Disclosure of Invention
The invention aims to provide a secure communication method, a device, a mobile terminal and a storage medium that remedy the defects described in the background, namely the economic loss, privacy exposure and other serious problems that arise in existing systems from a single encryption mode, brute-force cracking of user passwords, leakage of confidential information and the like. A multiple encryption mode is adopted to close security protection loopholes, so that user privacy information or important service data cannot be stolen and data cannot be intercepted or falsified by a third party, thereby ensuring the safe and stable operation of the system. Two verification checkpoints are also set for the encryption, which avoids information leakage and ensures that the calling party of a data access interface has matching authority.
In order to achieve the above purpose, the invention provides the following technical scheme:
a secure communication method for implementing multiple encryption in communication, the secure communication method comprising the steps of:
S1: calling an interface provided by a server at an interface calling party of a client to generate a secret key and an algorithm, respectively carrying out encryption operation on a business parameter and the secret key to generate a corresponding business parameter ciphertext and a secret key ciphertext, carrying out an obfuscation operation with a secret issued by a gateway, and carrying out a digest operation by applying the algorithm to generate signature data;
S2: performing character recoding on the ciphertext and the signature data to generate a new character string, sending the new character string and the AppID of the calling party as a request parameter to a server, calling a gateway interface, and verifying the request parameter; each caller has an independent AppID;
S3: acquiring license data according to the AppID, verifying the validity of the data and the service invocation authority, obfuscating the secret in the license data with the ciphertext in the parameters by using the algorithm generated in S1 to generate signature data, and comparing the signature data with the signature data generated in S1 to verify the validity of the signature data;
S4: decrypting the ciphertext in the parameters to obtain a secret key, performing secondary decryption to generate a plaintext, transmitting the plaintext to a transaction core, acquiring response result data, encrypting the response result data, generating ciphertext data and transmitting the ciphertext data to the client;
S5: the client acquires the ciphertext data of the response result, and decrypts the ciphertext data by applying the key and the algorithm generated in step S1 to generate plaintext data.
In one embodiment, the step S1 includes:
S101: calling an interface provided by a server at an interface calling party of a client to generate a first secret key, and generating a first algorithm according to the generated first secret key;
S102: acquiring character codes of service parameters to be encrypted, applying the first algorithm to perform encryption operation, encrypting the service parameters and generating corresponding service parameter ciphertexts;
S103: generating a second algorithm according to the public key issued by the gateway, and applying the second algorithm to perform encryption operation on the first secret key to generate a corresponding secret key ciphertext;
S104: performing an obfuscation operation on the generated business parameter ciphertext and the secret issued by the gateway, wherein the obfuscation operation is realized by adding the secret issued by the gateway to the business parameter ciphertext as a suffix;
S105: performing a digest operation by using a third algorithm to generate signature data of the request, wherein the signature data is used for verifying the validity of the service parameters.
In one embodiment, the step S2 includes:
S201: performing character encoding again on the service parameter ciphertext generated in the step S102, the key ciphertext generated in the step S103 and the signature data generated in the step S105 by applying a Base64 encoding mode, and generating a new character string after processing;
S202: the generated new character string and the AppID issued by the gateway are used together as request parameters, the request parameters are sent to the server through data transmission, and a gateway interface of the server is called to verify the request parameters.
In one embodiment, the step S3 includes:
S301: calling a gateway interface of the server, verifying whether the types of the request parameters received by the server are complete, if so, judging that the parameters are legal, and carrying out the next step; if any one of the received request parameters is missing, judging the parameters to be illegal, and returning an error code;
S302: acquiring license data which is stored by a server and issued to a calling party by a corresponding gateway according to the AppID of the calling party;
S303: after license data corresponding to the AppID is obtained, the validity and the service calling authority of the license data are verified;
S304: applying the third algorithm in the step S105 to obfuscate the secret in the license data with the ciphertext in the parameter to generate signature data;
S305: comparing the signature data generated in the step S304 with the signature data generated by the client in the step S105, and verifying the validity of the signature data.
In one embodiment, the step S304 includes:
S30401: appending the secret in the license data as a suffix to the ciphertext in the parameter, thereby performing the obfuscation operation on the ciphertext in the parameter and the secret in the license data;
S30402: after the obfuscation operation is performed, the third algorithm in step S105 is applied to perform a digest operation, and signature data to be verified is generated.
In one embodiment, the step S4 includes:
S401: according to a second secret key corresponding to a second algorithm in the license, applying the second algorithm in the step S103 to decrypt the first secret key ciphertext in the parameter to obtain a first secret key;
S402: decrypting by using the generated first secret key and a corresponding first algorithm, and generating a service parameter plaintext after decryption;
S403: transmitting the decrypted service parameter plaintext to a transaction core of a server side, and acquiring response result data transmitted to the transaction core;
S404: encrypting the response result data by applying the first key generated in the step S401 and the corresponding first algorithm to generate ciphertext data of the response result data, and sending the ciphertext data to the client.
Based on the same technical concept, the present invention also provides a secure communication apparatus, comprising:
the generation module is used for calling an interface provided by the server at an interface calling party of the client to generate a secret key and an algorithm, respectively carrying out encryption operation on the business parameters and the secret key to generate corresponding business parameter ciphertext and secret key ciphertext, carrying out an obfuscation operation with a secret issued by the gateway, and carrying out a digest operation by applying the algorithm to generate signature data;
the coding module is used for performing character recoding on the ciphertext and the signature data to generate a new character string, sending the new character string and the AppID of the calling party as a request parameter to the server, calling the gateway interface and verifying the request parameter; each caller has an independent AppID;
the verification module is used for acquiring license data according to the AppID, verifying the validity and the service calling authority of the data, applying the algorithm in the generation module to obfuscate the secret in the license data with the ciphertext in the parameters to generate signature data, and comparing the signature data with the signature data generated in the generation module to verify the validity of the signature data;
the acquisition module is used for decrypting the ciphertext in the parameters to obtain a secret key, then performing secondary decryption to generate a plaintext, transmitting the plaintext to the transaction core, acquiring response result data, performing encryption processing on the response result data, and generating ciphertext data to be sent to the client;
and the decryption module is used for acquiring the ciphertext data of the response result at the client, and decrypting the ciphertext data by using the secret key and the algorithm generated in the generation module to generate plaintext data.
In one embodiment, the generating module comprises:
the key generation module is used for calling an interface provided by the server side at an interface calling party of the client side to generate a key required by business operation;
the algorithm generating module is used for generating an algorithm required by the business operation according to the generated secret key;
the ciphertext generation module is used for generating a corresponding business parameter ciphertext after encrypting the character code of the business parameter to be encrypted by using the algorithm, and for carrying out encryption operation on the secret key by using the algorithm to generate a corresponding secret key ciphertext;
and the signature generation module is used for performing an obfuscation operation on the generated business parameter ciphertext and the secret issued by the gateway, performing a digest operation by applying a third algorithm, and generating signature data required by business operation.
Based on the same technical concept, the invention also provides a mobile terminal, which comprises: a touch-sensitive display; a memory; one or more processors;
the one or more processors are configured to perform the steps of the secure communication method described above.
Based on the same technical concept, the present invention also provides a storage medium storing computer-readable instructions, which, when executed by one or more processors, cause the one or more processors to perform the steps of the above-mentioned secure communication method.
According to the secure communication method, the device, the mobile terminal and the storage medium, an interface provided by the server is called by an interface calling party of the client to generate the secret key and the algorithm, the business parameter and the secret key are encrypted respectively to generate the corresponding business parameter ciphertext and the secret key ciphertext, an obfuscation operation is performed with a secret issued by the gateway, and the algorithm is used for performing a digest operation to generate signature data; performing character recoding on the ciphertext and the signature data to generate a new character string, sending the new character string and the AppID of the calling party as a request parameter to a server, calling a gateway interface, and verifying the request parameter; each caller has an independent AppID; acquiring license data according to the AppID, verifying the validity and the service invocation authority of the data, applying the generated algorithm to obfuscate the secret in the license data with the ciphertext in the parameter to generate signature data, and comparing the signature data with the generated signature data to verify the validity of the signature data; decrypting the ciphertext in the parameters to obtain a secret key, performing secondary decryption to generate a plaintext, transmitting the plaintext to a transaction core, acquiring response result data, encrypting the response result data, generating ciphertext data and transmitting the ciphertext data to the client; and acquiring the ciphertext data of the response result at the client, and decrypting the ciphertext data by applying the generated secret key and the algorithm to generate plaintext data.
Compared with the prior art, the invention has the following beneficial effects: encryption is carried out in a multiple mode, so that it is not easy to crack, and the private information or important service data of a user is effectively prevented from being read. Security protection loopholes are effectively closed, the safe and stable operation of the system is guaranteed, and data is prevented from being intercepted or tampered with by a third party. Two secret-verification checkpoints are set, so that information leakage is avoided and the caller of a data access interface is guaranteed to have matching authority.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the present invention provides a technical solution:
a secure communication method comprises the following specific steps:
S1: calling an interface provided by a server at an interface calling party of a client to generate a secret key and an algorithm, respectively carrying out encryption operation on a business parameter and the secret key to generate a corresponding business parameter ciphertext and a secret key ciphertext, carrying out an obfuscation operation with a secret issued by a gateway, and carrying out a digest operation by applying the algorithm to generate signature data;
in this embodiment, an interface caller at the client calls an interface provided by the server to generate a key, performs an encryption operation according to a key generation algorithm to generate a ciphertext, performs an obfuscation operation on the generated ciphertext and a secret issued by the gateway, and then performs a digest operation by using the algorithm to generate signature data.
S2: performing character recoding on the ciphertext and the signature data to generate a new character string, sending the new character string and the AppID of the calling party as a request parameter to a server, calling a gateway interface, and verifying the request parameter; each calling party has an independent AppID;
recoding means that the business parameter ciphertext, the key ciphertext and the signature data generated in the step S1 are subjected to character coding again in a Base64 coding mode, a new character string is generated after processing, the new character string and the AppID issued by the gateway are used as request parameters and sent to the server, and finally, the gateway interface of the server is called so as to verify the request parameters.
Base64 encoding first selects 64 printable characters as a basic character set: the lowercase letters a-z, the uppercase letters A-Z, the digits 0-9 and the symbols "+" and "/" (plus "=" as a padding character, so in effect 65 characters). All other symbols are then converted to characters in this character set.
Every three bytes are taken as a group, for a total of 24 binary bits. The 24 bits are divided into four groups of 6 bits each. Two 0 bits are added before each group, extending the result to 32 binary bits, namely four bytes.
If the number of bytes is less than three, the processing is as follows:
a) Two-byte case: the total 16 binary bits of the two bytes are converted into three groups according to the above rule, and the last group has two 0's added before it and two 0's added after it. This results in a three-character Base64 code, and a "=" sign is appended at the end.
b) One-byte case: the 8 binary bits of the byte are converted into two groups according to the above rule, and the last group has two 0's added before it and four 0's added after it. This results in a two-character Base64 code, followed by two "=" signs at the end.
According to the following table, the symbol corresponding to each byte after expansion is obtained, namely the Base64 encoded value.
Pre-conversion: 10101101 10111010 01110110
Post-conversion: 00101011 00011011 00101001 00110110
Decimal: 43 27 41 54
Corresponding value in the code table: r b p 2
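The grouping and padding rules above, written out as an added example that is not part of the patent text. The function names are chosen for this illustration; the three sample bytes are the ones from the table above.

```python
# Base64 as described above: 3 bytes -> 24 bits -> four 6-bit groups,
# each group looked up in the 64-character code table.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def group_to_indices(chunk):
    """Turn a group of 1 to 3 bytes into its 6-bit table indices.

    Returns (indices, pad), where pad is the number of "=" signs needed.
    """
    pad = 3 - len(chunk)
    # Zero-fill on the right so a short group still forms 24 bits; this is
    # where the "0's added after" the last group come from.
    n = int.from_bytes(chunk + b"\x00" * pad, "big")
    indices = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
    # 3 bytes -> 4 indices, 2 bytes -> 3 indices, 1 byte -> 2 indices.
    return indices[: 4 - pad], pad


def sextets(data):
    """All table indices for the input, in order (the 'Decimal' row)."""
    out = []
    for i in range(0, len(data), 3):
        indices, _ = group_to_indices(data[i:i + 3])
        out.extend(indices)
    return out


def b64_encode(data):
    """Encode bytes to a Base64 string using the rules above."""
    parts = []
    for i in range(0, len(data), 3):
        indices, pad = group_to_indices(data[i:i + 3])
        parts.append("".join(ALPHABET[v] for v in indices) + "=" * pad)
    return "".join(parts)


if __name__ == "__main__":
    sample = bytes([0b10101101, 0b10111010, 0b01110110])  # bits from the table
    print(sextets(sample), b64_encode(sample))
    print(b64_encode(sample[:2]), b64_encode(sample[:1]))
```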
S3: acquiring license data according to the AppID, verifying the validity of the data and the service invocation authority, obfuscating the secret in the license data with the ciphertext in the parameters by using the algorithm generated in S1 to generate signature data, and comparing the signature data with the signature data generated in S1 to verify the validity of the signature data;
At the server, the validity of the request parameter in the step S2 is verified, and the license data, which is issued to the caller by the corresponding gateway and is stored by the server, is acquired according to the AppID in the step S2. After the corresponding data is acquired, the validity and the service invocation authority of the license data are verified, and the secret in the license data is obfuscated with the ciphertext in the parameter by using the algorithm generated in S1 to generate signature data. Finally, the generated signature data is compared with the signature data generated by the client in step S1, and the validity of the signature data is verified.
S4: decrypting the ciphertext in the parameters to obtain a secret key, performing secondary decryption to generate a plaintext, transmitting the plaintext to a transaction core, acquiring response result data, encrypting the response result data, generating ciphertext data and transmitting the ciphertext data to the client;
and according to the secret key corresponding to the algorithm in the license, the algorithm is applied to decrypt the secret key ciphertext in the parameter to obtain the secret key, the generated secret key and the corresponding algorithm are applied to perform secondary decryption, and the service parameter plaintext is generated after decryption. And transmitting the decrypted service parameter plaintext to a transaction core of the server, acquiring response result data transmitted to the transaction core, encrypting the response result data by applying the key generated in the step and a corresponding algorithm, generating ciphertext data of the response result data, and transmitting the ciphertext data to the client.
S5: the client acquires the ciphertext data of the response result, and decrypts the ciphertext data by applying the secret key and the algorithm generated in the step S1 to generate plaintext data.
Specifically, as shown in fig. 2, the step S1 further includes the following steps:
S101: calling an interface provided by a server at an interface calling party of a client to generate a first secret key, and generating a first algorithm according to the generated first secret key;
In this embodiment, the first algorithm is the AES algorithm, which may be used to protect electronic data. Specifically, AES is an iterative, symmetric-key block cipher that can encrypt and decrypt data using 128, 192, and 256 bit keys and in 128 bit (16 byte) blocks. Symmetric key ciphers use the same key to encrypt and decrypt data, as opposed to public key ciphers, which use a key pair. The number of bits of the encrypted data returned by the block cipher is the same as that of the input data. Iterative encryption uses a loop structure in which the input data is repeatedly permuted and substituted. In step S101, the interface caller at the client invokes an interface provided by the server to generate an AES key, and generates an AES algorithm according to the generated key.
S102: acquiring character codes of service parameters to be encrypted, applying a first algorithm to perform encryption operation, encrypting the service parameters and generating corresponding service parameter ciphertexts;
In this embodiment, the UTF-8 encoding of the service parameter to be encrypted is obtained, where UTF-8 is a variable-length character encoding for Unicode (also called the universal code), and the AES algorithm is applied to encrypt the service parameter, so as to generate a corresponding service parameter ciphertext.
S103: generating a second algorithm according to the public key issued by the gateway, and applying the second algorithm to perform encryption operation on the first secret key to generate a corresponding secret key ciphertext;
In this embodiment, the public key issued by the gateway is an RSA public key, and the second algorithm is the RSA algorithm. Specifically, the RSA algorithm generates a pair of RSA keys: one is the private key, which is kept secret by the user, and the other is the public key, which can be made public. The public key can be published and is available to anyone, and the private key is held by its owner for decryption. The decryptor owns the private key and issues the public key, generated by calculation from the private key, to the encryptor. For encryption, the public key is used, the ciphertext is sent to the decryptor, and the decryptor decrypts the ciphertext into plaintext by using the private key. In the step S103, an RSA algorithm is generated according to the public key issued by the gateway, and the RSA algorithm is applied to perform an encryption operation on the AES key to generate a corresponding key ciphertext.
S104: performing an obfuscation operation on the generated business parameter ciphertext and the secret issued by the gateway, wherein the obfuscation operation is realized by adding the secret issued by the gateway to the business parameter ciphertext as a suffix;
In this embodiment, when the interface caller of the client calls the interface provided by the server, the gateway issues a corresponding secret, which is used as a suffix of the service parameter ciphertext generated in step S102.
S105: performing a digest operation by using a third algorithm to generate signature data of the request, wherein the signature data is used for verifying the validity of the service parameters.
In this embodiment, the SHA256 algorithm is used as the third algorithm. Specifically, for a message of any length (counted in bits), the SHA256 algorithm generates 32 bytes of data, called a message digest. When a message is received, this message digest can be used to verify whether the data has changed, i.e., to verify its integrity. In step S105, the algorithm is applied to digest the data to generate the signature data of the present request.
Specifically, as shown in fig. 3, the step S2 further includes the following steps:
S201: performing character encoding again on the service parameter ciphertext generated in the step S102, the key ciphertext generated in the step S103 and the signature data generated in the step S105 by applying a Base64 encoding mode, and generating a new character string after processing;
S202: the generated new character string and the AppID issued by the gateway are used together as request parameters, the request parameters are sent to the server through data transmission, and a gateway interface of the server is called to verify the request parameters.
Specifically, as shown in fig. 4, the step S3 further includes the following steps:
S301: calling a gateway interface of the server, verifying whether the types of the request parameters received by the server are complete, if so, judging that the parameters are legal, and carrying out the next step; if any one of the received request parameters is missing, judging the parameters to be illegal, and returning an error code;
S302: acquiring license data which is stored by a server and issued to a calling party by a corresponding gateway according to the AppID of the calling party;
S303: after license data corresponding to the AppID is obtained, the validity and the service calling authority of the license data are verified;
S304: applying the SHA256 algorithm in the step S105 to obfuscate the secret in the license data with the ciphertext in the parameter to generate signature data;
S305: comparing the signature data generated in the step S304 with the signature data generated by the client in the step S105, and verifying the validity of the signature data.
Specifically, the step S304 includes the following steps:
S30401: appending the secret in the license data as a suffix to the ciphertext in the parameter, thereby performing the obfuscation operation on the ciphertext in the parameter and the secret in the license data;
S30402: after the obfuscation operation is performed, the third algorithm in step S105 is applied to perform a digest operation, and signature data to be verified is generated.
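The client signing in S104-S105, the recoding in S201 and the gateway checks S301-S305 can be followed in the added example below, which is not code from the patent. The AppIDs, license fields, service names and error-code strings are constructed for illustration, and the AES and RSA steps are left out, so the two ciphertexts are stand-in byte strings.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed license store keyed by AppID (S302). The field names and the
# service names are assumptions made for this illustration.
LICENSES = {
    "app-001": {"secret": b"constructed-secret-001", "valid": True,
                "services": {"pay.query"}},
    "app-002": {"secret": b"constructed-secret-002", "valid": False,
                "services": {"pay.query"}},
}

REQUIRED = ("app_id", "param_ct", "key_ct", "sign")


def sign(param_ct, secret):
    """S104/S105 and S30401/S30402: secret as suffix, then SHA-256.

    As described in S104, the digest input is the business-parameter
    ciphertext plus the secret; key_ct and app_id are not part of it.
    """
    return hashlib.sha256(param_ct + secret).digest()


def build_request(app_id, param_ct, key_ct, secret):
    """Client side: sign (S104-S105), Base64-recode (S201), add AppID (S202)."""
    def b64(raw):
        return base64.b64encode(raw).decode("ascii")
    return {
        "app_id": app_id,
        "param_ct": b64(param_ct),
        "key_ct": b64(key_ct),
        "sign": b64(sign(param_ct, secret)),
    }


def verify_request(req, service):
    """Gateway side: returns "OK" or a (hypothetical) error code."""
    # S301: every request parameter must be present.
    if any(not req.get(name) for name in REQUIRED):
        return "ERR_MISSING_PARAM"
    # S302: look up the license issued to this AppID.
    lic = LICENSES.get(req["app_id"])
    if lic is None:
        return "ERR_UNKNOWN_APPID"
    # S303: license validity and service-calling authority.
    if not lic["valid"]:
        return "ERR_LICENSE_INVALID"
    if service not in lic["services"]:
        return "ERR_NO_PERMISSION"
    # Undo the Base64 recoding of S201 before recomputing the digest.
    try:
        param_ct = base64.b64decode(req["param_ct"], validate=True)
        claimed = base64.b64decode(req["sign"], validate=True)
    except (binascii.Error, ValueError):
        return "ERR_BAD_ENCODING"
    # S304: recompute the signature with the secret from the license.
    expected = sign(param_ct, lic["secret"])
    # S305: compare in constant time so the check does not leak how many
    # leading bytes of a guessed signature were correct.
    if not hmac.compare_digest(expected, claimed):
        return "ERR_BAD_SIGNATURE"
    return "OK"


def demo():
    """Run one accepted request and one modified in transit."""
    secret = LICENSES["app-001"]["secret"]
    good = build_request("app-001", b"constructed-param-ct",
                         b"constructed-key-ct", secret)
    altered = dict(good)
    altered["param_ct"] = base64.b64encode(b"altered-param-ct").decode("ascii")
    return verify_request(good, "pay.query"), verify_request(altered, "pay.query")


if __name__ == "__main__":
    print(demo())
```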
Specifically, as shown in fig. 5, the step S4 specifically includes the following steps:
S401: according to the RSA secret key corresponding to the RSA algorithm in the license, the RSA algorithm in the step S103 is applied, and the AES secret key ciphertext in the parameter is decrypted to obtain the AES secret key;
S402: decrypting by applying the generated AES secret key and the corresponding AES algorithm, and generating a service parameter plaintext after decryption;
S403: transmitting the decrypted service parameter plaintext to a transaction core of a server side, and acquiring response result data transmitted to the transaction core;
S404: encrypting the response result data by applying the AES secret key generated in the step S401 and the corresponding AES algorithm to generate ciphertext data of the response result data, and sending the ciphertext data to the client.
Based on the same technical concept, the present invention also provides a secure communication apparatus, as shown in fig. 6, comprising:
the generation module is used for calling an interface provided by the server at an interface calling party of the client to generate a secret key and an algorithm, respectively carrying out encryption operation on the business parameters and the secret key to generate corresponding business parameter ciphertext and secret key ciphertext, carrying out an obfuscation operation with a secret issued by the gateway, and carrying out a digest operation by applying the algorithm to generate signature data;
the coding module is used for performing character recoding on the ciphertext and the signature data to generate a new character string, sending the new character string and the AppID of the calling party as a request parameter to the server, calling the gateway interface and verifying the request parameter; each caller has an independent AppID;
the verification module is used for acquiring license data according to the AppID, verifying the validity and the service calling authority of the data, applying the algorithm in the generation module to obfuscate the secret in the license data with the ciphertext in the parameters to generate signature data, and comparing the signature data with the signature data generated in the generation module to verify the validity of the signature data;
the acquisition module is used for decrypting the ciphertext in the parameters to obtain a secret key, then carrying out secondary decryption to generate a plaintext and transmitting the plaintext to the transaction core, acquiring response result data, encrypting the response result data, and generating ciphertext data to be sent to the client;
and the decryption module is used for acquiring the ciphertext data of the response result at the client, and decrypting the ciphertext data by using the secret key and the algorithm generated in the generation module to generate plaintext data.
Specifically, as shown in fig. 7, the generating module includes:
the key generation module is used for calling an interface provided by the server side at an interface calling party of the client side to generate a key required by business operation;
the algorithm generating module is used for generating an algorithm required by the business operation according to the generated secret key;
the ciphertext generation module is used for generating a corresponding business parameter ciphertext after encrypting the character code of the business parameter to be encrypted by using the algorithm, and for carrying out encryption operation on the secret key by using the algorithm to generate a corresponding secret key ciphertext;
and the signature generation module is used for performing an obfuscation operation on the generated business parameter ciphertext and the secret issued by the gateway, performing a digest operation by applying a third algorithm, and generating signature data required by business operation.
Based on the same technical concept, the present invention further provides a mobile terminal for implementing the secure communication method. As shown in fig. 8, for convenience of description, only the portion related to the embodiment of the present invention is shown; for specific technical details that are not disclosed, please refer to the method portion of the embodiment of the present invention. The terminal may be any terminal device including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales), a vehicle-mounted computer, etc. The following takes a mobile phone as an example of the mobile terminal:
Fig. 8 is a block diagram illustrating a partial structure of a mobile phone related to a mobile terminal according to an embodiment of the present invention. Referring to fig. 8, the handset includes: baseband processing module 410, memory 420, input unit 430, display unit 440, sensor 450, audio circuit 460, Wireless Fidelity (WiFi) module 470, processor 480, and power supply 490. Those skilled in the art will appreciate that the handset configuration shown in fig. 8 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The baseband processing module 410 may be used to synthesize a baseband signal to be transmitted or decode a received baseband signal. Specifically, when transmitting, the audio signal is encoded into a baseband code for transmission; upon reception, the received baseband code is decoded into an audio signal. Meanwhile, the module is also responsible for encoding address information (mobile phone numbers, website addresses), text information (short message texts and website texts) and picture information (multimedia messages).
The memory 420 may be used to store software programs and modules, and the processor 480 executes various functional applications and data processing of the mobile phone by operating the software programs and modules stored in the memory 420. The memory 420 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 420 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 430 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone. Specifically, the input unit 430 may include a touch panel 431 and other input devices 432. The touch panel 431, also called a touch screen, may collect touch operations of a user on or near the touch panel 431 (e.g., operations of the user on or near the touch panel 431 using any suitable object or accessory such as a finger or a stylus) and drive the corresponding connection device according to a preset program. Alternatively, the touch panel 431 may include two parts: a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 480, and receives and executes commands sent from the processor 480. In addition, the touch panel 431 may be implemented in various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 430 may include other input devices 432 in addition to the touch panel 431. In particular, other input devices 432 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 440 may be used to display information input by the user or information provided to the user and various menus of the cellular phone. The display unit 440 may include a display panel 441, and optionally, the display panel 441 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch panel 431 may cover the display panel 441, and when the touch panel 431 detects a touch operation on or near the touch panel 431, the touch operation is transmitted to the processor 480 to determine the type of the touch event, and then the processor 480 provides a corresponding visual output on the display panel 441 according to the type of the touch event. Although in fig. 8, the touch panel 431 and the display panel 441 are two independent components to implement the input and output functions of the mobile phone, in some embodiments, the touch panel 431 and the display panel 441 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 450, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 441 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 441 and/or the backlight when the mobile phone is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.
The audio circuit 460, speaker 461, and microphone 462 may provide an audio interface between the user and the cell phone. The audio circuit 460 may transmit the electrical signal converted from the received audio data to the speaker 461, and convert the electrical signal into a sound signal for output by the speaker 461; on the other hand, the microphone 462 converts the collected sound signal into an electrical signal, which is received by the audio circuit 460 and converted into audio data, which is then processed by the audio data output processor 480 and then transmitted to, for example, another cellular phone via the RF circuit 410, or output to the memory 420 for further processing.
WiFi belongs to short-distance wireless transmission technology, and the mobile phone can help a user to receive and send e-mails, browse webpages, access streaming media and the like through the WiFi module 470, and provides wireless broadband Internet access for the user. Although fig. 8 shows the WiFi module 470, it is understood that it does not belong to the essential constitution of the handset, and can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 480 is a control center of the mobile phone, connects various parts of the entire mobile phone by using various interfaces and lines, and performs various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 420 and calling data stored in the memory 420, thereby integrally monitoring the mobile phone. Optionally, the processor 480 may include one or more processing units; in one embodiment, the processor 480 may integrate an application processor, which primarily handles operating systems, user interfaces, applications, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 480.
The handset also includes a power supply 490 (e.g., a battery) for powering the various components, which may be logically coupled to the processor 480 via a power management system in one embodiment, such that the power management system may be used to manage charging, discharging, and power consumption.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In the embodiment of the present invention, the processor 480 included in the terminal may execute the steps of the secure communication method in the above-described embodiment.
Based on the same technical concept, the present invention also provides a storage medium storing computer-readable instructions, which when executed by one or more processors, cause the one or more processors to perform the steps of the secure communication method in the above embodiments.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: Read-Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by hardware that is instructed to implement by a program, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above-mentioned embodiments only express some exemplary embodiments of the present invention, and the description thereof is more specific and detailed, but is not to be construed as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, all of which fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.