CN112637166B

Movatterモバイル変換

Info

Publication number: CN112637166B
Application number: CN202011476863.8A
Authority: CN
Inventors: 徐志文
Original assignee: Ping An Technology Shenzhen Co Ltd
Current assignee: Ping An Technology Shenzhen Co Ltd
Priority date: 2020-12-15
Filing date: 2020-12-15
Publication date: 2022-07-22
Anticipated expiration: 2040-12-15
Also published as: WO2022126980A1; CN112637166A

Abstract

The invention discloses a data transmission method, a data transmission device, a terminal and a storage medium, which are applied to a first client side, wherein the method comprises the following steps: loading a pre-configured asymmetric encryption algorithm table when plaintext data to be transmitted is detected; acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining the optimal asymmetric encryption algorithm based on the priority; detecting whether data communication among a plurality of internal chips is invaded or not, collecting a current face image for authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting private key data from a preset key database after the authentication is successful; encrypting plaintext data based on an optimal asymmetric encryption algorithm and private key data to generate ciphertext data; and sending the ciphertext data to the second client through a pre-established data sharing network. By adopting the embodiment of the application, the data transmission method and the data transmission device, the data transmission can be prevented from being tampered, and the risk of data leakage is reduced. Meanwhile, the invention is also suitable for the block chain technology.

Description

Data transmission method, device, terminal and storage medium

Technical Field

The present invention relates to the field of information security, and in particular, to a data transmission method, apparatus, terminal, and storage medium.

Background

Data encryption transmission is an important technology in the field of data security, and with the advent of the big data era, the data security problem is more and more emphasized by people, especially in the financial field, for example: sensitive information of a client, access authority of a financial information system, encryption of transaction quantitative sensitive information and the like. The leakage of sensitive information can not only cause loss to the operation of enterprises, but also influence the reputation of the enterprises, so that the encryption and the quick transmission of sensitive data are very important in the modern internet industry, particularly the financial insurance industry.

In the existing data transmission, the data transmission method mainly comprises the steps that a transmitter and a receiver jointly establish a data transmission secure channel, and the transmitter and the receiver perform data exchange processing operation in the secure channel to ensure the data security.

Disclosure of Invention

Based on this, it is necessary to provide a data transmission method, an apparatus, a terminal, and a storage medium for solving the problem that there may be a risk of tampering in the data transmission process.

A data transmission method is applied to a first client, and comprises the following steps: when plaintext data to be transmitted is detected, loading a pre-configured asymmetric encryption algorithm table; acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining the optimal asymmetric encryption algorithm based on the high-low sequence of the priority; detecting whether data communication among a plurality of internal chips is invaded, collecting a current face image to carry out authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting private key data from a preset key database after the authentication is successful; encrypting the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data; and sending the ciphertext data to a second client through a pre-established data sharing network.

In one embodiment, the obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining an optimal asymmetric encryption algorithm based on the high-low order of the priority includes: analyzing the plaintext data to be transmitted, and determining the security level of the plaintext data to be transmitted; and acquiring the asymmetric encryption algorithm corresponding to the current moment from the asymmetric encryption algorithm table based on the security level.

In one embodiment, detecting plaintext data to be transmitted comprises: when the transmission mode of the plaintext data to be transmitted is detected to be a hardware mode, acquiring the plaintext data to be transmitted in real time through a flow probe; or when the transmission mode of the plaintext data to be transmitted is detected to be a software mode, acquiring the message information generated currently in real time through an application programming interface; analyzing the message information, and searching whether an encryption identifier exists in the analyzed message information or not; and when the encrypted identifier exists in the analyzed message information, acquiring plaintext data to be transmitted corresponding to the encrypted identifier from the message information.

In one embodiment, obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table includes: acquiring set time indicated by each asymmetric encryption algorithm in the asymmetric encryption algorithm table; and determining the priority of each asymmetric encryption algorithm based on the time length from the set time indicated by each asymmetric encryption algorithm to the current time.

In one embodiment, obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table includes: acquiring the use frequency of each asymmetric encryption algorithm in the asymmetric encryption algorithm table; and determining the priority of each asymmetric encryption algorithm based on the use frequency of each asymmetric encryption algorithm.

