Disclosure of Invention
The invention mainly aims to solve the technical problem that the prior communication encryption mode is single and cannot better protect communication content.
The invention provides a communication method in the aspect of access, which is applied to a communication system, wherein the communication system comprises a client system, an intermediate service system, a communication service system and a built-in key system, and the communication method comprises the following steps:
the client system sends an access request encrypted by the built-in key system to the intermediate service system;
the intermediate service system decrypts the access request through the built-in key system to obtain the decrypted access request, and determines the corresponding communication service system according to the decrypted access request;
The intermediate service system sends the decrypted access request to the corresponding communication service system, and verifies the access request through the corresponding communication service system to obtain verification result information;
the intermediate service system transmits verification result information to the client system.
Optionally, the access request includes a security level value i, where the security level value i is calculated by a hash function to obtain a hash H1, and then the hash H1 is encrypted by a first key in the built-in key system to obtain a level authentication code, and the security level value i is encrypted by a second key in the built-in key system to obtain encrypted security level information.
Optionally, the communication service system includes a private network communication service system and a beidou communication service system, the intermediate service system decrypts the access request through the built-in key system to obtain the decrypted access request, and determines, according to the decrypted access request, the corresponding communication service system includes:
Decrypting the grade authentication code through a third key acquired from the built-in key system to obtain a plaintext of a hash H1, decrypting the encrypted security grade information through a fourth key acquired from the built-in key system to extract a security grade value i, calculating the security grade value i through a hash function to obtain a hash H2, comparing the hash H2 with the hash H1, and determining whether the obtained security grade value i is true or false;
Judging whether the confirmed security level value i is larger than a preset level boundary value k, wherein i is more than 0;
if the security level value i is greater than a preset level boundary value k, transmitting an access request to the Beidou communication service system;
if the security level value i is not greater than the preset level boundary value k, transmitting the access request to the private network communication service system.
Optionally, the access request further includes a digital signature, and the verifying the access request through the corresponding communication service system includes:
Designating a prime number domain Z, selecting a curve E (p, a, b, q) in the prime number domain Z, and generating a point A of a cyclic group of prime number order q by using the curve E (p, a, b, q), wherein p is a modulus, a and b are coefficients, and q is the prime number order of the cyclic group of the prime number domain Z;
Deriving a point B from the point a and an obtained random integer d by the formula b=da, and determining a public key kpub = (p, a, B, q, a, B) and a private key kpr = (d), wherein the random integer d has a value range of (0, q);
deriving a point R by the formula r=kE a based on the point a and selecting an integer as the random temporary key kE, wherein the value range of the random temporary key kE is (0, q);
By the formulaAnd calculating a signature parameter s, wherein R is a definition variable and is assigned by coordinates of a point R, and h is a hash value of the request information.
Optionally, the verifying the access request through the corresponding communication service system further includes:
Defining an auxiliary value w, an auxiliary value u1 and an auxiliary value u2, respectively assigning values by the formulas w≡s-1modq、u1 ≡w-hmodq and u2 ≡w-rmodq, and calculating the coordinates of the point P by p=u1A+u2 B;
According to the formulaAnd r=kE a, r=p can be derived;
Determining whether xP is equivalent to rmodq;
If the digital signature is equivalent, judging the digital signature as valid;
if not, the digital signature is judged to be invalid.
Optionally, the obtaining verification result information includes:
judging whether the digital signature is valid or not;
If the encryption result information is valid, the corresponding communication service system outputs and takes the encryption result information as verification result information, wherein the encryption result information is obtained by respectively and sequentially encrypting, decrypting and encrypting the result information by a key a1, a key a2 and a key a3 provided in a built-in key system;
if the communication service system is invalid, the corresponding communication service system outputs and takes the invalid verification information as verification result information, wherein encryption operation does not exist by taking the invalid verification information as the verification result information.
A second aspect of the present invention provides a communication system comprising:
The client system is used for sending an access request and receiving verification result information;
The built-in key system is used for encrypting and decrypting the access request;
the intermediate service system is used for receiving the access request, determining the corresponding communication service system according to the access request and transmitting verification result information;
And the communication service system is used for verifying the decrypted access request and sending verification result information.
A third aspect of the present invention provides a communication apparatus comprising: a memory and at least one processor, the memory having instructions stored therein, the memory and the at least one processor being interconnected by a line;
The at least one processor invokes the instructions in the memory to cause the device to perform the communication method as described above.
