CN114095156B - Data protection method for rail transit mobile terminal - Google Patents
Data protection method for rail transit mobile terminalDownload PDFInfo
- Publication number
- CN114095156B CN114095156BCN202111244907.9ACN202111244907ACN114095156BCN 114095156 BCN114095156 BCN 114095156BCN 202111244907 ACN202111244907 ACN 202111244907ACN 114095156 BCN114095156 BCN 114095156B
- Authority
- CN
- China
- Prior art keywords
- data
- mobile terminal
- key
- encryption
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034methodMethods0.000titleclaimsabstractdescription39
- 230000008569processEffects0.000claimsabstractdescription12
- 238000012423maintenanceMethods0.000claimsdescription16
- 238000012795verificationMethods0.000claimsdescription15
- 230000008676importEffects0.000claimsdescription6
- 238000013500data storageMethods0.000claimsdescription4
- 230000002457bidirectional effectEffects0.000claimsdescription3
- 238000004364calculation methodMethods0.000claimsdescription3
- 230000002452interceptive effectEffects0.000claimsdescription3
- 238000012216screeningMethods0.000claimsdescription3
- 238000005336crackingMethods0.000abstractdescription2
- 230000007246mechanismEffects0.000abstractdescription2
- 230000005540biological transmissionEffects0.000description7
- 238000004891communicationMethods0.000description3
- 238000010586diagramMethods0.000description3
- 238000005516engineering processMethods0.000description3
- 238000007405data analysisMethods0.000description1
- 230000007547defectEffects0.000description1
- 238000011161developmentMethods0.000description1
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
Technical Field
The invention relates to the technical field of rail transit data protection, in particular to a method for protecting data of a rail transit mobile terminal.
Background
With the development of urban smart subways, mobile technology in rail transit is also increasingly widely applied, such as mobile terminal equipment used in intelligent operation and maintenance and intelligent operation and maintenance APP application programs developed on the mobile terminal equipment, and the mobile terminal equipment exchanges data with internet connection in real time.
In the intelligent operation and maintenance APP, the data on the mobile terminal equipment needs to be stored safely, and meanwhile, the data also needs to be transmitted back to the background server for data analysis, and the data storage of the mobile application adopts an encryption mode which is the safest method, but because the open wireless network communication is used during data back transmission, the safe call between the mobile terminal equipment and the hardware encryption machine cannot be realized.
Namely, under the use environment of the mobile terminal device, the data of the intelligent operation and maintenance APP application program is stored in a plaintext mode, and the mobile terminal device and the server side interact through a public or wireless network, and in this case, the user is worried about whether the data of the user are safely protected, are used or modified by unauthorized parties and are illegally leaked. Therefore, for the safety consideration, a typical technical solution in the prior art is to use an encryption technology to encrypt and store data, and transmit back a copy to a server to store the encrypted data and a password, namely, develop a software encryption and decryption module in a mobile terminal device, and use the encryption and decryption module to encrypt and transmit back the data, however, the rail transit operation data is very easy to be stolen or tampered by an attacker in the transmission process of the public network with higher network security risk, once the data is hijacked and tampered, important operation data of the rail transit operation system is leaked, and the operation security of the rail transit system is further affected.
Therefore, when the mobile terminal device is adopted to transmit the rail transit data in the public network, the public network needs to be ensured by an encryption technology with good anti-hijacking and anti-decoding functions.
Disclosure of Invention
The invention aims at solving the problem of insufficient safety in the process of data transmission in the public network of the existing mobile terminal equipment, and provides a data protection method which optimizes encryption and decryption processes in the process of storing and transmitting mobile application data, adopts a one-machine-one-encryption mechanism when data of a plurality of mobile terminals are transmitted back to a server, namely, realizes that one mobile terminal uses a pair of public and private keys of the mobile terminal and a public key of the server, greatly improves the difficulty of acquiring and cracking the secret key, stores and transmits back the mobile application data of rail transit through selecting a domestic encryption algorithm and ensures the safety of the mobile application data.