In one embodiment, the method further comprises: when a response of the second client to the ciphertext data sent by the first client is received, acquiring the ciphertext data sent by the second client to the first client; acquiring a public key of the second client, decrypting the ciphertext data sent by the second client aiming at the first client based on the public key of the second client, and obtaining decrypted data after the decryption is successful; and secondarily decrypting the decrypted data based on the extracted private key data to generate plaintext data.

A data transmission method is applied to a second client side, and comprises the following steps: when a data access request sent by a first client aiming at a second client is received, acquiring ciphertext data sent by the first client aiming at the second client; acquiring a public key of the first client, decrypting the ciphertext data based on the public key of the first client, and generating plaintext data after decryption is successful; acquiring data information required by a first client based on the plaintext data, and loading an asymmetric encryption algorithm table; determining the security level corresponding to the data information required by the first client; acquiring an asymmetric encryption algorithm corresponding to the current moment from the asymmetric encryption algorithm table based on the security level; encrypting the data information required by the first client based on the public key of the first client and the asymmetric encryption algorithm corresponding to the current moment to generate encrypted data information; detecting whether data communication among a plurality of internal chips is invaded or not, collecting a current face image for authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting second private key data from a preset key database after the authority authentication is successful; encrypting the encrypted data information again based on the second private key data and the asymmetric encryption algorithm corresponding to the current moment to generate ciphertext data after secondary encryption; and responding the encrypted ciphertext data subjected to the secondary encryption to the first client through a pre-established data sharing network.

A data transmission device is applied to a first client, and comprises: the device comprises a to-be-transmitted data detection module, a data transmission module and a data transmission module, wherein the to-be-transmitted data detection module is used for loading a pre-configured asymmetric encryption algorithm table when plaintext data to be transmitted is detected; the optimal asymmetric encryption algorithm determining module is used for acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table and determining the optimal asymmetric encryption algorithm based on the high-low sequence of the priority; the private key data extraction module is used for detecting whether data communication among a plurality of chips in the private key data extraction module is invaded, collecting a current face image for authority authentication when the data communication is not invaded, and extracting private key data from a preset key database after the authentication is successful; the data encryption module is used for encrypting the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data; and the ciphertext data sending module is used for sending the ciphertext data to a second client through a pre-established data sharing network.

A terminal comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to perform the steps of the above-described data transmission method.

A storage medium having stored thereon computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the above-described data transmission method.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.

Fig. 1 is a diagram of an implementation environment of a data transmission method provided in an embodiment of the present application;

fig. 2 is a schematic diagram of an internal structure of a terminal according to an embodiment of the present application;

fig. 3 is a schematic diagram of a data transmission method provided in an embodiment of the present application;

fig. 4 is a schematic diagram of another data transmission method provided in an embodiment of the present application;

fig. 5 is a schematic device diagram of a data transmission device according to an embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

It will be understood that, as used herein, the terms "first," "second," and the like may be used herein to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one element from another.

Fig. 1 is a diagram of an implementation environment of a data transmission method provided in an embodiment, as shown in fig. 1, in the implementation environment, including afirst client 110 and asecond client 120.

Thefirst client 110 is a computer device, for example, a computer device for encrypting sensitive data to be transmitted, and the data encryption tool is installed on thefirst client 110. Thesecond client 120 is installed with an application that needs to perform operations such as decryption on data corresponding to a task to be transmitted, when data encryption is needed, sensitive data to be transmitted can be subjected to data encryption at thefirst client 110, thefirst client 110 detects plaintext data to be transmitted, and thefirst client 110 loads a preconfigured asymmetric encryption algorithm table when detecting that the plaintext data to be transmitted exists; thefirst client 110 obtains the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and thefirst client 110 determines the optimal asymmetric encryption algorithm based on the high-low order of the priority; thefirst client 110 detects whether data communication among a plurality of internal chips is invaded, acquires a current face image to carry out authority authentication when the data communication is not invaded, and extracts private key data from a preset key database after the authentication is successful; thefirst client 110 encrypts the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data; thefirst client 110 sends the ciphertext data to thesecond client 120 through a pre-established data sharing network.

