypts the second service key with the private key of the root key to obtain the first service key.
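The key hierarchy of steps S401 to S406 and S601 to S604 (the root key wraps the service key, the service key wraps the session key, the session key protects the data), worked through as an added example. This is illustrative code written for this page, not code from the patent or from its assignee. It assumes symmetric keys and uses an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for a real authenticated cipher such as AES-GCM, so that it runs on the Python standard library alone; the names KDC, DeviceTEE, seal and unseal, the service label and the device identifiers are all constructed for the example. For the asymmetric option of S601, the root-key wrap would instead be a public-key encryption whose private key sits in the TEE; the standard library provides no such primitive, so that variant is not shown.

```python
"""Root key -> service key -> session key -> data, as an added example (not the patent's code)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32    # every key in the hierarchy is 256 bits (assumption for the example)
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: the keystream of the stand-in cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one hierarchy key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Encrypt-then-MAC under key; label binds the blob to its role in the hierarchy."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, label: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when key, label or data do not match the tag."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KDC:
    """Network-side key management distribution center (S601 to S604)."""

    def __init__(self):
        self.root_keys = {}   # device id -> root key, fixed at registration

    def register(self, device_id: str) -> bytes:
        """Assign the device its unique root key; returned once, for delivery to its TEE."""
        root_key = secrets.token_bytes(KEY_LEN)   # random, not derived from a device identifier
        self.root_keys[device_id] = root_key
        return root_key

    def issue(self, device_id: str, service: bytes, first_session_key: bytes):
        """S601/S602: wrap a fresh first service key under the root key and the given
        first session key under that service key; the two wrapped ('second') keys
        are what travel to the device in S603/S604."""
        first_service_key = secrets.token_bytes(KEY_LEN)
        second_service_key = seal(self.root_keys[device_id], first_service_key, b"service:" + service)
        second_session_key = seal(first_service_key, first_session_key, b"session:" + service)
        return second_service_key, second_session_key


class DeviceTEE:
    """Device-side trusted execution environment; only it holds the root key (S401 to S406)."""

    def __init__(self, root_key: bytes):
        self._root_key = root_key

    def recover_session_key(self, service: bytes, second_service_key: bytes,
                            second_session_key: bytes) -> bytes:
        """S403/S404: two-stage unwrap, root key -> service key -> session key."""
        first_service_key = unseal(self._root_key, second_service_key, b"service:" + service)
        return unseal(first_service_key, second_session_key, b"session:" + service)

    @staticmethod
    def encrypt_data(first_session_key: bytes, first_data: bytes) -> bytes:
        """Sender: first data -> second data."""
        return seal(first_session_key, first_data, b"data")

    @staticmethod
    def decrypt_data(first_session_key: bytes, second_data: bytes) -> bytes:
        """S406: second data -> first data."""
        return unseal(first_session_key, second_data, b"data")


def run_exchange() -> dict:
    """Two devices registered with one KDC receive the same session key for a call."""
    kdc = KDC()
    sender = DeviceTEE(kdc.register("dev-A"))       # constructed device ids
    receiver = DeviceTEE(kdc.register("dev-B"))
    service = b"voice"                              # constructed service label
    session_key = secrets.token_bytes(KEY_LEN)      # the first session key for this call
    a_svc, a_sess = kdc.issue("dev-A", service, session_key)
    b_svc, b_sess = kdc.issue("dev-B", service, session_key)
    k_a = sender.recover_session_key(service, a_svc, a_sess)
    k_b = receiver.recover_session_key(service, b_svc, b_sess)
    first_data = b"hello over the operator network"  # constructed sample payload
    second_data = DeviceTEE.encrypt_data(k_a, first_data)
    result = {"same_session_key": k_a == k_b,
              "roundtrip_ok": DeviceTEE.decrypt_data(k_b, second_data) == first_data}
    # Failure mode 1: a modified second session key is rejected, not decrypted to a wrong key.
    tampered = bytearray(b_sess)
    tampered[NONCE_LEN] ^= 0x01
    try:
        receiver.recover_session_key(service, b_svc, bytes(tampered))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    # Failure mode 2: keys wrapped for device A cannot be unwrapped with device B's root key.
    try:
        receiver.recover_session_key(service, a_svc, a_sess)
        result["wrong_root_detected"] = False
    except ValueError:
        result["wrong_root_detected"] = True
    return result


if __name__ == "__main__":
    print(run_exchange())
```

The label bound into each tag keeps a wrapped service key from being accepted where a wrapped session key is expected, and run_exchange() exercises the two failure modes a practitioner checks first: a modified second session key and a second service key wrapped for a different device both fail authentication instead of yielding a wrong key. The root key is drawn from a secure random source; a device identifier such as the IMEI is not secret and would not serve as key material.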
Fig. 7 is a schematic structural diagram of an electronic device according to a first embodiment of the invention. As shown in fig. 7, the electronic device of the present embodiment includes: a receiving module 701, a decryption module 702 and a processing module 703. The receiving module 701 is configured to receive a second session key sent by the key management distribution center KDC, where the second session key is obtained by the KDC encrypting the first session key; the decryption module 702 is configured to decrypt the second session key according to a root key to obtain the first session key, where the root key uniquely corresponds to the electronic device, is stored in the electronic device, and is distributed to the electronic device by the KDC when the electronic device registers; and the processing module 703 is configured to process data of the electronic device according to the first session key.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
Further, in the above embodiment, the second session key is obtained by the KDC encrypting the first session key according to the first service key, and the receiving module 701 is further configured to receive the second service key sent by the KDC, where the second service key is obtained by the KDC encrypting the first service key according to the root key. The decryption module 702 is specifically configured to decrypt the second service key according to the root key to obtain the first service key, and to decrypt the second session key according to the first service key to obtain the first session key.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 2, and the implementation principle and the technical effect are similar, which are not described herein again.
Optionally, in the foregoing embodiment, the electronic device stores the root key, the first service key, the second service key, the first session key and the second session key in its trusted execution environment operating system (TeeOS), and the decryption module 702 is specifically configured to decrypt, in the TeeOS, the second session key according to the root key to obtain the first session key.
Optionally, in the foregoing embodiment, the processing module 703 is specifically configured to receive the second data and to decrypt the second data with the first session key to obtain the first data.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 4, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 8 is a schematic structural diagram of a second electronic device according to an embodiment of the invention. As shown in fig. 8, the electronic device of this embodiment, on the basis of the first embodiment shown in fig. 7, includes: a receiving module 701, a decryption module 702, a processing module 703 and a sending module 801. The processing module 703 is specifically configured to encrypt the first data with the first session key to obtain second data, and to send the second data. The sending module 801 is configured to send a data encryption request to the KDC.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 3, and the implementation principle and the technical effect are similar, which are not described herein again.
Further, in the above embodiment, the root key is an asymmetric encryption key; after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key and sends the private key of the root key to the electronic device. The decryption module 702 is specifically configured to decrypt the second session key according to the private key of the root key to obtain the first session key.
Optionally, in the above embodiment, the KDC and the electronic device communicate over a secure socket layer (SSL) connection to protect the channel between the electronic device and the KDC.
Fig. 9 is a schematic structural diagram of an embodiment of a network side device according to the present invention. As shown in fig. 9, the network side device of the present embodiment includes: an encryption module 901 and a sending module 902. The encryption module 901 is configured to encrypt the first session key to obtain a second session key. The sending module 902 is configured to send the second session key to the electronic device, so that the electronic device decrypts the second session key according to the root key to obtain the first session key, where the root key uniquely corresponds to the electronic device, is stored in the electronic device, and is distributed to the electronic device by the key management distribution center KDC when the electronic device registers, and the electronic device processes data according to the first session key.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 5, and the implementation principle and the technical effect are similar, which are not described herein again.
Further, in the foregoing embodiment, the encryption module 901 is specifically configured to encrypt the first session key according to the first service key to obtain the second session key, and is further configured to encrypt the first service key according to the root key of the electronic device to obtain the second service key. The sending module 902 is further configured to send the second service key to the electronic device.
The apparatus of this embodiment may be correspondingly used to implement the technical solution of the method embodiment shown in fig. 6, and the implementation principle and the technical effect are similar, which are not described herein again.
Optionally, in the above embodiment, the root key is an asymmetric encryption key; after the KDC generates a public key of the root key and a private key of the root key, the KDC stores the public key of the root key and sends the private key of the root key to the electronic device, and the encryption module 901 is specifically configured to encrypt the first service key according to the public key of the root key of the electronic device to obtain the second service key.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

Priority application: CN201611096712.3A, priority date 2016-12-02, filing date 2016-12-02, "Data encryption method, electronic equipment and network side equipment", status Active, granted as CN108156112B (en).

Publications (2):
CN108156112A (en), published 2018-06-12
CN108156112B (en), published 2021-06-22 (granted publication)

Family

ID=62470414


Country status: CN, CN108156112B (en)


Legal Events

Code / Title
PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
