CN104023013B - Data transmission method, server side and client - Google Patents
Data transmission method, server side and client Download PDFInfo
- Publication number
- CN104023013B CN104023013B CN201410240981.7A CN201410240981A CN104023013B CN 104023013 B CN104023013 B CN 104023013B CN 201410240981 A CN201410240981 A CN 201410240981A CN 104023013 B CN104023013 B CN 104023013B
- Authority
- CN
- China
- Prior art keywords
- service end
- client
- key
- rsa
- diffie
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
The invention discloses a data transmission method, a server side and a client. The data transmission method comprises the following steps that: the server side and the client carry out information interaction through an authentication protocol, and perform identity authentication with each other; a session key is generated by the server side and the client through a key exchange protocol; a data packet to be transmitted is encrypted by the client through adopting an encryption algorithm and the session key, and the encrypted data packet is transmitted to the server side; and the received encrypted data packet is decrypted by the server side through utilizing the session key and the encryption algorithm, and the corresponding operation is executed. According to the scheme, unidirectional transmission of the transmitted data packet from the client to the server side can be implemented, establishing process is simple, and the computing resource is effectively saved, so that the data transmission is safer and more reliable.
Description
Technical field
The present invention relates to technical field of data transmission, more particularly to a kind of data transmission method, service end and client.
Background technology
Network pipeline is operated, and is a kind of network one-way data transmission method, can will be defeated by the standard of client
Enter the data for obtaining, transmit to service end, and exported to standard output by service end.If coordinating pipeline (pipeline) to use,
The standard output of upstream program can just be transmitted the standard input of downstream program to distance host, similar to by POSIX systems
Pipeline mechanism networking in system, therefore referred to as network pipeline.
In prior art, the network pipeline operation between different clients and service end is realized, generally can be adopted following
Two methods:One kind is using VPN (virtual private network) (Virtual Private Network, VPN) or SSH (Secure
Shell, safety shell protocol) (TCP-PIPE increases income program for one, and the program is by Daniel.B in 2004 8 with TCP-PIPE
The moon 11 was registered on SourceForge.net, for carrying out Remote Pipe operation between client and service end) combine
Mode;Another kind is that the data transfer between service end and client is realized using SSH and pipeline.
But, above-mentioned two methods, or because the data to transmitting are without encryption, needs build and maintain
Not interruptable escape way, and there is a problem that wasting computing resource;Or need to rely on the not high RPC of safety
(Remote Procedure Call Protocol, remote procedure call protocol) is serviced, and there is a problem of that safety is poor;
Or operation flow is not met, and cause easily to produce the problem of maloperation, and above two method does not support multi-client
The concurrently-transmitted data between single service end.
The content of the invention
The problem that the embodiment of the present invention is solved is how safely to be entered between client and service end using Remote Pipe
The unidirectional data transfer of row.
To solve the above problems, a kind of data transmission method is embodiments provided, methods described includes:
Service end carries out information exchange with client by authentication protocol, mutually carries out authentication and specifically includes:By institute
State service end RSA private key and client RSA public key be stored in the service end, client RSA public key by client identity
Data directory, the client RSA private key and service end RSA public key are stored in the client, and service end RSA is public
Key is indexed by the identity data of service end, the service end RSA public key and service end RSA private key, the client RSA public key and
Client RSA private key is respectively adopted RSA Algorithm generation;The client sends the identity data of itself to the service end,
Service request is sent to the service end;The identity data of the client that the service end is sent according to client determines client
End RSA public keys, and the identity data of the random identification of client RSA public key encryption first and service end determined by use, and will
The plaintext of the identity data of service end is sent to the visitor with the identity data of the first random identification through encrypting and service end
Family end;The client decrypts Jing using the client RSA private key corresponding with the client RSA public key of itself storage
The first random identification of encryption and the identity data of the service end are crossed, the identity data of service end that obtains when decryption and is connect
When the plaintext of the identity data of the service end of receipts is consistent, the client is to the service end authentication success;The client
When end is successful to the service end authentication, the identity data of service end determines service end RSA public key described in the client,
And the random identification of service end RSA public key encryption second determined by use, and send to the service end, the described second random mark
Know and generated according to first random identification that decryption is obtained for the client;The service end uses itself storage and institute
State the corresponding service end RSA private key of service end RSA public key, decryption through encryption the second random identification, when decryption is obtained
Second random identification is identical according to calculated second random identification of the first random identification that decryption is obtained with the service end
When, it was demonstrated that the second random identification through encryption for being received is produced for this session, and the service end is to the client
Authentication success;The service end and client generate session key by IKE;
The client is encrypted using AES and the session key to packet waiting for transmission, and will be passed through
The packet of encryption is transmitted to the service end;
The service end decrypts the received packet through encryption using the session key and AES, and holds
The corresponding operation of row.