When receiving a data access request sent by a first client to a second client, thesecond client 120 acquires ciphertext data sent to the second client; thesecond client 120 acquires the public key of the first client, decrypts the ciphertext data based on the public key of the first client, and generates plaintext data after decryption is successful; thesecond client 120 acquires data information required by the first client based on plaintext data, and determines an optimal asymmetric encryption algorithm based on the priority order of the asymmetric encryption algorithms in the asymmetric encryption algorithm table; thesecond client 120 encrypts the data information required by the first client based on the public key of the first client and the optimal asymmetric encryption algorithm to generate encrypted data information; thesecond client 120 detects whether data communication among a plurality of internal chips is invaded, acquires a current face image for authority authentication when the data communication is not invaded, and extracts private key data from a preset key database after the authentication is successful; thesecond client 120 encrypts the encrypted data information again based on the private key data and the optimal asymmetric encryption algorithm to generate secondarily encrypted data information; thesecond client 120 responds the secondarily encrypted data information to thefirst client 110 through a pre-established data sharing network.

When thefirst client 110 receives a data response sent by the second client to the first client, thefirst client 110 obtains ciphertext data sent to the first client; thefirst client 110 obtains the public key of the second client, decrypts the ciphertext data sent by the first client based on the public key of the second client, and obtains decrypted data after the decryption is successful; thefirst client 110 decrypts the decrypted data twice based on the extracted private key data, and generates plaintext data.

It should be noted that theclient 120 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, and the like, but is not limited thereto. Theserver 110 and theclient 120 may be connected through bluetooth, USB (Universal Serial Bus), or other communication connection manners, which is not limited herein.

Fig. 2 is a schematic diagram of an internal structure of the terminal in one embodiment. As shown in fig. 2, the terminal includes a processor, a nonvolatile storage medium, a memory, and a network interface, which are connected through a system bus. The non-volatile storage medium of the terminal stores an operating system, a database and computer readable instructions, the database can store control information sequences, and the computer readable instructions can enable the processor to realize a data transmission method when being executed by the processor. The processor of the terminal is used to provide computing and control capabilities to support the operation of the entire terminal. The memory of the terminal may have stored therein computer readable instructions that, when executed by the processor, may cause the processor to perform a data transmission method. The network interface of the terminal is used for connecting and communicating with the terminal. Those skilled in the art will appreciate that the configuration shown in fig. 2 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation on the terminal to which the present application is applied, and that a particular terminal may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

The data transmission method provided in the embodiments of the present application will be described in detail below with reference to fig. 3 to fig. 4. The method may be implemented in dependence on a computer program, operable on a data transmission device based on the von neumann architecture. The computer program may be integrated into the application or may run as a separate tool-like application.

Referring to fig. 3, a schematic flow chart of a data transmission method applied to a first client is provided in the embodiment of the present application. As shown in fig. 3, the method of the embodiment of the present application may include the following steps:

s101, when plaintext data to be transmitted is detected to exist, loading a pre-configured asymmetric encryption algorithm table;

generally, when a plurality of clients perform data transmission, the data sharing network is pre-established, and the data sharing network can be regarded as an internally established local area network, and the network only provides data transmission service for the clients which successfully join the data sharing network. The data sharing network can also be regarded as an intranet of a company, only provides network transmission service for the client of the company, other external clients cannot access the host added into the data sharing network, the establishment of the data sharing network can guarantee the security of the host inside the company, and meanwhile, data transmission among all hosts of the company can be monitored, so that the security level of the data of the company is further improved.

Further, the shared network is in communication connection with a blockchain network deployed by the cloud service, and the blockchain stores a private key for data encryption of the current host. The private key is stored in the block chain network, so that the security of the private key can be further improved.

Further, after the data sharing network is established, after the plurality of hosts join the data sharing network, the plurality of hosts can perform data transmission based on the network.