The invention aims at realizing the following technical scheme:
a data protection method of a rail transit mobile terminal comprises the following steps:
the method comprises the steps of running a server side, running a server side program of an intelligent operation and maintenance APP application program, collecting various track traffic operation data, calling an encryption platform to generate a random symmetric key, encrypting the track traffic operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and storing the encrypted track traffic operation data in a local database, meanwhile, calculating an abstract of a client side program of the intelligent operation and maintenance APP application program by using an SM3 in the domestic encryption algorithm by the server side, storing the abstract by the server side, and then publishing the client side program to mobile terminal equipment by the server side.
In the operation step of the server side, the encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation flow to generate the random symmetric key.
A mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment and encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, then carrying out copyright verification on the client program, and carrying out copyright verification so as to complete mutual trust authentication between the mobile terminal equipment and the server, thereby preventing the secondary packaged village APP from stealing data;
later, in the mobile terminal initializing step, one-machine-one-secret key initialization is completed, and the method specifically comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
In this process, pk_app is randomly generated by mobile terminals, and is unique in that each mobile terminal uses a different pk_app, while pk_essc is also generated for ID information of the mobile terminals, each mobile terminal uses a different pk_essc. The process thus completes one-machine-one-secret key initialization.
Preferably, in the mobile terminal initializing step, the performing the authentication on the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data and operation log.
More specifically, in the mobile terminal operation step, after receiving encrypted rail transit operation data of the server, the mobile terminal device performs integrity verification by using a domestic encryption algorithm, decrypts a random key by using an asymmetric encryption algorithm SM2 to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server terminal classifies the new operation data and establishes a table for encryption storage, and specifically includes the following steps:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.
Compared with the prior art, the scheme has the following technical advantages:
the invention adopts the domestic encryption algorithm to safely store the data at the mobile terminal and the server terminal which are provided with the APP special for rail transit operation, calculates the abstract by using the SM3 based on the domestic encryption algorithm and completes the legal verification of the APP when the APP of the mobile terminal is initialized, thereby achieving the aims of resisting replay attack and resisting unauthorized user access.
After authentication is completed between the mobile terminal provided with the APP special for rail traffic operation and the service end of the rail traffic operation system, the mobile terminal randomly generates a pair of random public and private key pairs belonging to the mobile end (the private keys are placed in a safe storage area), and further obtains random and independent public keys belonging to the mobile end from the service end in a safe mode, so that a mobile terminal uses a pair of public and private keys of the mobile end and a public key of the service end to form a key characteristic of 'one machine one secret'. The secret key of 'one machine one secret' can effectively protect confidentiality of operation data of the rail transit system, and even if an attacker acquires a certain secret key, the secret key is randomly generated and belongs to only one mobile terminal, so that the risk of leakage of the operation data can be effectively reduced. Because the encrypted data message is filled with the message digest field for integrity check before being sent, the attack of malicious tampering of operation data can be effectively resisted.
The rail traffic mobile application can complete the secure communication and data transmission of APP data encryption storage and a server through the mobile secure terminal, and the method is based on a domestic cryptographic algorithm, overcomes the defects of an international standard encryption algorithm and realizes autonomous controllability; the home password is used for realizing the mobile APP authentication, preventing an attacker from replaying, and ensuring reliable communication; one machine is used for one cipher in the data transmission process, and a random symmetric key is used for encrypting data in each transmission, so that the confidentiality of the transmitted data is ensured; and after receiving the data, the integrity check is carried out, so that the data is prevented from being tampered in the middle, and the integrity of data transmission is ensured.
Drawings
The foregoing and the following detailed description of the invention will become more apparent when read in conjunction with the following drawings in which:
FIG. 1 is a schematic diagram of the overall technical scheme of the invention;
FIG. 2 is a schematic diagram of a mobile terminal device and a server according to the present invention;
FIG. 3 is a schematic diagram of the "one-machine-one-pad" logic of the present invention.
