Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
FIG. 1 illustrates a schematic diagram of an implementation environment provided by one embodiment of the present application. The implementation environment includes a first device 11 and a second device 12.
The first device 11 is the transmitting device of a broadcast message, which is broadcast by means of Bluetooth Beacon. The first device 11 may be a smart phone, a tablet computer, a smart home appliance (such as a smart speaker, a smart refrigerator, a smart air conditioner, etc.), a wearable smart device (such as smart glasses, a smart watch, etc.), or a smart sensor (such as a temperature sensor, a door and window sensor, etc.); the embodiment of the present application does not limit the device type of the first device 11.
The first device 11 has a data encryption function. The first device 11 uses the data encryption function to encrypt the data to be encrypted in the original message to obtain encrypted data, and then sends an encrypted message carrying the encrypted data to another device. Encryption algorithms used in the encryption process include, but are not limited to, the Data Encryption Standard (DES) algorithm, the Triple Data Encryption Algorithm (3DES), the Advanced Encryption Standard (AES) algorithm, and the like. In the embodiment of the present application, the AES algorithm is taken as the encryption algorithm for explanation.
In the embodiment of the present application, the encryption parameters involved in the encryption process include, besides the key, an encryption initialization vector generated based on the initialization vector and the first timestamp, where the first timestamp is determined based on the current timestamp of the first device 11. Because the first timestamp varies over a large span and irregularly, the encryption initialization vector generated from it has the same characteristics, and encrypting the data to be encrypted with such an encryption initialization vector reduces the probability that an illegal device cracks the encrypted message and improves the security of the encrypted message. In addition, the key and the initialization vector are determined by negotiation between the first device 11 and the second device 12. Optionally, the first device 11 and the second device 12 negotiate the key and the initialization vector during network provisioning.
The second device 12 is the receiving device of the broadcast message. The second device 12 may be a smart phone, a tablet computer, a smart home appliance (such as a smart speaker, a smart refrigerator, a smart air conditioner, etc.), a wearable smart device (such as smart glasses, a smart watch, etc.), or a smart sensor (such as a temperature sensor, a door and window sensor, etc.); the embodiment of the present application does not limit the device type of the second device 12.
The second device 12 has a data decryption function. After receiving the encrypted message, the second device 12 decrypts the encrypted data carried in the encrypted message by using the data decryption function, so as to obtain the data to be encrypted in the original message. The decryption process is the inverse of the encryption process and involves a decryption algorithm that is actually determined based on the algorithm employed by the first device 11. For example, the first device 11 encrypts the data to be encrypted by using the AES encryption algorithm to obtain encrypted data, and the second device 12 decrypts the encrypted data by using the AES decryption algorithm to obtain the data to be encrypted.
In an embodiment of the application, the decryption parameters involved in the decryption process include, in addition to the key, a decryption initialization vector generated based on the current timestamp of the second device 12 and the first timestamp. The decryption initialization vector is the same as the encryption initialization vector.
As shown in fig. 1, the first device 11 is a smart home appliance, and the second device 12 is a smart phone.
In the embodiment of the present application, a cloud 13 may also be included. The cloud 13 is a server that manages Bluetooth devices (including the first device 11 and the second device 12). The user may use the second device 12 to register a home account with the cloud 13, and both the first device 11 and the second device 12 are added to that account. A home communication network is formed between the first device 11 and the second device 12, through which the devices can communicate over Bluetooth. It will be appreciated that the functions provided by the cloud 13 may also be implemented locally, which is not limited in this embodiment of the present application.
Illustratively, the cloud 13 assigns a home address to the home account. The broadcast message sent by the first device may carry a home address such that the broadcast message may be acquired by the second device 12 or by other devices in the home communications network.
In the related art, since the encryption initialization vector is set by negotiation between the encryptor and the decryptor, it is generally fixed, so that the encrypted message is easily broken by illegal devices, and the security is low.
Based on the above, the embodiment of the application provides an encryption scheme in which the encryption initialization vector is obtained according to the first timestamp provided by the first device, and the data to be encrypted is then encrypted based on that encryption initialization vector. Because the first timestamp varies over a large span and irregularly, the encryption initialization vector generated from it has the same characteristics, and encrypting the data to be encrypted with such an encryption initialization vector reduces the probability that an illegal device cracks the encrypted message and improves the security of the encrypted message.
FIG. 2 is a schematic diagram illustrating an encryption and decryption process according to an embodiment of the present application. The first device is a smart air conditioner and the second device is a smart phone. The first device determines, according to its current timestamp, the encryption initialization vector and the time data carried in the original message, and then uses the encryption initialization vector to encrypt the plaintext in the original message to obtain an encrypted message. After the encrypted message is sent to the second device, the second device determines a decryption initialization vector according to its own current timestamp and the time data, and uses the decryption initialization vector to decrypt the ciphertext in the encrypted message to obtain the original message.
Fig. 3 shows a flowchart of an encryption method according to an embodiment of the present application, which is applied to the first device 11 in the embodiment of fig. 1. The method comprises the following steps:
Step 301, obtaining an encryption initialization vector based on a first timestamp.
The first timestamp is determined based on the timestamp at which the first device generates the encrypted message. In one example, the first timestamp is the timestamp at which the first device generates the encrypted message. In another example, the second timestamp is determined based on the timestamp of the first device when generating the encrypted message and a preset time difference value, which is set by default by the first device or may be customized. The encryption initialization vector refers to the initialization vector used in the encryption process.
In the embodiment of the application, the first device determines the encryption initialization vector based on its current timestamp and then encrypts the data to be encrypted based on the encryption initialization vector. Because the first timestamp varies over a large span and irregularly, the encryption initialization vector generated from it has the same characteristics.
Optionally, step 301 comprises the sub-steps of:
In step 301a, the first timestamp is encoded according to a preset format, so as to obtain a first encoded timestamp.
The preset format refers to a format that allows recognition and parsing by the first device and the device receiving the encrypted message. Optionally, the preset format is set by negotiation between the first device and the device receiving the encrypted message. Illustratively, the preset format is a network coding order.
In step 301b, if the number of bits included in the first encoded timestamp is smaller than the number of bits included in the initialization vector, the first encoded timestamp is subjected to bit-filling processing, so as to obtain the first bit-filling timestamp.
The initialization vector is pre-agreed by the first device and the device receiving the encrypted message.
The bit-filling process refers to increasing the number of bits included in the first coded timestamp so that the number of bits included in the first coded timestamp is the same as the number of bits included in the initialization vector.
Optionally, the first device calculates a difference between the number of bits included in the first encoded timestamp and the number of bits included in the initialization vector, and then fills a set value at a specified position of the first encoded timestamp, where the number of fills is the difference.
The specified position is set by default by the first device or by negotiation between the first device and the device receiving the encrypted message, for example before the first bit of the first encoded timestamp or after the last bit of the first encoded timestamp. The set value is likewise set by default by the first device or by negotiation between the first device and the device receiving the encrypted message, for example 0 or 1.
Illustratively, the first encoded timestamp includes 8 bits, 10111011, and the initialization vector includes 13 bits. The first device calculates the difference between the number of bits included in the first encoded timestamp and the number of bits included in the initialization vector as 5, and then fills 5 bits after the last bit of the first encoded timestamp to obtain 1011101100000, so that the number of bits included in the first post-bit-filling timestamp is the same as the number of bits included in the initialization vector.
If the number of bits included in the first encoded timestamp is equal to the number of bits included in the initialization vector, the first encoded timestamp is directly determined to be the first post-bit-supplement timestamp.
In step 301c, a logical operation is performed on the first post-bit-filling timestamp and the initialization vector to obtain the encryption initialization vector.
Optionally, the first device performs an exclusive-or operation on the first post-bit-filling timestamp and the initialization vector to obtain the encryption initialization vector. Illustratively, the initialization vector is 1100101011001, the first post-bit-filling timestamp is 1011101100000, and the two are exclusive-ored to obtain the encryption initialization vector 0111000111001.
Step 302, encrypting the data to be encrypted in the original message by the encryption initialization vector to obtain encrypted data.
The original message includes data to be encrypted. Table-1 illustrates the data structure of the original message.
TABLE-1
As shown in Table-1, the original message carries a header (Head Flag), a device address (Address), time data (Msgtime), plaintext (Ciphertext), a message integrity code (Message Integrity Code, MIC), and the like.
The header is used for indicating attribute information of the first device and the original message, such as whether the first device has completed network configuration, whether the original message is encrypted, and the like. The device address is the network address of the first device; when the first device is a Bluetooth device, the device address is the home device address allocated when the Bluetooth device is provisioned with the gateway device. The time data is the time data determined based on the first timestamp in step 301. The plaintext is the data to be encrypted, which is either null data or service data. When the original message is a device discovery broadcast, the data to be encrypted is null data, and when the original message is a service message, the data to be encrypted is the service data.
The encryption parameters used in the encryption process include an encryption algorithm and an encryption key in addition to the encryption initialization vector. Encryption algorithms include, but are not limited to, DES algorithm, 3DES algorithm, AES algorithm. In the embodiment of the present application, only the encryption algorithm is exemplified as the AES algorithm. The encryption key is also set by the first device negotiating with the device receiving the encrypted message. Illustratively, the bluetooth device and the gateway device negotiate to determine an encryption key during the provisioning process.
Optionally, the first device encrypts the data to be encrypted by AES_CCM_Encrypt(key=beacon_key, iv=xx, aad=data from Head Flag (inclusive) back to Address (inclusive), in=plaintext, tag=mic).
As indicated by the above code, the encryption key is beacon_key and the encryption initialization vector is xx. The header and the device address are additional authenticated data (Additional Authenticated Data, AAD), that is, data that is not encrypted and is provided to the device receiving the encrypted message so that it can authenticate the identity information of the first device. The data to be encrypted is the plaintext. The tag is the message integrity code.
Step 303, sending an encrypted message to the second device, or broadcasting an encrypted message.
The encrypted message carries encrypted data and time data determined based on the first timestamp.
Optionally, the number of bits included in the time data is determined according to one or both of the following: whether the original message carries service data, and the number of bits included in the service data. For example, if the original message carries service data, the time data includes fewer bits, and if the original message does not carry service data, the time data includes more bits. For another example, the more service data the original message carries, the fewer bits the time data includes, and the less service data the original message carries, the more bits the time data includes.
Optionally, if the data to be encrypted includes service data, the time data is low n-bit data of the first timestamp, n is smaller than the number of bits included in the first timestamp, and n is a positive integer.
The first timestamp includes 64 bits, i.e. 8 bytes. n is set by default by the first device or by negotiation between the first device and the device receiving the encrypted message (e.g., the second device). Illustratively, n is 8, that is, the time data is one byte. In this way, the number of bytes of the time data is reduced, so that the original message can carry more service data and the data transmission efficiency is improved.
Optionally, if the data to be encrypted does not carry service data, the time data is a first timestamp.
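The derivation in steps 301a-301c and the time-data rule of step 303, as an added example that is not code from the application: it operates on bit strings so the 13-bit illustration above can be checked, and also runs a 64-bit timestamp against a 104-bit initialization vector. The function names, the big-endian encoding, the 104-bit size and the sample values are assumptions.

```python
"""Added example: steps 301a-301c and the time-data rule of step 303.

Bit strings are used so the 13-bit illustration in the text can be
reproduced exactly. Names and the 104-bit IV size are assumptions.
"""

# Constructed sample values (not taken from any real device).
SAMPLE_IV_104 = format(0x00112233445566778899AABBCC, "0104b")
SAMPLE_TS = 1700000123  # seconds


def encode_timestamp(ts, width_bits):
    """Step 301a: fixed-width encoding, most significant bit first.

    The text only says "preset format"; big-endian is assumed here.
    """
    if ts < 0 or ts >= 1 << width_bits:
        raise ValueError("timestamp does not fit in width_bits")
    return format(ts, f"0{width_bits}b")


def pad_timestamp(encoded, iv_bits, position="after", fill="0"):
    """Step 301b: fill the set value at the specified position."""
    if fill not in ("0", "1"):
        raise ValueError("fill must be '0' or '1'")
    missing = iv_bits - len(encoded)
    if missing < 0:
        # The text does not define a timestamp longer than the IV.
        raise ValueError("encoded timestamp is longer than the IV")
    if position == "after":
        return encoded + fill * missing
    if position == "before":
        return fill * missing + encoded
    raise ValueError("position must be 'before' or 'after'")


def xor_bits(a, b):
    """Step 301c: bitwise XOR of two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("operands must have the same number of bits")
    return format(int(a, 2) ^ int(b, 2), f"0{len(a)}b")


def derive_encryption_iv(ts, ts_bits, negotiated_iv,
                         position="after", fill="0"):
    """Steps 301a-301c chained: encode, pad to the IV length, XOR."""
    encoded = encode_timestamp(ts, ts_bits)
    padded = pad_timestamp(encoded, len(negotiated_iv), position, fill)
    # XOR with a fixed vector is a bijection, so two IVs are equal
    # exactly when the two padded timestamps are equal.
    return xor_bits(padded, negotiated_iv)


def make_time_data(ts, ts_bits, has_service_data, n=8):
    """Step 303: return (time_data, number_of_bits) for the message."""
    if not has_service_data:
        return ts, ts_bits            # the full first timestamp is carried
    if not 0 < n < ts_bits:
        raise ValueError("n must be positive and smaller than ts_bits")
    return ts & ((1 << n) - 1), n     # only the low n bits are carried


if __name__ == "__main__":
    # The 8-bit timestamp and 13-bit IV from the illustration in the text.
    print(derive_encryption_iv(0b10111011, 8, "1100101011001"))
    iv = derive_encryption_iv(SAMPLE_TS, 64, SAMPLE_IV_104)
    print(f"{int(iv, 2):026x}", make_time_data(SAMPLE_TS, 64, True))
```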
Accordingly, the second device receives the encrypted message sent by the first device, or the second device receives the encrypted message broadcast by the first device.
Optionally, the first device performs timing (time-correction) processing on its own time before performing step 201. After the time-correction processing, the difference between the time of the first device and the reference time is smaller than a preset threshold. The preset threshold is set according to practical experience, which is not limited in the embodiment of the present application.
Since the second device needs to calculate the decryption initialization vector according to the time data and decrypt with it, when the time of the first device is inaccurate the second device cannot accurately restore the encryption initialization vector and decryption fails. To avoid this situation, the time of the first device needs to be corrected.
In summary, according to the technical scheme provided by the embodiment of the application, the encryption initialization vector is obtained according to the first timestamp provided by the first device, and the data to be encrypted is then encrypted based on the encryption initialization vector. Because the first timestamp varies over a large span and irregularly, the encryption initialization vector generated from it has the same characteristics, and encrypting the data to be encrypted with such an encryption initialization vector reduces the probability that an illegal device cracks the encrypted message and improves the security of the encrypted message. In addition, performing timing processing on the first device reduces the probability of decryption failure at the second device.
Fig. 4 shows a flow chart of a decryption method according to an embodiment of the application, which is applied to the second device in fig. 1. The method comprises the following steps:
Step 401, an encrypted message sent or broadcast by a first device is received.
The encrypted message carries encrypted data and time data determined based on the first timestamp.
Step 402, obtaining a decryption initialization vector according to the time stamp and time data when the second device received the encrypted message.
The decryption initialization vector refers to an initialization vector used in the decryption process, which is identical to the encryption initialization vector. In the embodiment of the application, the second device acquires the decryption initialization vector according to the time stamp and the time data when the second device receives the encrypted message.
Optionally, step 402 includes the sub-steps of:
Step 402a, determining a second timestamp from the timestamp when the second device received the encrypted message and the time data.
Optionally, the second device determines at least two candidate timestamps according to the timestamp when it received the encrypted message and the time data, and then determines the candidate timestamp closest to the timestamp when it received the encrypted message as the second timestamp. Illustratively, the timestamp when the second device receives the encrypted message is 14:27:30 and the candidate timestamps are 14:26:14, 14:27:14 and 14:28:14; the second device then determines 14:27:14 as the second timestamp.
In one possible implementation, when the time data is the low n-bit data in the first timestamp, step 402a is implemented as follows steps 402a1-402a3.
Step 402a1, replacing the low n-bit data in the timestamp when the second device receives the encrypted message with the time data to obtain a first candidate timestamp;
Illustratively, the timestamp when the second device receives the encrypted message is 14:27:30, and the low n-bit data of the first timestamp carried as time data is 14, so the first candidate timestamp is 14:27:14.
Step 402a2, carrying the high m-bit data in the timestamp when the second device receives the encrypted message, and replacing the low n-bit data in the carried timestamp with the time data to obtain a second candidate timestamp;
The high m-bit data is the data other than the low n-bit data in the timestamp when the second device receives the encrypted message, and m is a positive integer. Carry refers to incrementing the high m-bit data of the timestamp when the second device receives the encrypted message by a first predetermined value, which is determined according to the number system employed by the second device. For example, the number system used by the second device is decimal, and the first predetermined value is 1. For another example, the number system used by the second device is binary and the first predetermined value is 246.
Illustratively, the timestamp when the second device receives the encrypted message is 14:27:30 and the time data is 14. Carrying the high m-bit data and replacing the low n-bit data with the time data gives 14:28:14, so the second candidate timestamp is 14:28:14.
Step 402a3, borrowing from the high m-bit data in the timestamp when the second device receives the encrypted message, and replacing the low n-bit data in the borrowed timestamp with the time data to obtain a third candidate timestamp.
Borrow refers to reducing the high m-bit data of the timestamp when the second device receives the encrypted message by a second predetermined value, which is determined according to the number system employed by the second device. For example, the number system used by the second device is decimal and the second predetermined value is 1. For another example, the number system used by the second device is binary and the second predetermined value is 246.
Illustratively, the timestamp when the second device receives the encrypted message is 14:27:30 and the time data is 14. Borrowing from the high m-bit data and replacing the low n-bit data with the time data gives 14:26:14, so the third candidate timestamp is 14:26:14.
In other possible implementations, when the time data is the first timestamp, then the time data is directly determined to be the second timestamp.
Step 402b, encoding the second timestamp according to a preset format to obtain a second encoded timestamp.
In step 402c, if the number of bits included in the second encoded timestamp is smaller than the number of bits included in the initialization vector, the second encoded timestamp is subjected to bit-filling processing, so as to obtain the second bit-filling timestamp.
The second bit-complemented timestamp includes the same number of bits as the initialization vector.
Step 402d, performing a logical operation on the second bit-complemented timestamp and the initialization vector to obtain the decryption initialization vector.
Optionally, the second device performs an exclusive-or operation on the second bit-complemented timestamp and the initialization vector to obtain the decryption initialization vector.
The explanation of steps 402b-402d refers to steps 301a-301c and is not described here in detail.
Step 403, performing decryption processing on the encrypted data through the decryption initialization vector to obtain the data to be encrypted in the original message.
The decryption parameters used in the decryption process include a decryption algorithm and a decryption key in addition to the decryption initialization vector. The decryption algorithm is determined from the encryption algorithm. The decryption key is also set by the first device negotiating with the device receiving the encrypted message.
Optionally, the second device decrypts the encrypted data by AES_CCM_Decrypt(key=beacon_key, iv=xx, aad=data from Head Flag (inclusive) back to Address (inclusive), in=ciphertext, tag=mic).
As indicated by the above code, the decryption key is beacon_key and the decryption initialization vector is xx. The header and the device address are additional authenticated data (Additional Authenticated Data, AAD), that is, data that does not need decryption and is used by the second device to authenticate the identity information of the first device. The data to be decrypted is the ciphertext. The tag is the message integrity code.
Optionally, when the time data is the low n-bit data in the first timestamp, if the second device fails to decrypt the encrypted data through the decryption initialization vector, the encrypted message is discarded.
When an illegal device copies the encrypted message and sends the copy to the second device at some time after the first timestamp, the decryption initialization vector determined by the second device differs from the encryption initialization vector and decryption fails. Because the second device directly discards the encrypted message when decryption fails, replay attacks are effectively resisted.
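The receiver side of steps 402a1-402a3 and 402b-402d, as an added example that is not code from the application: it rebuilds the second timestamp from the low n bits and checks whether the resulting decryption initialization vector equals the sender's. Timestamps are treated as integer seconds split in binary; the function names, the 13-byte initialization vector and the sample values are assumptions, and the AES-CCM call of step 403 is left out because equality of the two vectors decides whether its MIC check can pass.

```python
"""Added example: steps 402a1-402a3 and 402b-402d on the second device.

Names, the 13-byte IV and all sample values are assumptions; the 8-byte
timestamp follows the 64-bit first timestamp given in the text.
"""

NEGOTIATED_IV = bytes.fromhex("00112233445566778899aabbcc")  # constructed
TS_BYTES = 8


def candidate_timestamps(rx_ts, time_data, n):
    """Steps 402a1-402a3: keep, carry, or borrow the high bits."""
    if not 0 <= time_data < 1 << n:
        raise ValueError("time_data does not fit in n bits")
    high = rx_ts >> n                      # the high m-bit data
    candidates = []
    for h in (high, high + 1, high - 1):   # as received, carry, borrow
        if h >= 0:
            candidates.append((h << n) | time_data)
    return candidates


def recover_second_timestamp(rx_ts, time_data, n=None):
    """Step 402a: pick the candidate closest to the receive time.

    n=None models the case where the time data is the full first
    timestamp, which is then used directly as the second timestamp.
    """
    if n is None:
        return time_data
    return min(candidate_timestamps(rx_ts, time_data, n),
               key=lambda c: abs(c - rx_ts))


def derive_iv(ts, negotiated_iv=NEGOTIATED_IV):
    """Steps 402b-402d (same as 301a-301c): encode, zero-pad, XOR."""
    padded = ts.to_bytes(TS_BYTES, "big").ljust(len(negotiated_iv), b"\x00")
    return bytes(p ^ v for p, v in zip(padded, negotiated_iv))


def receiver_iv_matches(sender_ts, rx_ts, n):
    """True when the decryption IV equals the encryption IV.

    False means the MIC check of step 403 cannot succeed, so the
    second device discards the message.
    """
    time_data = sender_ts & ((1 << n) - 1)       # what the message carries
    second_ts = recover_second_timestamp(rx_ts, time_data, n)
    return derive_iv(second_ts) == derive_iv(sender_ts)


if __name__ == "__main__":
    sender = 1700000250                          # constructed send time
    for delay in (16, -20, 600):                 # seconds between clocks
        print(delay, receiver_iv_matches(sender, sender + delay, 8))
```

With n = 8 and one-second timestamps, the second timestamp equals the first timestamp only while the two readings differ by less than 128 seconds, so the same bound covers both tolerated clock skew and the age of a message that can still decrypt.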
In summary, according to the technical scheme provided by the embodiment of the application, the encryption initialization vector is obtained according to the first timestamp provided by the first device, and the data to be encrypted is then encrypted based on the encryption initialization vector. Because the first timestamp varies over a large span and irregularly, the encryption initialization vector generated from it has the same characteristics, and encrypting the data to be encrypted with such an encryption initialization vector reduces the probability that an illegal device cracks the encrypted message and improves the security of the encrypted message.
In addition, when the time data is the low n-bit data of the first timestamp, the corresponding encrypted message is discarded if decryption fails, so that replay attacks are effectively resisted.
Because the encryption initialization vector used in the encryption process is determined based on the first timestamp, when the first device initiates a timing flow after establishing a binding relation, or when it powers up again after powering down, the second device can judge whether the time of the first device is accurate according to the first timestamp and its own current timestamp when decrypting the encrypted timing request message. This flow is explained below in conjunction with FIG. 5.
In step 501, the first device obtains an encryption initialization vector based on a first timestamp.
In step 502, the first device performs encryption processing on the timing request message through the encryption initialization vector to obtain an encrypted timing request message.
The timing request broadcast is for requesting correction of the time of the first device. The timing request broadcast carries a header, a device address, a first timestamp, plaintext, and a message integrity code.
In step 503, the first device broadcasts the encrypted timing request message.
In one possible implementation, the first device broadcasts the encrypted timing request message after establishing a binding relationship with other devices (e.g., gateway devices). In another possible implementation, the first device broadcasts the encrypted timing request message out when powered back up after power down.
Optionally, the timing parameter is determined according to the power consumption of the first device. The timing parameter includes a first time interval, a timing window, a second time interval, and the like. The first time interval is the time interval between two adjacent timing flows initiated by the first device. The timing window is the time window in which the encrypted timing request message is broadcast. The second time interval is the time interval between two adjacent broadcasts of the encrypted timing request message.
Optionally, the first time interval has a positive correlation with the power consumption of the first device. I.e. the larger the power consumption of the first device, the larger the first time interval, and the smaller the power consumption of the first device, the smaller the first time interval.
Optionally, the timing window has a negative correlation with the power consumption of the first device. I.e. the smaller the power consumption of the first device, the larger the timing window, and the larger the power consumption of the first device, the smaller the timing window.
Optionally, the second time interval has a positive correlation with the power consumption of the first device. I.e. the smaller the power consumption of the first device the smaller the second time interval, the larger the power consumption of the first device the larger the second time interval.
In one example, the first time interval is 30 minutes, the timing window is 15 seconds, and the second time interval is 200 milliseconds. In another example, the first time interval is set flexibly according to the number of times timing has been initiated: for example, the interval is 30 seconds the first time, 1 minute the second time and 2 minutes the third time, and each subsequent interval is twice the previous one until the first time interval is 30 minutes.
In step 504, when the second device scans the encrypted timing request message broadcast by the first device, the second device decrypts the encrypted timing request message according to the first timestamp carried by the encrypted timing request message.
Step 505, if decryption is successful, but the difference between the first timestamp and the timestamp of the second device when scanning the encrypted timing request message is greater than a preset threshold, initiating a timing flow for the first device according to the encrypted timing request message.
The preset threshold is set according to the time precision requirement, which is not limited in the embodiment of the present application. If the difference between the first timestamp and the timestamp of the second device when receiving the encrypted message is greater than a preset threshold, the difference between the time of the second device and the time of the first device is larger, so that a timing flow of the first device needs to be initiated.
Optionally, if the difference between the first timestamp and the timestamp of the time when the second device receives the encrypted message is smaller than a preset threshold, the encrypted timing request message is decrypted by using the second timestamp, and if the decryption fails, a timing flow of the first device is initiated according to the encrypted timing request message.
Optionally, before sending the timing response message, the second device determines whether a communication connection has been established with the first device. If no communication connection has been established between the second device and the first device, the second device sends a connection establishment request to the first device, and the first device establishes a communication connection with the second device according to the connection establishment request. After the communication connection is established, the second device returns a timing response message to the first device through the communication connection; alternatively, after the communication connection is established, the first device sends a timing request to the second device through the communication connection, and the second device returns the timing response message through the communication connection according to the timing request.
The timing flow is specifically as follows: the second device establishes a communication connection with the first device and sends a timing command carrying the timing time to the first device; after receiving the timing command, the first device performs timing according to the timing time carried in the timing command.
FIG. 6 illustrates a flow chart of timing the first device according to one embodiment of the present application. The method comprises the following steps:
Step 601, after the first device completes binding, or after the first device is powered off and powered on again, the first device broadcasts an encrypted timing request message.
Step 602, after scanning the encrypted timing request broadcast, the second device decrypts the encrypted timing request message according to the first timestamp carried by the encrypted timing request message.
Step 603, if the decryption is successful, and the difference between the second timestamp and the timestamp of the second device when scanning the encrypted timing request message is greater than a preset threshold, connection timing is initiated.
Step 604, the first device establishes a communication connection with the second device.
Step 605, the first device sends a timing request to the second device.
Step 606, the second device sends a timing response to the first device, the timing response carrying the timing time.
Step 607, the first device completes timing according to the timing time.
Step 608, the first device disconnects the communication connection with the second device.
Optionally, the encryption scheme provided by the embodiment of the application is applied to the field of internet of things (Internet of Things, IOT), and the first device is a bluetooth device and the second device is a mobile terminal. The encryption method comprises the following steps:
Step 61, obtaining the encryption initialization vector based on the first timestamp.
The first timestamp is the timestamp when the bluetooth device generated the encrypted message.
Step 62, encrypting the data to be encrypted in the original message through the encryption initialization vector to obtain encrypted data.
Step 63, sending the encrypted message to the mobile terminal, or broadcasting the encrypted message.
The encrypted message carries encrypted data and time data determined based on the first timestamp. Correspondingly, the decryption method further comprises the following steps:
Step 64, an encrypted message sent or broadcast by the bluetooth device is received.
The encrypted message carries encrypted data and time data determined based on the first timestamp.
Step 65, obtaining the decryption initialization vector according to the time stamp and the time data when the mobile terminal receives the encrypted message.
Step 66, decrypting the encrypted data through the decryption initialization vector to obtain the data to be encrypted in the original message.
The following are apparatus embodiments of the application. For parts not specifically described in the apparatus embodiments, reference is made to the technical details disclosed in the method embodiments described above.
FIG. 7 shows a block diagram of an encryption apparatus provided by an exemplary embodiment of the present application. The encryption apparatus may be implemented as all or part of the terminal by software, hardware or a combination of both. The encryption apparatus includes:
A first obtaining module 701, configured to obtain an encryption initialization vector based on the first timestamp, where the first timestamp is determined based on a timestamp when the first device generates an encrypted message.
An encryption module 702, configured to encrypt the data to be encrypted in the original message according to the encryption initialization vector, so as to obtain encrypted data.
A message sending module 703, configured to send the encrypted message to a second device, or broadcast the encrypted message, where the encrypted message carries the encrypted data and the time data determined based on the first timestamp.
In summary, according to the technical solution provided by the embodiment of the application, the encryption initialization vector is obtained according to the first timestamp provided by the first device, and the data to be encrypted is then encrypted based on the encryption initialization vector. Because the first timestamp has a large variation span, changes irregularly, and has similar characteristics, the encryption initialization vector generated based on the first timestamp has the same characteristics. Encrypting the data to be encrypted with an encryption initialization vector having these characteristics reduces the probability that an illegal device cracks the encrypted message and improves the security of the encrypted message.
In an alternative embodiment provided based on the embodiment shown in FIG. 7, a first obtaining module 702 is configured to:
encode the first timestamp according to a preset format to obtain a first encoded timestamp;
if the number of bits included in the first encoded timestamp is smaller than the number of bits included in the initialization vector, perform bit filling processing on the first encoded timestamp to obtain a first bit-filled timestamp, where the number of bits included in the first bit-filled timestamp is the same as the number of bits included in the initialization vector;
and perform a logic operation on the first bit-filled timestamp and the initialization vector to obtain the encryption initialization vector.
Optionally, the first obtaining module 702 is configured to perform an exclusive-or operation on the first bit-filled timestamp and the initialization vector to obtain the encryption initialization vector.
In an alternative embodiment provided based on the embodiment shown in FIG. 7, when the data to be encrypted includes service data, the time data is the low n-bit data in the first timestamp, and n is smaller than the number of bits included in the first timestamp;
when the data to be encrypted does not include service data, the time data is the first timestamp.
In an alternative embodiment provided based on the embodiment shown in FIG. 7, the apparatus further comprises a first timing module (not shown in FIG. 7).
The first timing module is configured to perform timing processing on the time of the first device, where the error between the time of the first device after the timing processing and the reference time is smaller than a preset threshold.
In an alternative embodiment provided based on the embodiment shown in FIG. 7, the first device is a bluetooth device, and the second device is a mobile terminal;
the first obtaining module 701 is configured to obtain an encryption initialization vector based on a first timestamp, where the first timestamp is a timestamp when the bluetooth device generates an encrypted message.
The encryption module 702 is configured to encrypt data to be encrypted in an original message by using the encryption initialization vector, so as to obtain encrypted data.
The message sending module 703 is configured to send an encrypted message to a mobile terminal, or broadcast an encrypted message, where the encrypted message carries the encrypted data and the time data determined based on the first timestamp.
FIG. 8 shows a block diagram of a decryption apparatus according to an exemplary embodiment of the present application. The decryption apparatus may be implemented as all or part of the terminal by software, hardware or a combination of both. The decryption apparatus includes:
A message receiving module 801, configured to receive an encrypted message sent by a first device, where the encrypted message carries encrypted data and time data determined based on a first timestamp.
A second obtaining module 802, configured to obtain a decryption initialization vector according to the timestamp when the second device receives the encrypted message and the first timestamp.
A decryption module 803, configured to decrypt the encrypted data through the decryption initialization vector, thereby obtaining the data to be encrypted in the original message.
In an alternative embodiment provided based on the embodiment shown in FIG. 8, the second obtaining module 802 is configured to:
determine a second timestamp according to the timestamp when the second device receives the encrypted message and the time data;
encode the second timestamp according to a preset format to obtain a second encoded timestamp;
if the number of bits included in the second encoded timestamp is smaller than the number of bits included in the initialization vector, perform bit filling processing on the second encoded timestamp to obtain a second bit-filled timestamp, where the number of bits included in the second bit-filled timestamp is the same as the number of bits included in the initialization vector;
and perform a logic operation on the second bit-filled timestamp and the initialization vector to obtain the decryption initialization vector.
Optionally, the second obtaining module 802 is configured to:
determine at least two candidate timestamps according to the timestamp when the second device receives the encrypted message and the time data;
and determine the candidate timestamp closest to the timestamp when the second device receives the encrypted message as the second timestamp.
Optionally, when the time data is the low n-bit data in the first timestamp, the second obtaining module 802 is configured to:
replace the low n-bit data in the timestamp when the second device receives the encrypted message with the time data to obtain a first candidate timestamp;
apply a carry to the high m-bit data in the timestamp when the second device receives the encrypted message, and replace the low n-bit data in the carried timestamp with the time data to obtain a second candidate timestamp, where the high m-bit data is the data other than the low n-bit data in the timestamp when the second device receives the encrypted message, and m is a positive integer;
and apply a borrow to the high m-bit data in the timestamp when the second device receives the encrypted message, and replace the low n-bit data in the borrowed timestamp with the time data to obtain a third candidate timestamp.
Optionally, the second obtaining module 802 is configured to perform an exclusive-or operation on the second bit-filled timestamp and the initialization vector to obtain the decryption initialization vector.
In an alternative embodiment provided based on the embodiment shown in FIG. 8, the apparatus further comprises a discard module (not shown in FIG. 8) when the time data is the low n-bit data in the first timestamp.
The discard module is configured to discard the encrypted message if decryption of the encrypted data through the decryption initialization vector fails.
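The initialization vector derivation and the candidate-timestamp recovery described for modules 701 and 802, as an added example that is not part of the application. It assumes a 32-bit big-endian timestamp encoding, zero filling up to the 16-byte AES block size, n = 16, and a constructed negotiated initialization vector; all function names are hypothetical.

```python
import struct

IV_LEN = 16                        # AES block size in bytes
TS_BITS = 32                       # assumption: width of the encoded timestamp
N = 16                             # assumption: low n bits sent as time data
NEGOTIATED_IV = bytes(range(IV_LEN))   # constructed sample, not a real IV


def derive_iv(timestamp, iv=NEGOTIATED_IV):
    """Encode the timestamp, fill it to the IV length, XOR with the IV."""
    encoded = struct.pack(">I", timestamp)                 # assumed preset format
    filled = encoded + b"\x00" * (len(iv) - len(encoded))  # assumed zero filling
    return bytes(a ^ b for a, b in zip(filled, iv))


def time_data(first_ts, n=N):
    """Sender: low n bits of the first timestamp, carried in the message."""
    return first_ts & ((1 << n) - 1)


def candidate_timestamps(rx_ts, data, n=N):
    """Receiver: candidates with the high bits kept, carried and borrowed."""
    high = rx_ts >> n
    limit = 1 << (TS_BITS - n)
    return [(h << n) | data
            for h in (high, high + 1, high - 1) if 0 <= h < limit]


def recover_second_timestamp(rx_ts, data, n=N):
    """Pick the candidate closest to the receiver's own timestamp."""
    return min(candidate_timestamps(rx_ts, data, n),
               key=lambda c: abs(c - rx_ts))


def ivs_match(first_ts, rx_ts, n=N):
    """True when the receiver derives the IV the sender encrypted with."""
    second_ts = recover_second_timestamp(rx_ts, time_data(first_ts, n), n)
    return derive_iv(first_ts) == derive_iv(second_ts)


if __name__ == "__main__":
    # Constructed timestamps (seconds); the first two straddle a rollover
    # of the low 16 bits, the third has clocks 40000 s apart.
    for first_ts, rx_ts in [(0x6500FFFE, 0x65010003),
                            (0x65010003, 0x6500FFFE),
                            (0x65000000, 0x65009C40)]:
        print(hex(first_ts), hex(rx_ts), ivs_match(first_ts, rx_ts))
```

In the third case the clocks differ by more than 2^(n-1) ticks, so the receiver reconstructs a different timestamp and derives a different initialization vector, which is the situation the discard module handles. The derived vector also repeats for any two messages that carry the same first timestamp.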
In an alternative embodiment provided based on the embodiment shown in FIG. 8, the apparatus further comprises a second timing module (not shown in FIG. 8).
The second timing module is configured to:
when the encrypted message is an encrypted timing request message, if the difference between a second timestamp corresponding to the timing request message and the timestamp when the second device receives the encrypted message is greater than a preset threshold, initiate a timing flow of the first device according to the timing request message.
It should be noted that, when the apparatus provided in the foregoing embodiment performs its functions, the division into the foregoing functional modules is used only as an example. In practical application, the foregoing functions may be allocated to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules, so as to perform all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; the specific implementation processes of the apparatus are detailed in the method embodiments and are not repeated herein.
FIG. 9 is a block diagram showing the structure of a computer device according to an exemplary embodiment of the present application. The computer device of the present application may include one or more of a processor 910 and a memory 920.
Processor 910 may include one or more processing cores. The processor 910 uses various interfaces and lines to connect the various parts of the computer device, and performs the various functions of the computer device and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 920 and invoking data stored in the memory 920. Optionally, the processor 910 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field-programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 910 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), a modem, and the like. The CPU mainly handles the operating system, application programs and the like, and the modem handles wireless communication. It will be appreciated that the modem may also not be integrated into the processor 910 and may instead be implemented by a separate chip.
Optionally, the processor 910 implements the encryption method or the decryption method provided by the method embodiments described below when executing the program instructions in the memory 920.
The memory 920 may include a random access memory (Random Access Memory, RAM) or a read-only memory (Read-Only Memory, ROM). Optionally, the memory 920 includes a non-transitory computer-readable storage medium. The memory 920 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 920 may include a stored program area and a stored data area. The stored program area may store instructions for implementing an operating system, instructions for at least one function, instructions for implementing the various method embodiments described above, and the like. The stored data area may store data created according to the use of the computer device, and the like.
The structure of the computer device described above is merely illustrative, and the computer device may include more or fewer components in actual implementation, which is not limited in this embodiment.
Those skilled in the art will appreciate that the architecture shown in FIG. 9 does not limit the computer device 900, which may include more or fewer components than shown, may combine certain components, or may employ a different arrangement of components.
In an exemplary embodiment, the present application provides a computer device, where the computer device includes a bluetooth chip, and the bluetooth chip stores computer instructions for performing the encryption method or the decryption method described above.
In an exemplary embodiment, there is also provided a computer-readable storage medium having stored therein a computer program that is loaded and executed by a processor of a terminal to implement the encryption method or the decryption method in the above-described method embodiments.
Optionally, the above-mentioned computer-readable storage medium may be a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic tape, a floppy disk, an optical data storage device, or the like.
In an exemplary embodiment, there is also provided a computer program product comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the encryption method or the decryption method provided in the above aspects or in various alternative implementations of the above aspects.
It should be understood that references herein to "a plurality" are to two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate three cases: A alone, A and B together, and B alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. The terms "first," "second," and the like, as used herein, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The foregoing description of the exemplary embodiments of the application is not intended to limit the application to the particular embodiments disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the application.