In the embodiment of the present application, the preconfigured asymmetric cryptographic algorithm table is an asymmetric cryptographic algorithm library set by an administrator, the asymmetric cryptographic algorithm library stores a plurality of different asymmetric cryptographic algorithms, and each of the plurality of different asymmetric cryptographic algorithms has a priority. When the client encrypts the plaintext data, the encryption algorithm can be acquired from the asymmetric encryption algorithm library for encryption. Because the asymmetric encryption algorithm library is managed by an administrator, the asymmetric encryption algorithms in the asymmetric encryption algorithm library can be updated in real time along with the change of time. When the operations such as adding, deleting, modifying, checking and the like are performed on the algorithms in the asymmetric encryption algorithm library, the parameter information is recorded corresponding to the operation time, the operation times and the like.

In a possible implementation manner, when two clients in a data sharing network are added to perform data transmission, the clients detect whether plaintext data to be transmitted exists in real time, the detection manner can be a hardware detection manner or a software detection manner, for example, the hardware detection manner can be detection by a flow probe, the software detection manner can be detection by a manner of detecting an identifier in a message, when plaintext data to be transmitted is detected, the clients are connected with a pre-created asymmetric encryption algorithm library, and a pre-configured asymmetric encryption algorithm table is loaded from the asymmetric encryption algorithm library.

Further, when detecting whether plaintext data to be transmitted exists or not in a software detection mode, all message data generated by a current client are acquired in real time, the message data comprise a data encryption instruction generated by a user through a key, and the instruction comprises an identifier set in advance in a software system, for example, the identifier of the data encryption instruction is 'encryption'. When a user generates a data encryption instruction through a client key, a message in the instruction is in a form of plaintext data plus an identifier, and the plaintext data is detected by the identifier when the message is found to have the identifier.

S102, acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining the optimal asymmetric encryption algorithm based on the high-low sequence of the priority;

generally, the priority of each asymmetric encryption algorithm is preset by an administrator, and the setting of the priority can be defined in various ways.

For example, in a possible implementation manner, the client first obtains algorithm setting time indicated by each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and then determines the priority of each encryption algorithm based on the time length from the algorithm setting time to the current time. In a possible implementation manner, the priority of each algorithm in the preset algorithm table is determined according to the set time, namely the shorter the set time is, the algorithm is added newly, and the newly added algorithm indicates that the encryption strength is higher.

Specifically, when the priority order of each algorithm in the algorithm table is determined, the setting time of each encryption algorithm in the encryption algorithm table is firstly obtained, the time interval set by each algorithm is obtained by making a difference between the setting time and the current time, and the encryption algorithm with the minimum time interval is selected as the most optimal encryption algorithm to perform encryption operation. The optimal encryption algorithm is selected by calculating the set time of each algorithm in the encryption algorithm table, so that the encryption strength is guaranteed to be higher.

For example, in another possible implementation manner, the client first obtains the use frequency of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and finally determines the priority of each asymmetric encryption algorithm based on the use frequency of each asymmetric encryption algorithm. In another possible implementation manner, the application defines that the determination of the priority of the algorithm is determined according to the frequency of use, and the less frequency of use of the algorithm indicates that the algorithm is not cracked less risk, i.e. the encryption strength of the encryption algorithm is higher.

Specifically, when the priority order of each encryption algorithm in the encryption algorithm table is determined, the use frequency of each encryption algorithm in the encryption algorithm table is firstly obtained, the encryption algorithm with the minimum use frequency is determined according to the use frequency data of each encryption algorithm, and finally the encryption algorithm with the minimum use frequency is determined as the current optimal encryption algorithm. According to the method and the device, the optimal encryption algorithm is selected according to the using frequency of each algorithm in the encryption algorithm table, and the higher encryption strength is guaranteed.

It should be noted that the priority may also be set according to other manners, which is not described herein again.

S103, detecting whether data communication among a plurality of internal chips is invaded, collecting a current face image for authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting private key data from a preset key database after the authority authentication is successful;

generally, the internal multiple chips are communication chip devices used in data transmission in the data sharing network, and the internal multiple communication chips are detected to determine whether the current data sharing network is invaded by external intrusion, for example, an attack initiated by an external computer device for obtaining a private key stored in the computer device in the data sharing network, so that the data transmission can be stopped in time and the security of the data transmission can be ensured when the private key stored in the computer device in the data sharing network is leaked.