Detailed Description
The following embodiments are used to further illustrate the technical solution for achieving the object of the present invention, and it should be noted that the technical solution claimed in the present invention includes but is not limited to the following embodiments.
Example 1
As a specific implementation scheme of the invention, the embodiment provides a data protection method of a rail transit mobile terminal, which comprises a server-side operation step, a mobile-side initialization step and a mobile-side operation step.
Specifically, as shown in fig. 1 and 2, the server runs the steps, runs the server program of the intelligent operation and maintenance APP application program, collects various rail transit operation data, invokes the encryption platform to generate a random symmetric key, encrypts the rail transit operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and stores the encrypted data in a local database, and meanwhile, the server calculates the abstract of the client program of the intelligent operation and maintenance APP application program by using an SM3 in the domestic encryption algorithm and stores the abstract by the server, and then the server issues the client program to the mobile terminal device.
The mobile terminal initializing step, in which the client program released in the server operating step is operated in the mobile terminal device, as shown in fig. 3, the mobile terminal device randomly generates a symmetric key and encrypts and uploads the symmetric key to the server in mk, the server correspondingly generates another public-private key pair, sends the public key to the mobile terminal device as the public key of a subsequent digital envelope, completes one-machine-one-secret key initialization, and then performs a legal verification on the client program, wherein the legal verification is performed for completing mutual trust authentication between the mobile terminal device and the server to prevent the secondary packaged village APP from stealing data;
the mobile terminal operation step, the server side generates an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypts the data after the server side calls the corresponding track traffic operation data in a local database thereof through a client program operated at the mobile terminal device to request the track traffic operation data from the server side, and the encrypted data are sent to the client program operated at the mobile terminal device and display the operation state on the mobile terminal device; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
in the technical scheme of the embodiment, the mobile terminal and the server terminal provided with the special APP for rail transit operation adopt the domestic encryption algorithm to safely store data, and when the APP application program of the mobile terminal is initialized, the SM3 based on the domestic encryption algorithm is used for calculating the abstract and completing the legal verification of the APP application program, so that the purposes of resisting replay attack and resisting unauthorized user access can be realized. After authentication is completed between the mobile terminal provided with the APP special for rail traffic operation and the service end of the rail traffic operation system, the mobile terminal randomly generates a pair of random public and private key pairs belonging to the mobile end (the private keys are placed in a safe storage area), and further obtains random and independent public keys belonging to the mobile end from the service end in a safe mode, so that a mobile terminal uses a pair of public and private keys of the mobile end and a public key of the service end to form a key characteristic of 'one machine one secret'. The secret key of 'one machine one secret' can effectively protect confidentiality of operation data of the rail transit system, and even if an attacker acquires a certain secret key, the secret key is randomly generated and belongs to only one mobile terminal, so that the risk of leakage of the operation data can be effectively reduced. Because the encrypted data message is filled with the message digest field for integrity check before being sent, the attack of malicious tampering of operation data can be effectively resisted.
Example 2
As a specific implementation manner of the present invention, this embodiment provides a method for protecting data of a rail transit mobile terminal, as shown in fig. 1 and 2, including the following steps:
the method comprises the steps of running an application APP program at a server, collecting various track traffic operation data, calling an encryption platform to generate a random symmetric key, encrypting the track traffic operation data by using an SM4 symmetric algorithm in a domestic encryption algorithm and using the symmetric key, and storing the encrypted track traffic operation data in a local database, meanwhile, calculating an abstract of the application APP program by using an SM3 in the domestic encryption algorithm at the server, storing the abstract by the server, and then issuing the running application APP program to mobile terminal equipment by the server.
In the operation step of the server side, the encryption platform is called to generate a random symmetric key, specifically, the intelligent operation and maintenance APP application program calls an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm and executes a random session key negotiation flow to generate the random symmetric key.
A mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment and encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, then carrying out copyright verification on the client program, and carrying out copyright verification so as to complete mutual trust authentication between the mobile terminal equipment and the server, thereby preventing the secondary packaged village APP from stealing data;
later, in the mobile terminal initializing step, one-machine-one-secret key initialization is completed, specifically, as shown in fig. 3, the method comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
In this process, pk_app is randomly generated by mobile terminals, and is unique in that each mobile terminal uses a different pk_app, while pk_essc is also generated for ID information of the mobile terminals, each mobile terminal uses a different pk_essc. The process thus completes one-machine-one-secret key initialization.
Preferably, in the mobile terminal initializing step, the performing the authentication on the client program includes the following steps:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
A mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; generating new operation data by a client program operated by mobile terminal equipment, calling a mobile encryption module SMTP to generate an SM2 public-private KEY pair (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generating a random KEY SESSION_KEY of an SM4 algorithm and storing the KEY SESSION_KEY in a safe storage area, encrypting the new operation data by the random KEY SESSION_KEY and transmitting the new operation data back to a server, and classifying the new operation data and establishing a table by the server for encryption storage;
further, in the mobile terminal operation step, the new operation data includes user registration information, service data and operation log.
More specifically, in the mobile terminal operation step, after receiving encrypted rail transit operation data of the server, the mobile terminal device performs integrity verification by using a domestic encryption algorithm, decrypts a random key by using an asymmetric encryption algorithm SM2 to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
More preferably, in the mobile terminal operation step, the server terminal classifies the new operation data and establishes a table for encryption storage, and specifically includes the following steps:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.
Claims (7)
1. The data protection method of the rail transit mobile terminal is characterized by comprising the following steps of:
the method comprises the steps that a server side operates, a server side operates a server side program of an intelligent operation and maintenance APP application program, various track traffic operation data are collected, an encryption platform is called to generate a random symmetric key, the track traffic operation data are encrypted by an SM4 symmetric algorithm in a domestic encryption algorithm and then stored in a local database, meanwhile, the server side calculates an abstract of a client side program of the intelligent operation and maintenance APP application program by an SM3 in the domestic encryption algorithm and is stored by the server side, and then the server side issues the client side program to mobile terminal equipment;
a mobile terminal initializing step, namely running the client program released in the server running step in the mobile terminal equipment, randomly generating a pair of symmetric keys by the mobile terminal equipment, encrypting and uploading the symmetric keys to the server by mk, correspondingly generating another group of public and private key pairs by the server, sending the public keys to the mobile terminal equipment as the public keys of subsequent digital envelopes, completing one-machine-one-secret key initialization, and then carrying out copyright verification on the client program;
a mobile terminal operation step, namely requesting the rail transit operation data from a server terminal through a client program operated by mobile terminal equipment, generating an SM2 public and private KEY pair and a random KEY SESSION_KEY of an SM4 algorithm and encrypting the data after the server terminal invokes the corresponding rail transit operation data in a local database of the server terminal, transmitting the encrypted data to the client program operated by the mobile terminal equipment, and displaying an operation state on the mobile terminal equipment; the client program operated by the mobile terminal equipment generates new operation data, calls a mobile encryption module SMTP to generate SM2 public private KEY pairs (public KEY PUB_KEY_APP, private KEY PRI_KEY_APP), generates a random KEY SESSION_KEY of an SM4 algorithm and stores the random KEY SESSION_KEY in a safe storage area, encrypts the new operation data through the random KEY SESSION_KEY and transmits the new operation data back to a server, and the server classifies the new operation data and establishes a table for encryption storage.
2. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: and calling the encryption platform to generate a random symmetric key, specifically, calling an SDK interface function of the encryption platform adopting a domestic cryptographic algorithm by the intelligent operation and maintenance APP application program, and executing a random session key negotiation flow to generate the random symmetric key.