Alternatively, the service end and client generate session key by IKE, including:
The service end uses client RSA public key encryption Diffie-Hellman public keys, service end Diffie-
Hellman public keys and second random identification, and send to the client, the Diffie-Hellman public keys are by described
Service end is generated, and the service end Diffie-Hellman public key utilizes the Diffie-Hellman public keys by the service end
Generate with the service end Diffie-Hellman private key generated according to the Diffie-Hellman public keys;
The client uses the client RSA private key corresponding with the client RSA public key, decrypts through the visitor
The Diffie-Hellman public keys of family end RSA public key encryptions, service end Diffie-Hellman public key and the second random identification;
When decryption obtains correct second random identification, the Diffie-Hellman that the client is obtained according to decryption
Public key and service end Diffie-Hellman public key calculate session key;
The client uses service end RSA public key encryption client Diffie-Hellman public key and described second random
Mark, and send to the service end, wherein, the client Diffie-Hellman public key is by the client according to decryption
The Diffie-Hellman public keys for obtaining and client Diffie- generated according to the Diffie-Hellman public keys
Hellman private keys are generated;
The service end uses the service end RSA private key corresponding with the service end RSA public key, decrypts described through clothes
The client Diffie-Hellman public key and the second random identification of business end RSA public key encryptions;
When correct second random identification is obtained, the service end is according to the Diffie-Hellman public keys and decryption
Obtain the client Diffie-Hellman public key and calculate session key;
The service end encrypts described second random using itself calculated session key and the first stream cipher algorithm
Mark generates the random identification of ciphertext second, and using the random identification of the ciphertext second and the second stream cipher algorithm encrypted authentication number
According to, and send to the client;
The client generates ciphertext second using itself calculated session key and first stream cipher algorithm
Random identification, and it is described through service end encryption using the random identification of the ciphertext second and second stream cipher algorithm decryption
Checking data, when data are correctly verified, it was demonstrated that the service end and the client have been calculated correctly
Session key.
Alternatively, the client is encrypted using AES and the session key to packet waiting for transmission,
And will transmit to the service end through the packet of encryption, including:
The client is obtained using first stream cipher algorithm and the second random identification described in the session key
To the random identification of the ciphertext second;
The client is using second stream cipher algorithm and the random identification of the ciphertext second to data waiting for transmission
Bag is encrypted, and generates ciphertext packet, and the packet waiting for transmission includes command information, information and digital A.L.S.
Breath, wherein, the command information indicates that the service end performs corresponding operation, and the information will be passed by the service end
Transport to standard output, the digital signature information is to encrypt the command information, information and the using Digital Signature Algorithm
Two random identifications are generated.
Alternatively, the service end is encrypted using what the session key and AES decryption were received through client
Packet, and perform corresponding operation, including:
The service end is raw using first stream cipher algorithm and the second random identification described in the session key
Into the random identification of the ciphertext second;
The service end decrypts the ciphertext number using second stream cipher algorithm and the random identification of the ciphertext second
According to bag, the command information, information and digital signature information are obtained;
The digital signature information is verified using the Digital Signature Algorithm;
When verifying that the digital signature information is correct, the service end performs corresponding according to the command information that decryption is obtained
Operation.
Alternatively, when verifying that the digital signature information is correct, the command information that the service end is obtained according to decryption
Corresponding operation is performed, including:
When the command information is the first numerical value, the service end is any for the information that decryption is obtained is not performed
Operation;
When the command information is second value, the service end is interrupted and the client after receiving data terminates
The connection at end, and serve port is persistently monitored, to determine whether new service request;
When the command information is third value, the service end is interrupted and the client after receiving data terminates
The connection at end is simultaneously exited;
When the command information is four numerical value, the service end decompression is described to decrypt the information for obtaining;
When the command information is five numerical value, the service end request is with the client again through the key
Exchange agreement generates new session key.
Alternatively, the command information be located at the data to be transmitted bag the first byte, and from the client to
Corresponding numerical value is set at the end of the service end transmission data.
Alternatively, when the client reaches predetermined threshold value to the data volume that the service end is transmitted, the client
The command information is set to into the 5th numerical value, the service end and the client generate new again through IKE
Session key.
Alternatively, the client is more than one.
The embodiment of the present invention additionally provides a kind of service end, including:
First identification authenticating unit, is suitable to carry out information exchange by authentication protocol and client, and the client is entered
Row authentication, including:First storing sub-units, are suitable to storage service end RSA private keys and client RSA public key, client RSA
Public key is indexed by the identity data of the client, wherein, the service end RSA public key and service end RSA private key constitute service
End RSA key pair, the client RSA private key and client RSA public key constitute client RSA key pair, service end RSA
Key pair and client RSA key are generated to RSA Algorithm is respectively adopted, and the client RSA private key and service end RSA public key are deposited
It is stored in the client, the service end RSA public key is indexed by the identity data of service end;First encryption sub-unit operable, is suitable to
The client RSA public key stored in the first storing sub-units is determined according to the identity data of the client for being received, and uses institute
It is determined that the random identification of client RSA public key encryption first and the service end identity data, and by the identity number of service end
According to plaintext send to the client with the first random identification and the identity data of service end through encryption;First receives son
Unit, is suitable to receive the second random identification of the service end RSA public key encryption that client is determined using the identity data of service end;
First decryption subelement, is suitable for use with the service end RSA private key stored in first storing sub-units, decrypts through client
Using second random identification of service end RSA public key encryption, when the second random identification that decryption is obtained, and according to described the
When calculated second random identification of one random identification is identical, it was demonstrated that the second random identification through encryption for being received is this
Secondary session is produced, and to the authentication success of the client;
First key crosspoint, is suitable to generate session key by IKE with the client;
Receiving unit, is suitable to receive the packet that client uses AES and the session key;
Decryption unit, is adapted in use to the session key and the AES of the generation of first key crosspoint, decrypts institute
State the packet through client encryption that receiving unit is received;
Performance element, is suitable to the packet for obtaining and obtaining according to decryption unit decryption, performs corresponding operation.
Alternatively, the first key crosspoint includes:
First generates subelement, is suitable to generate Diffie-Hellman public keys, service according to Diffie-Hellman algorithms
End Diffie-Hellman private keys and service end Diffie-Hellman public key, the Diffie-Hellman public keys are by the clothes
Business end generates, the service end Diffie-Hellman public key by the service end using the Diffie-Hellman public keys and
Generated according to the service end Diffie-Hellman private key that the Diffie-Hellman public keys are generated;
Second receiving subelement, is suitable to receive the identity data of the client that the client is sended over, and receives
The service request that the client sends;
Second encryption sub-unit operable, is adapted in use to the identity data according to the client of second receiving subelement reception true
Determine client RSA public key, and client RSA public key encryption first determined by use generates the Diffie- that subelement is generated
Hellman public keys, service end Diffie-Hellman public key and second random identification;
First sends subelement, the Diffie-Hellman public keys that are suitable to will to encrypt through second encryption sub-unit operable,
Service end Diffie-Hellman public key and second random identification are sent to the client;
3rd receiving subelement, is suitable to receive the service end that the identity data of the use service end that client sends determines
The client Diffie-Hellman public key of RSA public key encryptions and second random identification;
Second decryption subelement, is adapted in use to the service end RSA private key that stored in the first storing sub-units to described the
It is public using client Diffie-Hellman of service end RSA public key encryption through the client that three receiving subelements are received
Key and second random identification;
First computation subunit, is suitable to when the described second decryption subelement decryption obtains correct second random identification
When, obtain client Diffie-Hellman using the Diffie-Hellman public keys and the second decryption subelement decryption
Public key session key;
3rd encryption sub-unit operable, be adapted in use to session key that first computation subunit calculates and it is first-class plus
Second random identification described in close algorithm for encryption, generates the random identification of ciphertext second, and using the random identification of the ciphertext second and
Second stream cipher algorithm encrypted authentication data, and send to the client.
The receiving unit includes:4th receiving subelement, is suitable to receive client using second stream cipher algorithm
Data Packet Encryption waiting for transmission is generated ciphertext packet with the random identification of the ciphertext second, the packet waiting for transmission
Including command information, information and digital signature information, wherein, it is corresponding that the command information indicates that the service end is performed
Operation, the information will be transmitted to standard output by the service end, and the digital signature information is to adopt digital signature
Command information, information and second random identification are generated described in algorithm for encryption.
Alternatively, the decryption unit includes:
3rd decryption subelement, be suitable for use with described in first stream cipher algorithm and the session key second with
Machine is identified, and generates the random identification of ciphertext second, and is marked at random using second stream cipher algorithm and the ciphertext second
Know the decryption ciphertext packet, obtain the command information, information and digital signature information;
Digital signature authentication unit, is suitable for use with Digital Signature Algorithm checking the described 3rd and decrypts subelement
The digital signature information for arriving;
Subelement is performed, is suitable to when the digital signature authentication unit verifies that the digital signature information is correct, according to
The command information that decryption is obtained performs corresponding operation.
Alternatively, the execution subelement includes:
First performing module, is suitable to, when the command information is the first numerical value, to described the information for obtaining be decrypted
Any operation is not performed;
Second performing module, is suitable to, when the command information is second value, interrupt the connection with the client, and
Serve port is persistently monitored, to determine whether new service request;
3rd performing module, is suitable to, when the command information is third value, interrupt with the connection of the client simultaneously
Exit;
4th performing module, is suitable to when the command information is four numerical value, the information that decompression decryption is obtained;
5th performing module, when the command information is five numerical value, request passes through with client again session key
The IKE generates new session key.
The embodiment of the present invention additionally provides a kind of client, including:
Second identification authenticating unit, is suitable to carry out information exchange by authentication protocol and service end, and the service end is entered
Row authentication, including:Second storing sub-units, are suitable to store client RSA private key and service end RSA public key, service end RSA
Public key is indexed by the identity data of the service end, wherein, the client RSA private key and client RSA public key constitute client
End RSA key pair, the service end RSA public key and service end RSA private key constitute service end RSA key pair, service end RSA
, to being generated using RSA Algorithm, the service end RSA private key and client RSA public key are stored in for key pair and service end RSA key
In the service end, the client RSA public key is indexed by the identity data of the client;Second sends subelement, is suitable to
The identity data of the client is sent to the service end, to the service end service request is sent;5th receives son list
Unit, is suitable to receive client RSA that the service end is determined using the second identity data for sending the client that subelement sends
The identity data of the service end of public key encryption and the first random identification;3rd decryption subelement, is suitable for use with second storage
The client RSA private key corresponding with client RSA public key stored in subelement, decrypts the 5th receiving subelement and receives
Through service end using client RSA public key encryption service end identity data and the first random identification, when decryption is obtained
Service end identity data it is consistent with the plaintext of the identity data of the service end for being received when, the client is to the service
End authentication success;4th encryption sub-unit operable, is suitable to when the described 3rd decryption subelement is for the identity of the service end is recognized
When demonstrate,proving successfully, second storage is determined using the identity data of the service end obtained according to the 3rd decryption subelement decryption
The service end RSA public key stored in subelement, and the random identification of service end RSA public key encryption second determined by use, concurrently
The service end is delivered to, second random identification is the first random identification life obtained according to the 3rd decryption subelement decryption
Into;
Second key exchange unit, is suitable to exchange association by key with the service end through the second identification authenticating unit certification
View generates session key;
Ciphering unit, the session key for being suitable for use with the second key exchange unit generation enters to packet waiting for transmission
Row encryption, and will transmit to the service end through the packet of encryption.
Alternatively, second key exchange unit includes:
6th receiving subelement, is suitable to receive the Diffie- that client RSA public key encryption is used through the service end
Hellman public keys, service end Diffie-Hellman public key and second random identification, the Diffie-Hellman public keys
Generated by the service end, the service end Diffie-Hellman public key utilizes the Diffie- by the service end
Hellman public keys and the service end Diffie-Hellman private key generated according to the Diffie-Hellman public keys are generated;
4th decryption subelement, is adapted in use to the corresponding with the client RSA public key of the second storing sub-units storage
Client RSA private key, decrypt the Diffie- through client RSA public key encryption that the 6th receiving subelement is received
Hellman public keys, service end Diffie-Hellman public key and second random identification;
Second generates subelement, and the Diffie-Hellman public keys for being suitable to be obtained according to the 4th decryption subelement decryption are generated
Client Diffie-Hellman private key, and it is private according to the Diffie-Hellman public keys and client Diffie-Hellman
Key generates client Diffie-Hellman public key;
Second computation subunit, is suitable to when the described 4th decryption subelement decryption obtains correct second random identification,
The Diffie-Hellman public keys obtained according to the described 4th decryption subelement decryption and service end Diffie-Hellman
Public key session key;
5th encryption sub-unit operable, is adapted in use to the service end RSA public key stored in the second storing sub-units, encrypts described the
Two generate client Diffie-Hellman public key and second random identification that subelement is generated, and send to the service
End;
7th receiving subelement, is suitable to receive service end using described in the first stream cipher algorithm and the session key
Second random identification, generates the random identification of ciphertext second, and using the random identification of the ciphertext second and the second stream cipher algorithm
The checking data of encryption;
5th decryption subelement, is adapted in use to the calculated session key of the second computation subunit and the first stream encryption to calculate
Method encrypts the second random identification, generates the random identification of ciphertext second, and is added using the random identification of the ciphertext second and second
Close algorithm, decrypts the checking data through service end encryption of the 6th receiving subelement reception, correct when obtaining
During checking data, it was demonstrated that the client and the service end have calculated correct session key.
Alternatively, the ciphering unit includes:
Information input subelement, is suitable to be input into information waiting for transmission;
6th encryption sub-unit operable, be adapted in use to the session key and first stream cipher algorithm encryption described second with
Machine is identified, and obtains the random identification of ciphertext second;
Signature generates subelement, is suitable for use with Digital Signature Algorithm encrypted instruction information, the information and described the
Two random identifications, generate digital signature information;
7th encryption sub-unit operable, be suitable for use with ciphertext that the second stream cipher algorithm and the 6th encryption sub-unit operable obtain with
Machine mark encryption packet waiting for transmission, generates ciphertext packet, and the data to be transmitted bag includes the command information, message
Information and the signature generate the digital signature information that subelement is generated, wherein, the command information indicates that the service end is held
The corresponding operation of row, the information will be transmitted to standard output by the service end;
3rd sends subelement, is suitable to the ciphertext packet that the 7th encryption sub-unit operable is generated be sent to the service
End.