Specifically, when detecting whether data communication among a plurality of internal chips is invaded, two-way non-homogeneous communication modes among a plurality of communication chips in a shared data network are generally subjected to protocol analysis, comparison and analysis processing, if the communication data volume is the same as the communication data content, invasion is considered to be not suffered, and if the communication data volume is different from the communication data content, invasion is considered to be suffered.

The method comprises the steps of detecting whether computer equipment in a data sharing network is implanted with viruses or not, acquiring private key file data stored in the computer equipment in a virus implantation mode, wherein the virus implantation mode comprises self-checking and/or checking by a third-party trusted security company, the self-checking checks the capacity of a program storage area of the self-checking, when the capacity is increased, a newly added program file is searched in a traversal mode, parameters carried by the program file are analyzed, and when the analyzed parameters are unidentified parameter information, early warning is carried out, and the program is automatically deleted.

Further, when the intrusion is not found, the face image of the current user is collected through a camera of the current computer equipment to be encrypted for identification, after the identification passes the authority verification, the computer equipment is connected with the block chain network through the data sharing network, the current user information is sent to the block chain network for re-authentication, and after the authentication is successful, the block chain network responds the private key of the current computer equipment to the computer equipment through the sharing network, is connected with a database for storing the key file, and automatically acquires the private key data in the key file.

By checking whether the current shared data network is invaded, whether viruses exist in the current computer equipment, and whether the current user is a person with authority. When the three kinds of verification pass, the computer equipment can be connected with the key database to obtain the private key, the security during data transmission is further guaranteed by the mode, and data is prevented from being hijacked and tampered by people in the transmission process due to the fact that the private key is leaked.

S104, encrypting the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data;

in a possible implementation manner, after the optimal asymmetric encryption algorithm is obtained based on step S102 and the private key data is obtained according to step S103, the plaintext data and the private key data to be transmitted are input into the optimal asymmetric encryption algorithm for encryption, and after the encryption is finished, ciphertext data is generated.

For example, a is plaintext data to be transmitted, and a is encrypted by an asymmetric encryption algorithm and a public key ek to obtain a ciphertext s ═ Eek (a), where Eek () is a public key encryption operation of the asymmetric encryption algorithm.

The asymmetric encryption Algorithm in the asymmetric encryption Algorithm table used in the embodiment of the present application may include a Hash Algorithm, an MD5(Message Digest Algorithm 5) Algorithm, a sha (secure Hash Algorithm) Algorithm, and the like, and preferably, during encryption, if the optimal asymmetric encryption Algorithm is RSA, 1024-bit private key numbers are preferably used, if the optimal asymmetric encryption Algorithm is ECC, 160-bit private keys are preferably used, and if the optimal asymmetric encryption Algorithm is AES, 128-bit private key data are preferably used.

And S105, sending the ciphertext data to a second client through a pre-established data sharing network.

Typically, the second client is a client that receives the ciphertext data.

For example, if the host a needs to query a certain data on the host B, the host a first encrypts the data to be queried into a through its own private key, and the host a sends a to the host B.

Further, step S102 further includes: the optimal encryption algorithm can be selected by calculating the data volume of the plaintext data to be encrypted, and the encryption algorithm can also be selected by the data importance degree of the data to be encrypted, and the encryption algorithm is specifically determined according to the actual data information to be transmitted, which is not limited here.

Further, in step S103, the key database generation method includes: the current computer equipment can generate private keys with different digits according to a plurality of set modes, then generate public key data according to the private key data with different digits, and finally send the generated private keys with different digits and the public keys corresponding to the private keys with different digits to a key database for storage. The method for generating the private key includes not only generating the private key by generating a random number, but also generating the private key by a current time plus the random number, and the specific generation method can be set by itself according to an actual application scenario and is not limited here.

Further, in order to ensure faster data transmission and save time, the encrypted data can be optimized by compression, and the currently commonly used algorithm is to transmit changed data items and ignore unchanged data items. When the amount of data variation is not large, the number of transmitted redundant bits is large, which results in a slow transmission speed. Thus, the variable bit and the non-variable bit are clearly separated, and compression is performed on a bit-by-bit level, so that an extremely high compression rate can be achieved even with an extremely simple run-length encoding compression algorithm.

Further, a data transmission method of the TCP/IP protocol is preferable in data transmission.