3. The method for protecting data of a mobile terminal for rail transit according to claim 1, wherein in the step of initializing the mobile terminal, one-machine-one-secret key initialization is completed, and the method specifically comprises the following steps:
step 1, in the initialization process of running a client program, a mobile terminal device creates an MSK library, generates a master key Mk and encrypts with an initial public key of an intelligent operation and maintenance APP application program;
step 2, the mobile terminal equipment randomly generates a pair of asymmetric keys, stores the private key of the asymmetric keys in a secure storage area, and uploads the public key PK_APP of the asymmetric keys, the master key MK encrypted by the initial public key in the step 1 and the ID of the mobile terminal equipment to a server side;
step 3, the server side calls a private key in a random symmetric key generated by an encryption platform, decrypts the master key Mk and converts the private key to be encrypted by a master key Lmk of the server side, and stores the encrypted private key in the encryption platform, and the server side calls the encryption platform to store the public key PK_APP;
step 4, the mobile terminal equipment randomly generates a pair of symmetric keys, encrypts the symmetric keys by the master key MK and then sends the encrypted symmetric keys to a server;
step 5, the server side calls the encryption platform to import the symmetric key in the step 4 into the encryption platform for storage;
step 6, the server side calls the encryption platform to generate another group of public and private key pairs, encrypts the public key PK_ESSC by using the public key PK_APP and returns the encrypted public key PK_ESSC to the mobile terminal equipment;
step 7, the mobile terminal equipment decrypts to obtain the public key PK_ESSC, stores the PK_ESSC and serves as the public key of the subsequent digital envelope, and meanwhile, the public key also provides key guarantee for bidirectional authentication;
step 8, the server side calls the encryption platform to generate seeds and returns the seeds to the mobile terminal equipment;
and 9, the mobile terminal equipment imports the seeds to finish one-machine-one-password of the mobile terminal.
4. The method for protecting data of a rail transit mobile terminal according to claim 1, wherein in the step of initializing the mobile terminal, the client program is authenticated, comprising the steps of:
step 1, a client program operated by mobile terminal equipment calls a legal verification interface of a mobile encryption module SMTP to obtain a dynamic signature and sends the dynamic signature to a server;
and step 2, the server side calls the encryption platform signature, and after the encryption platform signature passes, the user of the mobile terminal equipment can see the interactive interface.
5. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: in the mobile terminal operation step, the new operation data comprises user registration information, service data and operation logs.
6. The method for protecting the data of the rail transit mobile terminal according to claim 1, wherein the method comprises the following steps: in the mobile terminal operation step, after receiving encrypted rail transit operation data of a server terminal, the mobile terminal equipment performs integrity verification by utilizing a domestic encryption algorithm, adopts an asymmetric encryption algorithm SM2 to perform random key decryption to obtain a random key, and then performs data decryption on the rail transit operation data by using the random key.
7. The method for protecting data of a mobile terminal for rail transit according to claim 1, wherein in the step of operating the mobile terminal, the server classifies new operation data and establishes a table for encryption storage, specifically comprising the steps of:
a table building step, wherein a table is built and stored, and the table comprises an encrypted column name and a non-encrypted column name;
a data defining step of classifying and defining data to be stored in new operation data, wherein the data to be stored comprises user information, service data and logs, the data belonging to secret information is defined to an encrypted column name, and the data belonging to common information is defined to a non-encrypted column name;
a data ID creation step of creating a corresponding data ID for each item of data belonging to the secret information or the data of the common information and storing the data in the data, wherein each data ID is a randomly generated encrypted column name or an unencrypted column name which is different from each other and is associated with the corresponding data ID;
a data encryption step of screening a data ID corresponding to an encryption column name from a table, and calling an encryption platform to encrypt secret information corresponding to the data ID and generate encrypted data by identifying the data ID in the data;