A fourth aspect of the present invention provides a computer readable storage medium for communication, the computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the above-described communication method.
In the technical scheme provided by the invention, the access request of the client system is decrypted and judged through the intermediate service system, the target communication service system is determined, the access request is transmitted to the corresponding communication service system, the access request is verified through the corresponding communication service system, the verification result information is encrypted and fed back to the intermediate service system, the intermediate service system transmits the verification result information to the client system, and the communication process is transmitted through three times of encryption so as to improve the communication safety.
Detailed Description
The embodiment of the invention provides a communication method, a communication system, a communication device and a storage medium.
The terms "access", "second", "third", "fourth", and the like in the description and in the claims and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
For easy understanding, the following describes a specific flow of an embodiment of the present invention, referring to fig. 1, and an embodiment of a communication method in an embodiment of the present invention, the communication device includes: an error microphone and a speaker, the communication method comprising:
101. The client system sends an access request encrypted by the built-in key system to the intermediate service system;
further, the "access request" includes the following:
The access request comprises a security level value i, wherein the security level value i obtains a hash H1 through hash function operation, encrypts the hash H1 through a first key in a built-in key system to obtain a level authentication code, and the security level value i is encrypted through a second key in the built-in key system to obtain encrypted security level information.
In this embodiment, the security level value i is used as a judgment value for selecting to access to different communication service systems, and before the information of the access request is transmitted, different security level values i are correspondingly generated by an internal random value generator according to the difference of the access target service systems selected by the user, wherein a number of value fields are given in the value generator so as to avoid unnecessary waste of calculation resources caused by too large or too small value generated randomly, and furthermore, in order to avoid hijacking or tampering in the process of transmitting the data to the intermediate server, the security level value i is calculated and a unique authentication code is generated by a hash function alone.
102. The intermediate service system decrypts the access request through the built-in key system to obtain the decrypted access request, and determines the corresponding communication service system according to the decrypted access request;
Further, as shown in fig. 2, the step 102 further includes the following steps:
1021. Decrypting the grade authentication code through a third key acquired from the built-in key system to obtain a plaintext of a hash H1, decrypting the encrypted security grade information through a fourth key acquired from the built-in key system to extract a security grade value i, calculating the security grade value i through a hash function to obtain a hash H2, comparing the hash H2 with the hash H1, and determining whether the obtained security grade value i is true or false;
In this embodiment, after receiving the information transmitted by the client system, the intermediate service system only analyzes and judges the security level value i and the level authentication code thereof in the information, extracts the level authentication code alone, decrypts the level authentication code by using a second key obtained from the built-in key system to obtain a hash H1, calculates the security level value i by using a hash function to obtain a hash H2, compares two sets of hashes, if the two sets of hashes are inconsistent, the authentication fails, the request of the client system for accessing the system is refused, and if the two sets of hashes are consistent, the following steps are performed.
1022. Judging whether the confirmed security level value i is larger than a preset level boundary value k, wherein i is more than 0;
1023. If the security level value i is greater than a preset level boundary value k, transmitting an access request to the Beidou communication service system;
1024. if the security level value i is not greater than the preset level boundary value k, transmitting the access request to the private network communication service system.
In step 1022-1024, the level boundary value k is a value preset in the system in advance, and is used for dividing the critical values of different communication service systems, in this embodiment, the private network communication service system and the beidou communication service system.
103. The intermediate service system sends the decrypted access request to the corresponding communication service system, and verifies the access request through the corresponding communication service system to obtain verification result information;
In this embodiment, the access request further includes a digital signature, and further security is ensured for the access request through the digital signature.
Further, as shown in fig. 3-fig. 4, the step 103 further includes the following steps:
1031. Designating a prime number domain Z, selecting a curve E (p, a, b, q) in the prime number domain Z, and generating a point A of a cyclic group of prime number order q by using the curve E (p, a, b, q), wherein p is a modulus, a and b are coefficients, and q is the prime number order of the cyclic group of the prime number domain Z;
1032. deriving a point B from the point a and an obtained random integer d by the formula b=da, and determining a public key kpub = (p, a, B, q, a, B) and a private key kpr = (d), wherein the random integer d has a value range of (0, q);
In the steps 1031-1032, the digital signature key is generated, the private key and the public key are not directly obtained from the built-in key system, but are calculated according to a randomly generated integer d and a point A obtained by a curve E (p, a, B, q) in a specified prime number domain Z, so as to obtain a point B, wherein the integer d is the private key, the point B is the public key, and the value of the integer d can be increased to more than 160 bits in order to improve the security level.
1033. Deriving a point R by the formula r=kE a based on the point a and selecting an integer as the random temporary key kE, wherein the value range of the random temporary key kE is (0, q);
1034. by the formulaAnd calculating a signature parameter s, wherein R is a definition variable and is assigned by the x coordinate of a point R, and h is a hash value of the request information.
In 1033-1034 steps, signature generation is performed, an integer is randomly selected as a temporary key, and a point R coordinate is obtained, wherein h is a hash value of the request information, so that when the request information is changed, the hash value of the request information is changed to be completely different from the previous value, and the request information can be effectively protected in operation.
1035. Defining an auxiliary value w, an auxiliary value u1 and an auxiliary value u2, respectively assigning values by the formulas w≡s-1modq、u1 ≡w-hmodq and u2 ≡w-rmodq, and calculating the coordinates of the point P by p=u1A+u2 B;
1036. According to the formulaAnd r=kE a, r=p can be derived;
1037. Determining whether xP is equivalent to rmodq;
1038. if the digital signature is equivalent, judging the digital signature as valid;
1039. if not, judging that the digital signature is invalid;
In 1033-1039, the target communication service system verifies the received mathematical signature, wherein the target communication service system mainly needs to verify whether the signature (r, s) satisfies r≡xp modq, calculates the coordinates of the point P through the defined auxiliary values w, u1 and u2, and judges whether the point P is in the signed cyclic group, thereby completing the verification.
Further, the "get authentication result information" of step 103 may further be performed:
103a, judging whether the digital signature is valid;
103b, if the information is valid, the corresponding communication service system outputs verification result information taking encryption result information as verification result information, wherein the encryption result information is obtained by respectively and sequentially encrypting, decrypting and encrypting the verification passing information by a key a1, a key a2 and a key a3 provided in a built-in key system;
103c, if the communication service system is invalid, outputting verification result information which takes invalid verification information as verification failure information by the corresponding communication service system, wherein the invalid verification information is verification failure information.
The step 103a-103c is that the corresponding communication service system performs feedback after verifying the mathematical signature and performs encryption processing on the feedback, wherein the feedback is encrypted after having conditional restrictions on the encryption processing, and the digital signature needs to be verified, and the feedback is encrypted only after the digital signature passes, because after the digital signature passes, the corresponding communication service system can send out information of successful verification, and also can send corresponding communication interface information together, so that the communication interface information is not required to be leaked, the encryption processing is required, the encryption algorithm is 3DES, encryption, decryption and encryption are sequentially performed through three different keys a1、a2 and a3, and the information of failed verification is directly fed back after the mathematical signature verification is not passed, and because the information does not add the communication interface information, the information is directly sent to the intermediate service system without encryption.
104. The intermediate service system transmits verification result information to the client system;
in this embodiment, after receiving the verification result information, the intermediate service system does not read the content of the verification result information, but directly transmits the content to the client system, and the client system analyzes the verification result information.
The specific mode of the client system for analyzing the verification result information is as follows:
Judging whether the verification result information is encrypted or not;
specifically, since only one encryption condition is that the digital signature passes verification, the received information without encryption is regarded as the verification is not passed at all;
If the encrypted verification result information is received, re-acquiring the key a3, the key a2 and the key a1 from the built-in key system, decrypting, encrypting and decrypting the encrypted result information according to the key a3, the key a2 and the key a1 respectively and sequentially to obtain the verification result information and the communication interface information, and establishing an encrypted communication channel with the corresponding communication service system by directly crossing the intermediate service system through the communication interface information.
The method comprises the steps of decrypting and judging an access request of a client system through an intermediate service system, determining a target communication service system, transmitting the access request into a corresponding communication service system, verifying the access request through the corresponding communication service system, encrypting and feeding back verification result information to the intermediate service system, and transmitting the verification result information to the client system through the intermediate service system, wherein the communication process is transmitted through three times of encryption, so that the communication safety is improved.
The communication method in the embodiment of the present invention is described above, and the communication system in the embodiment of the present invention is described below, where one embodiment of the communication system in the embodiment of the present invention includes:
201. the client system is used for sending an access request and receiving verification result information;
202. The built-in key system is used for encrypting and decrypting the access request;
203. The intermediate service system is used for receiving the access request, determining the corresponding communication service system according to the access request and transmitting verification result information;
204. and the communication service system is used for verifying the decrypted access request and sending verification result information.
In this embodiment, the access request in the client system includes a security level value i, where the security level value i is calculated in advance by a hash function to obtain a hash H1, the hash H1 is encrypted by a first key in the built-in key system to obtain a level authentication code, the security level value itself is encrypted by a second key in the built-in key system to obtain encrypted security level information, the level authentication code and the encrypted security level information are spliced, the access request is transmitted to the intermediate service system, the intermediate service system disassembles the level authentication code and the encrypted security level information in the access request, decrypts the level authentication code and the encrypted security level information by a third key and a fourth key in the built-in key system, respectively, to obtain a hash H1 and a security level value, calculates the security level value i by the hash function to obtain a hash H2, compares the hash H1 and the hash H2, and confirms the authenticity of the obtained security level value i;
After confirming the correctness of the security level value, judging the security level value i and a preset level boundary value k, and sending an access request to a corresponding communication service system after judging the communication service system corresponding to the security level value i;
After receiving the access request, the corresponding communication service system verifies and decrypts the digital signature of the access request, and respectively generates different results after verifying the digital signature, wherein the verification results comprise passing and failing, the corresponding communication service system outputs verification passing information and communication interface information according to the passing verification results, the verification passing information and the communication interface information are encrypted, the encryption mode is that a key a1, a key a2 and a key a3 in a built-in key system are used for encrypting, decrypting and encrypting the verification passing information and the communication interface information, the obtained encryption result information is transmitted to an intermediate service system as verification result information, the corresponding communication service system outputs verification failing information according to the failing verification result, and invalid verification information is directly transmitted to the intermediate service system as verification result information and is not encrypted;
the intermediate service system analyzes the received verification result information, wherein, as only invalid verification information is not encrypted, only whether the verification result information is invalid verification information is needed to be analyzed, if yes, the connection between the client system and the corresponding communication service system is disconnected, and if not, the verification result information is fed back to the client system.
The client system receives the verification result information of the encryption result information, obtains verification passing information and communication interface information by obtaining a key a1, a key a2 and a key a3 in the built-in key system, and respectively and sequentially decrypts, encrypts and decrypts the encryption result information according to the key a3, the key a2 and the key a1, and directly establishes an encryption communication channel with the corresponding communication service system through the communication interface information.
The method comprises the steps of decrypting and judging an access request of a client system through an intermediate service system, determining a target communication service system, transmitting the access request into a corresponding communication service system, verifying the access request through the corresponding communication service system, encrypting and feeding back verification result information to the intermediate service system, and transmitting the verification result information to the client system through the intermediate service system, wherein the communication process is transmitted through three times of encryption, so that the communication safety is improved.
Fig. 5 above describes the communication system in detail from the point of view of the modularized functional entity, and the following describes the communication device in detail from the point of view of hardware processing.
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present invention, where the communication device 300 may have a relatively large difference due to different configurations or performances, and may include one or more processors (central processing units, CPU) 310 (e.g., one or more processors) and a memory 320, and one or more storage mediums 330 (e.g., one or more mass storage devices) storing application programs 333 or data 332. Wherein memory 320 and storage medium 330 may be transitory or persistent storage. The program stored in the storage medium 330 may include one or more modules (not shown), each of which may include a series of instruction operations in the communication device 300. Still further, the processor 310 may be configured to communicate with the storage medium 330 and execute a series of instruction operations in the storage medium 230 on the communication device 300.
The communications device 300 may also include one or more power supplies 340, one or more wired or wireless network interfaces 350, one or more input/output interfaces 360, and/or one or more operating systems 331, such as Windows Serve, mac OS, uni, linu, freeBSD, etc. It will be appreciated by those skilled in the art that the communication device structure shown in fig. 5 is not limiting on the communication device basis and may include more or fewer components than shown, or may combine certain components, or may be arranged in different components.
The present invention also provides a computer readable storage medium, which may be a non-volatile computer readable storage medium, or may be a volatile computer readable storage medium, in which instructions are stored which, when executed on a computer, cause the computer to perform the steps of the communication method and system.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system or the unit described above may refer to the corresponding process in the foregoing method embodiment, which is not repeated herein.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a service system, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.