Further, when a data response sent by a second client to a first client is received, firstly ciphertext data sent to the first client is obtained, then a public key of the second client is obtained, the ciphertext data sent to the first client is decrypted based on the public key of the second client, decrypted data is obtained after the decryption is successful, and finally the decrypted data is decrypted for the second time based on the extracted private key data to generate plaintext data.

In the embodiment of the application, a first client side loads a pre-configured asymmetric encryption algorithm table when plaintext data to be transmitted is detected to exist, the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table is obtained, an optimal asymmetric encryption algorithm is determined based on the sequence of the priority, whether data communication among a plurality of chips in the first client side is invaded or not is detected, a current face image is collected to conduct authority authentication when the data communication is not invaded, private key data are extracted from a preset key database after the authentication is successful, the plaintext data to be transmitted are encrypted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data, and the ciphertext data are transmitted to a second client side through a pre-established data sharing network. According to the method and the device, the optimal asymmetric encryption algorithm is selected from the preset asymmetric encryption algorithm table according to the priority level and the data is encrypted and decrypted by combining the prestored asymmetric encryption public key and private key file during data transmission, so that the data can be prevented from being tampered in the data transmission process, and the possibility of data leakage is further reduced.

Referring to fig. 4, a schematic flow chart of a data transmission method applied to a first client is provided in the embodiment of the present application. As shown in fig. 4, the method of the embodiment of the present application may include the following steps:

s201, when a data access request sent by a first client aiming at a second client is received, acquiring ciphertext data sent by the first client aiming at the second client;

s202, acquiring a public key of the first client, decrypting the ciphertext data based on the public key of the first client, and generating plaintext data after decryption is successful;

s203, determining a security level corresponding to the data information required by the first client, and acquiring an asymmetric encryption algorithm corresponding to the current moment from the asymmetric encryption algorithm table based on the security level;

s204, encrypting the data information required by the first client based on the public key of the first client and the asymmetric encryption algorithm corresponding to the current moment to generate encrypted data information;

s205, detecting whether data communication among a plurality of internal chips is invaded, collecting a current face image to carry out authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting second private key data from a preset key database after the authentication is successful;

s206, encrypting the encrypted data information again based on the second private key data and the asymmetric encryption algorithm corresponding to the current moment to generate ciphertext data after secondary encryption;

and S207, responding the encrypted ciphertext data subjected to the secondary encryption to the first client through a pre-established data sharing network.

In the embodiment of the application, a first client loads a preconfigured asymmetric encryption algorithm table when plaintext data to be transmitted is detected to exist, the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table is obtained, an optimal asymmetric encryption algorithm is determined based on the priority sequence, whether data communication among a plurality of chips in the first client is invaded or not is detected, a current face image is collected to perform authority authentication when the data communication is not invaded, private key data is extracted from a preset key database after the authentication is successful, the plaintext data to be transmitted is encrypted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data, and the ciphertext data is transmitted to a second client through a pre-established data sharing network. According to the method and the device, the optimal asymmetric encryption algorithm is selected from the preset asymmetric encryption algorithm table according to the priority level and the data is encrypted and decrypted by combining the prestored asymmetric encryption public key and private key file during data transmission, so that the data can be prevented from being tampered in the data transmission process, and the possibility of data leakage is further reduced.

The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.

Referring to fig. 5, a schematic structural diagram of a data transmission apparatus according to an exemplary embodiment of the present invention is shown, which is applied to a first client. The data transmission system may be implemented as all or part of a terminal, in software, hardware or a combination of both. Thedevice 1 comprises adata detection module 10 to be transmitted, an optimal asymmetric encryptionalgorithm determination module 20, a private keydata extraction module 30, adata encryption module 40 and a ciphertextdata sending module 50.

The data transmission device comprises a to-be-transmitteddata detection module 10, a data transmission module and a data transmission module, wherein the to-be-transmitted data detection module is used for loading a pre-configured asymmetric encryption algorithm table when plaintext data to be transmitted is detected to exist;

an optimal asymmetric encryptionalgorithm determining module 20, configured to obtain priorities of the asymmetric encryption algorithms in the asymmetric encryption algorithm table, and determine an optimal asymmetric encryption algorithm based on a high-low order of the priorities;

the private keydata extraction module 30 is used for detecting whether data communication among a plurality of chips in the private key data extraction module is invaded, collecting a current face image for authority authentication when the data communication is not invaded, and extracting private key data from a preset private key database after the authentication is successful;

thedata encryption module 40 is configured to encrypt the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data;

and the ciphertextdata sending module 50 is configured to send the ciphertext data to the second client through a pre-established data sharing network.

It should be noted that, when the data transmission system provided in the foregoing embodiment executes the data transmission method, only the division of each functional module is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the data transmission system and the data transmission method provided by the above embodiments belong to the same concept, and details of implementation processes thereof are referred to in the method embodiments and are not described herein again.

The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.

In one embodiment, when the first client executed by the processor detects plaintext data to be transmitted, the following steps are further executed: the first client connects to a pre-created data sharing network.

In one embodiment, when the processor detects plaintext data to be transmitted, the following steps are specifically performed: when the mode of detecting the plaintext data to be transmitted is a hardware mode, the first client acquires the plaintext data to be transmitted in real time through a flow probe; or when the mode of detecting the plaintext data to be transmitted is a software mode, acquiring the message information generated currently in real time through an application programming interface; analyzing the message information, and searching for an encryption identifier in the analyzed message information; and when the encryption identifier exists, acquiring plaintext data to be transmitted corresponding to the encryption identifier.

In one embodiment, when the processor executes the first client to obtain the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, the following steps are specifically executed: the first client acquires the set time indicated by each asymmetric encryption algorithm in the asymmetric encryption algorithm table; and determining the priority of each asymmetric encryption algorithm based on the time length from the set time to the current time.

In one embodiment, when the processor executes the first client to obtain the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, the following steps are specifically executed: the first client acquires the use frequency of each asymmetric encryption algorithm in the asymmetric encryption algorithm table; the priority of each asymmetric encryption algorithm is determined based on the frequency of use of each asymmetric encryption algorithm.

In one embodiment, when the processor detects plaintext data to be transmitted, the following steps are specifically performed: when the mode of detecting the plaintext data to be transmitted is a hardware mode, the first client acquires the plaintext data to be transmitted in real time through a flow probe; or when the mode of detecting the plaintext data to be transmitted is a software mode, acquiring the message information generated currently in real time through an application programming interface; analyzing the message information, and searching the encrypted identifier in the analyzed message information; and when the encryption identifier exists, acquiring the plaintext data to be transmitted corresponding to the encryption identifier.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program, which may be stored in a computer readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-Only Memory (ROM), or a Random Access Memory (RAM).

All possible combinations of the technical features in the above embodiments may not be described for the sake of brevity, but should be considered as being within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.

The above examples only show several embodiments of the present invention, and the description thereof is specific and detailed, but not to be construed as limiting the scope of the present invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims

1. A data transmission method is applied to a first client, and is characterized in that the method comprises the following steps:

when plaintext data to be transmitted is detected, loading a pre-configured asymmetric encryption algorithm table;

acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining the optimal asymmetric encryption algorithm based on the high-low sequence of the priority;

detecting whether data communication among a plurality of internal chips is invaded or not, collecting a current face image for authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting private key data from a preset key database after the authentication is successful;

encrypting the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data;

sending the ciphertext data to a second client through a pre-established data sharing network; wherein,

the data sharing network is in communication connection with a block chain network, and the private key data is stored in the block chain network;

the method further comprises the following steps:

when a response of the second client to the ciphertext data sent by the first client is received, acquiring the ciphertext data sent by the second client to the first client;

acquiring a public key of the second client, decrypting the ciphertext data sent by the second client aiming at the first client based on the public key of the second client, and obtaining decrypted data after the decryption is successful;

and secondarily decrypting the decrypted data based on the extracted private key data to generate plaintext data.

2. The method according to claim 1, wherein the obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table, and determining the optimal asymmetric encryption algorithm based on the high-low order of the priority comprises:

analyzing the plaintext data to be transmitted, and determining the security level of the plaintext data to be transmitted;

and acquiring the asymmetric encryption algorithm corresponding to the current moment from the asymmetric encryption algorithm table based on the security level.