and data storage, namely according to the classification definition of the new operation data by the data definition step, taking the business data and the log as secret information, carrying out encryption storage by using a national secret SM4 algorithm, taking the user information as common information, and carrying out abstract calculation storage by using the national secret SM3 algorithm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111244907.9ACN114095156B (en) | 2021-10-26 | 2021-10-26 | Data protection method for rail transit mobile terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111244907.9ACN114095156B (en) | 2021-10-26 | 2021-10-26 | Data protection method for rail transit mobile terminal |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114095156A CN114095156A (en) | 2022-02-25 |
| CN114095156Btrue CN114095156B (en) | 2023-05-12 |
Family
ID=80297625
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111244907.9AActiveCN114095156B (en) | 2021-10-26 | 2021-10-26 | Data protection method for rail transit mobile terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114095156B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018074750A1 (en)* | 2016-10-18 | 2018-04-26 | 주식회사 유니온플레이스 | Train information managing device |
| CN109688585A (en)* | 2018-12-28 | 2019-04-26 | 卡斯柯信号有限公司 | Vehicle-ground wireless communication encryption method and device applied to train monitoring system |
| CN112020037A (en)* | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | A domestic communication encryption method suitable for rail transit |
| CN112020038A (en)* | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | Domestic encryption terminal suitable for rail transit mobile application |
| CN112565285A (en)* | 2020-12-16 | 2021-03-26 | 卡斯柯信号(成都)有限公司 | Communication encryption method suitable for rail transit |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3248359A4 (en)* | 2015-01-22 | 2018-09-05 | Visa International Service Association | Method and system for establishing a secure communication tunnel |
- 2021
- 2021-10-26CNCN202111244907.9Apatent/CN114095156B/enactiveActive
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018074750A1 (en)* | 2016-10-18 | 2018-04-26 | 주식회사 유니온플레이스 | Train information managing device |
| CN109688585A (en)* | 2018-12-28 | 2019-04-26 | 卡斯柯信号有限公司 | Vehicle-ground wireless communication encryption method and device applied to train monitoring system |
| CN112020037A (en)* | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | A domestic communication encryption method suitable for rail transit |
| CN112020038A (en)* | 2020-09-25 | 2020-12-01 | 卡斯柯信号(郑州)有限公司 | Domestic encryption terminal suitable for rail transit mobile application |
| CN112565285A (en)* | 2020-12-16 | 2021-03-26 | 卡斯柯信号(成都)有限公司 | Communication encryption method suitable for rail transit |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114095156A (en) | 2022-02-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104796265B (en) | A kind of Internet of Things identity identifying method based on Bluetooth communication access | |
| CN105162808B (en) | A kind of safe login method based on national secret algorithm | |
| CN102024123B (en) | Method and device for importing mirror image of virtual machine in cloud calculation | |
| KR101753859B1 (en) | Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device | |
| CN109684129B (en) | Data backup recovery method, storage medium, encryption machine, client and server | |
| CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD | |
| CN113472793A (en) | Personal data protection system based on hardware password equipment | |
| CN101695038A (en) | Method and device for detecting SSL enciphered data safety | |
| CN108323230B (en) | Method for transmitting key, receiving terminal and distributing terminal | |
| CN114401087B (en) | Passive lock identity authentication and key agreement system based on state cryptographic algorithm | |
| CN114006736B (en) | Instant communication message protection system and method based on hardware password equipment | |
| CN114567470B (en) | SDK-based multi-system key splitting verification system and method | |
| CN112020038A (en) | Domestic encryption terminal suitable for rail transit mobile application | |
| CN106411926A (en) | Data encryption communication method and system | |
| JPH07325785A (en) | Network user authentication method, encrypted communication method, application client and server | |
| CN104424446A (en) | Safety verification and transmission method and system | |
| CN111600948B (en) | Cloud platform application and data security processing method, system, storage medium and program based on identification password | |
| CN112865965A (en) | Train service data processing method and system based on quantum key | |
| CN112685786A (en) | Financial data encryption and decryption method, system, equipment and storage medium | |
| CN113591109B (en) | Method and system for communication between trusted execution environment and cloud | |
| CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system | |
| CN101539977A (en) | Method for protecting computer software | |
| JP3348753B2 (en) | Encryption key distribution system and method | |
| CN119364360A (en) | Railway vehicle operation intelligent mobile terminal safety protection system | |
| CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |