



Technical field
The present application belongs to the field of communication technology, and in particular relates to an encrypted communication method and system.
Background
With the rapid development of Internet technology, more and more smart devices can connect to the Internet. On the one hand this helps people in their life, work and study; on the other hand, the security of data communication is receiving more and more attention. Encryption algorithms are widely used in the field of communication technology and mainly include symmetric encryption algorithms, asymmetric encryption algorithms and hash algorithms.
A symmetric encryption algorithm, also called a shared-key encryption algorithm, uses only one key: the sender and the receiver both use this key to encrypt and decrypt data. This approach offers higher encryption and decryption speed, but its security depends on the complexity of the key, the security of the algorithm itself, and whether the key is kept safe. Security during data transmission is comparatively low: if the key is stolen, the encryption loses its meaning.
Asymmetric encryption is also called public-key encryption. It requires two keys, one called the public key and the other called the private key. The public and private keys are generated from a corresponding elliptic curve, and data encrypted with the public key can only be decrypted with the corresponding private key. Asymmetric encryption is more secure than symmetric encryption, but encryption and decryption are comparatively slow.
A hash algorithm hashes the data to ensure the authenticity of the data during network transmission; data processed by a hash algorithm is irreversible. However, a hash algorithm itself provides no encryption or decryption of data, and can only ensure that the authenticity of the data is not compromised by tampering during network transmission.
Encrypting or hashing network traffic with a single algorithm runs into the problems specific to that algorithm. How to combine the three kinds of algorithm above to encrypt network traffic, improve the efficiency and security of data transmission, and ensure the authenticity of the transmitted data has become an urgent problem.
Summary of the invention
In view of the above technical problems, the present application provides an encrypted communication method and system to improve the efficiency and security of data transmission and to ensure the authenticity of the transmitted data.
The present application provides an encrypted communication method, comprising: a client and a server establish a connection and exchange digital certificates; the client encrypts and signs negotiation information to obtain first ciphertext information, and sends the first ciphertext information to the server; the server decrypts the first ciphertext information and verifies its signature to verify the legitimacy of the client's identity; after the client's identity has been verified as legitimate, the server generates a shared key, encrypts and signs combined information consisting of the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client; the client decrypts the second ciphertext information and verifies its signature to verify the legitimacy of the server's identity; after the server's identity has been verified as legitimate, the client and the server use the shared key for encrypted data communication.
In one embodiment, before the digital certificates are exchanged, the method includes: the client generates a first key pair using an asymmetric encryption algorithm, the first key pair comprising a first public key and a first private key; the client's digital certificate includes the first public key; the server generates a second key pair using the asymmetric encryption algorithm, the second key pair comprising a second public key and a second private key; the server's digital certificate includes the second public key.
In one embodiment, the client encrypting and signing the negotiation information to obtain the first ciphertext information includes: the client encrypts the negotiation information with the second public key and signs the encrypted negotiation information with the first private key to obtain the first ciphertext information. The step in which the server decrypts the first ciphertext information and verifies its signature to verify the legitimacy of the client's identity includes: the server verifies the signature of the first ciphertext information with the first public key and, after the signature verification passes, decrypts the first ciphertext information with the second private key to obtain the negotiation information.
In one embodiment, the step in which the server decrypts the first ciphertext information and verifies its signature to verify the legitimacy of the client's identity includes: if the negotiation information is consistent with preset information, the verification of the client's identity passes; if the negotiation information is inconsistent with the preset information, the verification of the client's identity fails.
In one embodiment, the server encrypting and signing the combined information of the negotiation information and the shared key to obtain the second ciphertext information includes: the server encrypts the combined information with the first public key and signs the encrypted combined information with the second private key to obtain the second ciphertext information. The step in which the client decrypts the second ciphertext information and verifies its signature to verify the legitimacy of the server's identity includes: the client verifies the signature of the second ciphertext information with the second public key and, after the signature verification passes, decrypts the second ciphertext information with the first private key to obtain the negotiation information and the shared key.
In one embodiment, the step in which the client decrypts the second ciphertext information and verifies its signature to verify the legitimacy of the server's identity includes: if the negotiation information is consistent with the preset information, the verification of the server's identity passes; if the negotiation information is inconsistent with the preset information, the verification of the server's identity fails.
In one embodiment, the server generating the shared key includes: the server generates the shared key using a symmetric encryption algorithm.
In one embodiment, the communication method includes: the client and the server monitor how long the digital certificates have been in use; when the client's digital certificate has been in use for longer than a first preset duration, and/or the server's digital certificate has been in use for longer than a second preset duration, the connection is dropped.
The present application also provides an encrypted data communication system comprising one server and at least one client, wherein: the client is configured to establish a connection with the server and exchange digital certificates; the client is further configured to encrypt and sign negotiation information to obtain first ciphertext information and to send the first ciphertext information to the server; the server is configured to decrypt the first ciphertext information and verify its signature to verify the legitimacy of the client's identity; after the client's identity has been verified as legitimate, the server is configured to generate a shared key, to encrypt and sign combined information consisting of the negotiation information and the shared key to obtain second ciphertext information, and to send the second ciphertext information to the client; the client is further configured to decrypt the second ciphertext information and verify its signature to verify the legitimacy of the server's identity; after the server's identity has been verified as legitimate, the client and the server are configured to use the shared key for encrypted data communication.
In one embodiment, the server comprises a first authentication unit and a first secure channel unit; the client comprises a second authentication unit and a second secure channel unit; the first authentication unit is configured to authenticate the legitimacy of the client's identity; the second authentication unit is configured to authenticate the legitimacy of the server's identity; after both the client's identity and the server's identity have been authenticated, the first secure channel unit and the second secure channel unit use the shared key for encrypted data communication.
The encrypted communication method and system provided by the present application combine the efficiency of symmetric encryption, the security of asymmetric encryption and the irreversibility of hash algorithms, which improves the efficiency and security of data transmission and ensures the authenticity of the transmitted data.
Description of drawings
FIG. 1 is a schematic flowchart of the encrypted communication method provided in Embodiment 1 of the present application;
FIG. 2 is a schematic structural diagram of the encrypted communication system provided in Embodiment 2 of the present application;
FIG. 3 is a schematic structural diagram of the server provided in Embodiment 2 of the present application;
FIG. 4 is a schematic structural diagram of the client provided in Embodiment 2 of the present application.
Detailed description
The technical solutions of the present application are described in further detail below with reference to the accompanying drawings and specific embodiments. Unless otherwise defined, all technical and scientific terms used in this application have the same meaning as commonly understood by a person skilled in the technical field to which this application belongs. The terms used in the specification of this application are for the purpose of describing specific embodiments only and are not intended to limit the application. As used herein, "and/or" includes any and all combinations of one or more of the associated listed items.
FIG. 1 is a schematic flowchart of the encrypted communication method provided in Embodiment 1 of the present application. As shown in FIG. 1, the encrypted communication method of the present application may include the following steps:
Step S101: the client and the server establish a connection and exchange digital certificates;
In one embodiment, before the digital certificates are exchanged, the method includes:
The client generates a first key pair using an asymmetric encryption algorithm; the first key pair comprises a first public key and a first private key; the client's digital certificate includes the first public key;
The server generates a second key pair using the asymmetric encryption algorithm; the second key pair comprises a second public key and a second private key; the server's digital certificate includes the second public key.
Optionally, the client's digital certificate also contains the usable duration of the client's digital certificate, that is, the validity period of the first public key; the server's digital certificate also contains the usable duration of the server's digital certificate, that is, the validity period of the second public key.
Step S102: the client encrypts and signs the negotiation information to obtain first ciphertext information, and sends the first ciphertext information to the server;
In one embodiment, the client encrypting and signing the negotiation information to obtain the first ciphertext information includes:
The client encrypts the negotiation information with the second public key and signs the encrypted negotiation information with the first private key to obtain the first ciphertext information;
Optionally, the client signs the encrypted negotiation information with the first private key by means of a hash algorithm; the negotiation information is information agreed between the client and the server and used for identity authentication.
Step S103: the server decrypts the first ciphertext information and verifies its signature to verify the legitimacy of the client's identity;
In one embodiment, step S103 includes:
The server verifies the signature of the first ciphertext information with the first public key and, after the signature verification passes, decrypts the first ciphertext information with the second private key to obtain the negotiation information.
If the negotiation information is consistent with the preset information, the verification of the client's identity passes;
If the negotiation information is inconsistent with the preset information, the verification of the client's identity fails.
Step S104: after the client's identity has been verified as legitimate, the server generates a shared key, encrypts and signs the combined information consisting of the negotiation information and the shared key to obtain second ciphertext information, and sends the second ciphertext information to the client;
In one embodiment, the server encrypting and signing the combined information of the negotiation information and the shared key to obtain the second ciphertext information includes:
The server encrypts the combined information with the first public key and signs the encrypted combined information with the second private key to obtain the second ciphertext information;
Optionally, the server signs the encrypted combined information with the second public key by means of a hash algorithm.
Step S105: the client decrypts the second ciphertext information and verifies its signature to verify the legitimacy of the server's identity;
In one embodiment, step S105 includes:
The client verifies the signature of the second ciphertext information with the second public key and, after the signature verification passes, decrypts the second ciphertext information with the first private key to obtain the negotiation information and the shared key.
If the negotiation information is consistent with the preset information, the verification of the server's identity passes;
If the negotiation information is inconsistent with the preset information, the verification of the server's identity fails.
Step S106: after the server's identity has been verified as legitimate, the client and the server use the shared key for encrypted data communication.
In one embodiment, the client and the server using the shared key for encrypted data communication includes:
The client encrypts first data with the shared key to obtain first encrypted data, and sends the first encrypted data to the server;
The server decrypts the first encrypted data with the shared key to obtain the first data; and/or
The server encrypts second data with the shared key to obtain second encrypted data, and sends the second encrypted data to the client;
The client decrypts the second encrypted data with the shared key to obtain the second data.
Optionally, the shared key is generated by a symmetric encryption algorithm.
It is worth noting that the communication method of the present application further includes: the client and the server monitor how long the digital certificates have been in use; when the client's digital certificate has been in use for longer than a first preset duration, and/or the server's digital certificate has been in use for longer than a second preset duration, the connection is dropped, and steps S101-S106 above must be performed again before communication resumes. Optionally, the first preset duration is the usable duration of the client's digital certificate; the second preset duration is the usable duration of the server's digital certificate.
Optionally, take a 7G smart box (server) and a large-screen media processing card (client) as an example. After the large-screen media processing card has connected to the 7G smart box, the card generates a digital certificate whose content includes a public key PK1 generated with the asymmetric encryption algorithm SM2 and the usable duration of the certificate, and sends the certificate to the 7G smart box. After receiving the card's digital certificate, the 7G smart box likewise generates a digital certificate whose content includes a public key PK2 generated with SM2 and the usable duration of the certificate, and sends it to the card.
The large-screen media processing card encrypts the negotiation information, such as a 7G string, with the public key PK2 from the 7G smart box's digital certificate, signs the encrypted negotiation information with the private key SK1 (which forms a key pair with PK1) by means of a hash algorithm, and sends the signed and encrypted negotiation information to the 7G smart box. On receiving the message, the 7G smart box first verifies the signature with PK1; if the signature verification succeeds, it decrypts with the private key SK2 (which forms a key pair with PK2) to obtain the negotiation information and verifies the legitimacy of the card's identity. If the negotiation information is consistent with the preset information, the verification of the card's identity passes, and the 7G smart box switches to secure mode, generates a random number as the shared key by means of the symmetric encryption algorithm SM4, encrypts the negotiation information and the shared key with PK1, signs the encrypted information with SK2, and sends it to the card.
On receiving the message, the large-screen media processing card first verifies the signature with PK2; if the signature verification succeeds, it decrypts with SK1 to obtain the negotiation information and the shared key and verifies the legitimacy of the 7G smart box's identity. If the negotiation information is consistent with the preset information, the verification of the 7G smart box's identity passes, and the card switches to secure mode. Once both the 7G smart box and the card are in secure mode, the data sender uses an encryption mode of the symmetric algorithm, such as cipher block chaining (CBC) mode, to encrypt data into ciphertext with the shared key before transmission, and the data receiver decrypts the ciphertext with the shared key to recover the plaintext.
Throughout this process, the 7G smart box and the large-screen media processing card both monitor how long the two digital certificates have been in use. If either certificate has been in use for longer than its usable duration, the monitoring party actively drops the connection.
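The S102 to S105 exchange described above, as an added example that is not code from the application. Python's standard library has no SM2, so unpadded textbook RSA with SHA-256 stands in for the asymmetric algorithm (a toy, for illustration only); the function names, the `7G` preset value and the length-prefixed layout of the combined information are assumptions.

```python
import hashlib
import hmac
import secrets

PRESET_INFO = b"7G"  # constructed: negotiation information provisioned on both sides


class HandshakeError(Exception):
    """Signature or negotiation-information check failed."""


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits=1024):
    """Return ((n, e), (n, d)): toy RSA stand-in for an SM2 key pair."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def to_bytes(value, modulus):
    return value.to_bytes((modulus.bit_length() + 7) // 8, "big")


def seal(plaintext, peer_public, own_private):
    """S102/S104: encrypt with the peer's public key, then sign the ciphertext."""
    n, e = peer_public
    m = int.from_bytes(b"\x01" + plaintext, "big")  # marker byte keeps leading zeros
    if m >= n:
        raise ValueError("plaintext too long for this toy cipher")
    ciphertext = to_bytes(pow(m, e, n), n)
    sign_n, d = own_private
    digest = int.from_bytes(hashlib.sha256(ciphertext).digest(), "big")
    return ciphertext, to_bytes(pow(digest, d, sign_n), sign_n)


def open_sealed(message, peer_public, own_private):
    """S103/S105: verify the signature first; decrypt only if it passes."""
    ciphertext, signature = message
    sign_n, e = peer_public
    digest = int.from_bytes(hashlib.sha256(ciphertext).digest(), "big")
    if pow(int.from_bytes(signature, "big"), e, sign_n) != digest:
        raise HandshakeError("signature verification failed")
    n, d = own_private
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


def client_hello(pk2, sk1):
    """S102: build the first ciphertext information."""
    return seal(PRESET_INFO, pk2, sk1)


def server_respond(first_message, pk1, sk2):
    """S103 + S104: authenticate the client, return (second message, shared key)."""
    info = open_sealed(first_message, pk1, sk2)
    if not hmac.compare_digest(info, PRESET_INFO):
        raise HandshakeError("client negotiation information mismatch")
    shared_key = secrets.token_bytes(16)  # 128 bits, the SM4 key size
    combined = bytes([len(info)]) + info + shared_key  # assumed layout
    return seal(combined, pk1, sk2), shared_key


def client_finish(second_message, pk2, sk1):
    """S105: authenticate the server and recover the shared key."""
    combined = open_sealed(second_message, pk2, sk1)
    split = 1 + combined[0]
    info, shared_key = combined[1:split], combined[split:]
    if not hmac.compare_digest(info, PRESET_INFO) or len(shared_key) != 16:
        raise HandshakeError("server negotiation information mismatch")
    return shared_key


if __name__ == "__main__":
    pk1, sk1 = generate_key_pair()  # client: first key pair
    pk2, sk2 = generate_key_pair()  # server: second key pair
    second, server_key = server_respond(client_hello(pk2, sk1), pk1, sk2)
    print("keys match:", client_finish(second, pk2, sk1) == server_key)
```

Because each side verifies before it decrypts, a modified ciphertext or a message signed with an unknown key is rejected without the private decryption key ever being applied to it.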
The communication method provided in Embodiment 1 of the present application combines the efficiency of symmetric encryption, the security of asymmetric encryption and the irreversibility of hash algorithms, effectively improving the efficiency and security of data transmission and ensuring the authenticity of the transmitted data.
FIG. 2 is a schematic structural diagram of the encrypted communication system provided in Embodiment 2 of the present application. As shown in FIG. 2, the encrypted communication system of the present application comprises one server 11 and at least one client 12;
The client 12 is configured to establish a connection with the server 11 and exchange digital certificates;
The client 12 is further configured to encrypt and sign the negotiation information to obtain first ciphertext information, and to send the first ciphertext information to the server 11;
The server 11 is configured to decrypt the first ciphertext information and verify its signature to verify the legitimacy of the identity of the client 12;
After the identity of the client 12 has been verified as legitimate, the server 11 is configured to generate a shared key, to encrypt and sign the combined information consisting of the negotiation information and the shared key to obtain second ciphertext information, and to send the second ciphertext information to the client 12;
The client 12 is further configured to decrypt the second ciphertext information and verify its signature to verify the legitimacy of the identity of the server 11;
After the identity of the server 11 has been verified as legitimate, the client 12 is configured to use the shared key for encrypted data communication with the server 11.
In one embodiment, the server 11 comprises a first authentication unit 111 and a first secure channel unit 112, as shown in FIG. 3; the client 12 comprises a second authentication unit 121 and a second secure channel unit 122, as shown in FIG. 4;
The first authentication unit 111 is configured to authenticate the legitimacy of the identity of the client 12;
The second authentication unit 121 is configured to authenticate the legitimacy of the identity of the server 11;
After both the identity of the client 12 and the identity of the server 11 have been authenticated, the first secure channel unit 112 and the second secure channel unit 122 use the shared key for encrypted data communication.
For the specific implementation of this embodiment, refer to Embodiment 1; it is not repeated here.
In the communication system provided in Embodiment 2 of the present application, after mutual identity authentication between the client and the server has passed, both parties switch to secure mode and the first secure channel unit and the second secure channel unit use the shared key for encrypted data communication. This combines the efficiency of symmetric encryption, the security of asymmetric encryption and the irreversibility of hash algorithms, effectively improving the efficiency and security of data transmission and ensuring the authenticity of the transmitted data.
The technical features of the embodiments described above may be combined arbitrarily. For brevity, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
In this document, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion: in addition to the listed elements, other elements not expressly listed may also be included.
The above are only specific embodiments of the present application, but the scope of protection of the present application is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the scope of protection of this application. The scope of protection of the present application shall therefore be subject to the scope of protection of the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210260520.0A, CN114650173A (en) | 2022-03-16 | 2022-03-16 | An encrypted communication method and system |
| Publication Number | Publication Date |
|---|---|
| CN114650173A (en) | 2022-06-21 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210260520.0APendingCN114650173A (en) | 2022-03-16 | 2022-03-16 | An encrypted communication method and system |
| Country | Link |
|---|---|
| CN (1) | CN114650173A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114826659A (en)* | 2022-03-16 | 2022-07-29 | 深圳奇迹智慧网络有限公司 | Encryption communication method and system |
| CN115457687A (en)* | 2022-09-15 | 2022-12-09 | 深圳奇迹智慧网络有限公司 | Safety configuration method and system for intelligent pole |
| CN115514480A (en)* | 2022-09-30 | 2022-12-23 | 深圳奇迹智慧网络有限公司 | A data interaction method and readable storage medium |
| CN118487881A (en)* | 2024-07-16 | 2024-08-13 | 神州医疗科技股份有限公司 | Data encryption and distribution method and system |
| CN119182588A (en)* | 2024-09-09 | 2024-12-24 | 西安热工研究院有限公司 | Symmetric encryption transmission method, device, medium and program product based on TCM |
| CN119182529A (en)* | 2024-11-21 | 2024-12-24 | 浙江正泰仪器仪表有限责任公司 | Secure transmission method, system, equipment and medium for equipment key |
| CN119182588B (en)* | 2024-09-09 | 2025-10-10 | 西安热工研究院有限公司 | Symmetric encryption transmission method, device, medium and program product based on TCM |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105991650A (en)* | 2016-01-21 | 2016-10-05 | 李明 | Secret key acquisition method and identity card information transmission method and system |
| CN110535868A (en)* | 2019-09-05 | 2019-12-03 | 山东浪潮商用系统有限公司 | Data transmission method and system based on Hybrid Encryption algorithm |
| CN111030814A (en)* | 2019-12-25 | 2020-04-17 | 杭州迪普科技股份有限公司 | Key negotiation method and device |
| CN114826659A (en)* | 2022-03-16 | 2022-07-29 | 深圳奇迹智慧网络有限公司 | Encryption communication method and system |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114826659A (en)* | 2022-03-16 | 2022-07-29 | 深圳奇迹智慧网络有限公司 | Encryption communication method and system |
| CN114826659B (en)* | 2022-03-16 | 2024-07-26 | 深圳奇迹智慧网络有限公司 | Encryption communication method and system |
| CN115457687A (en)* | 2022-09-15 | 2022-12-09 | 深圳奇迹智慧网络有限公司 | Safety configuration method and system for intelligent pole |
| CN115457687B (en)* | 2022-09-15 | 2024-05-03 | 深圳奇迹智慧网络有限公司 | Security configuration method and system for intelligent pole |
| CN115514480A (en)* | 2022-09-30 | 2022-12-23 | 深圳奇迹智慧网络有限公司 | A data interaction method and readable storage medium |
| CN118487881A (en)* | 2024-07-16 | 2024-08-13 | 神州医疗科技股份有限公司 | Data encryption and distribution method and system |
| CN118487881B (en)* | 2024-07-16 | 2024-09-20 | 神州医疗科技股份有限公司 | Data encryption and distribution method and system |
| CN119182588A (en)* | 2024-09-09 | 2024-12-24 | 西安热工研究院有限公司 | Symmetric encryption transmission method, device, medium and program product based on TCM |
| CN119182588B (en)* | 2024-09-09 | 2025-10-10 | 西安热工研究院有限公司 | Symmetric encryption transmission method, device, medium and program product based on TCM |
| CN119182529A (en)* | 2024-11-21 | 2024-12-24 | 浙江正泰仪器仪表有限责任公司 | Secure transmission method, system, equipment and medium for equipment key |
| CN119182529B (en)* | 2024-11-21 | 2025-04-01 | 浙江正泰仪器仪表有限责任公司 | Secure transmission method, system, equipment and medium for equipment key |
| Publication | Publication Date | Title |
|---|---|---|
| CN106506470B (en) | | Network data security transmission method |
| CN101459506B (en) | | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation |
| CN108199835B (en) | | Multi-party combined private key decryption method |
| CN103095696B (en) | | A kind of authentication and cryptographic key negotiation method being applicable to power information acquisition system |
| JP5307191B2 (en) | | System and method for secure transaction of data between a wireless communication device and a server |
| CN103763356B (en) | | A kind of SSL establishment of connection method, apparatus and system |
| CN114650173A (en) | | An encrypted communication method and system |
| CN105162599B (en) | | A kind of data transmission system and its transmission method |
| CN112087428B (en) | | Anti-quantum computing identity authentication system and method based on digital certificate |
| CN110020524B (en) | | A Two-way Authentication Method Based on Smart Card |
| CN114826659B (en) | | Encryption communication method and system |
| CN101997679A (en) | | Encrypted message negotiation method, equipment and network system |
| JP2009503934A (en) | | Cryptographic authentication and / or shared encryption key configuration using signature keys encrypted with non-one-time pad cryptography, including but not limited to technology with improved security against malleable attacks |
| JP2003298568A (en) | | Authenticated identification-based cryptosystem with no key escrow |
| WO2010078755A1 (en) | | Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof |
| CN108683647A (en) | | A Data Transmission Method Based on Multiple Encryption |
| CN101640590A (en) | | Method for obtaining identification cipher algorithm private key and cipher center |
| CN105245326A (en) | | A secure communication method for smart grid based on combined cipher |
| CN103905384A (en) | | Embedded inter-terminal session handshake realization method based on security digital certificate |
| CN106685969A (en) | | Hybrid-encrypted information transmission method and transmission system |
| TW201537937A (en) | | Unified identity authentication platform and authentication method thereof |
| CN112020038A (en) | | Domestic encryption terminal suitable for rail transit mobile application |
| CN112532648A (en) | | Security access method and system based on hybrid cryptosystem |
| CN118631447A (en) | | TLCP communication method and system for resisting quantum attacks |
| US7360238B2 (en) | | Method and system for authentication of a user |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20220621 |