3. The method according to claim 1, wherein the manner of detecting the plaintext data to be transmitted comprises hardware detection or software detection;

detecting the plaintext data to be transmitted, including:

when the transmission mode of the plaintext data to be transmitted is detected to be a hardware mode, acquiring the plaintext data to be transmitted in real time through a flow probe; or alternatively

When detecting that the transmission mode of the plaintext data to be transmitted is a software mode, acquiring currently generated message information in real time through an application programming interface;

analyzing the message information, and searching whether an encryption identifier exists in the analyzed message information or not;

and when the encrypted identifier exists in the analyzed message information, acquiring plaintext data to be transmitted corresponding to the encrypted identifier from the message information.

4. The method of claim 1, wherein obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table comprises:

acquiring the set time indicated by each asymmetric encryption algorithm in the asymmetric encryption algorithm table;

and determining the priority of each asymmetric encryption algorithm based on the time length from the set time indicated by each asymmetric encryption algorithm to the current time.

5. The method of claim 1, wherein obtaining the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table comprises:

acquiring the use frequency of each asymmetric encryption algorithm in the asymmetric encryption algorithm table;

determining the priority of each asymmetric encryption algorithm based on the using frequency of each asymmetric encryption algorithm.

6. A data transmission method applied to a second client, the method comprising:

when a data access request sent by a first client aiming at a second client is received, acquiring ciphertext data sent by the first client aiming at the second client;

acquiring a public key of the first client, decrypting the ciphertext data based on the public key of the first client, and generating plaintext data after decryption is successful;

acquiring data information required by a first client based on the plaintext data, and loading an asymmetric encryption algorithm table;

determining a security level corresponding to the data information required by the first client;

acquiring an asymmetric encryption algorithm corresponding to the current moment from the asymmetric encryption algorithm table based on the security level;

encrypting the data information required by the first client based on the public key of the first client and the asymmetric encryption algorithm corresponding to the current moment to generate encrypted data information;

detecting whether data communication among a plurality of internal chips is invaded or not, collecting a current face image for authority authentication when the data communication among the plurality of internal chips is not invaded, and extracting second private key data from a preset key database after the authority authentication is successful;

encrypting the encrypted data information again based on the second private key data and the asymmetric encryption algorithm corresponding to the current moment to generate ciphertext data after secondary encryption;

responding the encrypted ciphertext data subjected to the secondary encryption to a first client through a pre-established data sharing network; wherein,

the data sharing network is in communication connection with the block chain network, and the private key data is stored in the block chain network.

7. A data transmission apparatus, applied to a first client, the apparatus comprising:

the device comprises a to-be-transmitted data detection module, a data transmission module and a data transmission module, wherein the to-be-transmitted data detection module is used for loading a pre-configured asymmetric encryption algorithm table when plaintext data to be transmitted is detected;

the optimal asymmetric encryption algorithm determining module is used for acquiring the priority of each asymmetric encryption algorithm in the asymmetric encryption algorithm table and determining the optimal asymmetric encryption algorithm based on the high-low sequence of the priority;

the private key data extraction module is used for detecting whether data communication among a plurality of chips in the private key data extraction module is invaded, collecting a current face image for authority authentication when the data communication is not invaded, and extracting private key data from a preset key database after the authentication is successful;

the data encryption module is used for encrypting the plaintext data to be transmitted based on the optimal asymmetric encryption algorithm and the private key data to generate ciphertext data;

the ciphertext data sending module is used for sending the ciphertext data to a second client through a pre-established data sharing network; wherein,

the apparatus is further specifically configured to:

acquiring a public key of the second client, decrypting the ciphertext data sent by the second client aiming at the first client on the basis of the public key of the second client, and obtaining decrypted data after the decryption is successful;

8. A terminal comprising a memory and a processor, the memory having stored therein computer readable instructions which, when executed by the processor, cause the processor to carry out the steps of the data transmission method according to any one of claims 1 to 6.

9. A storage medium having computer-readable instructions stored thereon which, when executed by one or more processors, cause the one or more processors to perform the steps of data transmission according to any one of claims 1 to 6.