Alternatively, the ciphering unit also includes:Instruction arranges subelement, is suitable to send subelement to clothes the described 3rd
At the end of business end transmission data, the command information is set to into corresponding numerical value.
Alternatively, corresponding numerical value includes the first numerical value, second value, third value, the 4th numerical value or the 5th
Numerical value;
When the command information is the first numerical value, indicate that service end is not performed for the information that the decryption is obtained
Any operation;
When the command information is second value, indicate that service end interrupts the connection with client, and indicate service end
Serve port is persistently monitored, to determine whether service request;
When the command information is third value, indicate that service end is interrupted the connection with the client and exited;
When the command information is four numerical value, the information that service end decompression decryption is obtained is indicated;
When the command information is five numerical value, indicate that service end is exchanged with key is re-started, generate new session
Key.
Alternatively, the ciphering unit also includes:Statistics subelement, is suitable to statistics the 3rd transmission subelement and is sent to
The data volume of the service end.
Compared with prior art, technical scheme has the following advantages that:
Above-mentioned technical scheme, due to before carrying out data transmission, authentication protocol being passed through between client and service end
Be mutually authenticated the identity of other side, then by IKE session key, and using calculated session key and
AES come to transmit packet encrypt and decrypt, realize transmission security data packet ground from client to service end
One-way transmission, build it is simple, without the need for extra consumption calculations resource, therefore, the transmission of data is more safe and reliable, it is possible to have
Effect saves computing resource.
Further, due to being controlled to the operation that service end is performed using instruction, various data can be met and is passed
Defeated demand.
Further, due to RSA cryptographic algorithms for client exchanges rank with service end in authentication stage and key
The information of section interaction is encrypted, and can effectively improve the safety of data transfer, it is possible to effectively prevent man-in-the-middle attack.
Further, due to and add in the information that interacts of the client with service end the first random identification or
Two random identifications, can effectively prevent Replay Attack.
Further, due to calculating the symmetrical of client and service end using Diffie-hellman secret keys exchange agreement
Session key, due to the session key each self-generating by both party, rather than is transferred to the opposing party after being calculated by a side, therefore,
Can effectively prevent session key from being intercepted and captured by third party, and the safety of data transfer is threatened.
Further, due to using the first stream cipher algorithm and the session identification of session session key second, generating close
Literary second random identification, can effectively prevent Replay Attack, reuse the second stream cipher algorithm and the random identification of ciphertext second is come
The data of encrypted transmission so that the key that every time encryption data is used is differed, and can effectively prevent birthday attack, therefore,
The safety of data transfer can be improved.
Further, due to generating number to command information, information and the second random identification using Digital Signature Algorithm
Word signing messages, can confirm that the true identity of packet sender and the integrity of packet and confidentiality.
Further, the client due to more than can meet client simultaneously to service end transmission data
The demand of concurrently-transmitted data between service end.
Description of the drawings
Fig. 1 is a kind of flow chart of the data transmission method in the embodiment of the present invention;
Fig. 2 is the flow chart of another kind of data transmission method in the embodiment of the present invention;
Fig. 3 is a kind of structural representation of the service end in the embodiment of the present invention;
Fig. 4 is the structural representation of the first identification authenticating unit of the service end in the embodiment of the present invention;
Fig. 5 is the structural representation of the first key crosspoint of the service end in the embodiment of the present invention;
Fig. 6 is the structural representation of the receiving unit of the service end in the embodiment of the present invention;
Fig. 7 is the structural representation of the decryption unit of the service end in the embodiment of the present invention;
Fig. 8 is the structural representation of the client in the embodiment of the present invention;
Fig. 9 is the structural representation of the second identification authenticating unit of the client in the embodiment of the present invention;
Figure 10 is the structural representation of the second key exchange unit of the client in the embodiment of the present invention;
Figure 11 is the structural representation of the ciphering unit in the client in the embodiment of the present invention.
Specific embodiment
In prior art, the data transfer set up using pipeline between client and service end, generally using following two
The mode of kind:
One kind is using VPN (Virtual Private Network, VPN (virtual private network)) or SSH (Secure
Shell, safety shell protocol) mode in combination with TCP-PIPE, i.e.,:First, VPN is set up between client and service end
Or acted on behalf of using SSH, to build escape way, then, TCP-PIPE service ends are registered on RPC.Finally, using TCP-
PIPE clients carry out data transmission with TCP-PIPE service ends.
On the one hand, due to carrying out data using clear-text way using between TCP-PIPE clients and TCP-PIPE service ends
Transmission, it is therefore desirable to extraly build long-standing escape way, to guarantee the safety of transmission data, thus exist
Can waste of resource.On the other hand, because TCP-PIPE service ends need to rely on transmission of the RPC service to carry out data, due to RPC
The safety of service itself is not high, therefore also increases the risk that client and service end are invaded.
Another kind is that the data transfer between client and service end is realized using SSH and pipeline, and this kind of method has two
Implementation is planted, by business service end to as a example by service customer end transmission data, including:
The order for needing to be performed at business service end is transferred to into SSH services by ssh client for a kind of being achieved in that
End.Then, recycle pipeline that the postrun result of SSH service sort commands is transferred to into downstream from the standard output of ssh client
The standard input of program.
Another kind is achieved in that and is guided the result of business service end local runtime using pipeline to the mark of ssh client
Quasi- input, then the order in the operation of business service end will be needed to be transferred to SSH service ends, with this, by the local of business service end
Data transfer is to service customer end.
As can be seen here, in method, no matter the first implementation or second implementation do not meet normally
Data transfer flow process, therefore, it is easily caused maloperation.
Meanwhile, above-mentioned two ways does not support the concurrent communication between multiple stage client and service end, it is impossible to meet
Service end carries out the demand of concurrent communication with multiple stage client.
To solve the above-mentioned problems in the prior art, the embodiment of the present invention is adopted and first carries out body before data is transmitted
Part certification, then session key, and utilize calculated session key to carry out data transmission, number can be effectively improved
According to the safety of transmission, computing resource is saved, it is easy to use.
It is understandable to enable the above objects, features and advantages of the present invention to become apparent from, below in conjunction with the accompanying drawings to the present invention
Specific embodiment be described in detail.
Fig. 1 shows a kind of flow chart of the data transmission method in the embodiment of the present invention.Transmission side data as shown in Figure 1
Method, can include:
Step S11:Service end carries out information exchange with client by authentication protocol, mutually carries out authentication.
In being embodied as, service end and client can carry out information exchange by authentication protocol, mutually determine other side
Identity, to determine that other side is not invader.
Step S12:The service end and client generate session key by IKE.
In being embodied as, service end and client can adopt secret key exchange agreement session key, and verify double
Whether side has calculated correct session key, when both sides calculate correct session key, then can carry out follow-up
Data transfer.
Step S13:The client is encrypted using AES and the session key to packet waiting for transmission,
And will transmit to the service end through the packet of encryption.
In being embodied as, when service end and client generate correct session key, client can be using calculating
Session key and AES out is encrypted to packet waiting for transmission, to confirm that packet sends out the true body of sender
Part, and guarantee the confidentiality and integrity of packet.
In being embodied as, in order to further ensure that the safety of data transfer, can be treated using stream cipher algorithm
The packet of transmission is encrypted, and because client is in each transmission data, the data transmitted is entered using different keys
Row encryption, can be prevented effectively from and be encrypted produced safety issue using constant data key.
Step S14:The service end decrypts the received number through encryption using the session key and AES
According to bag, and perform corresponding operation.
In being embodied as, service end can be using itself calculated session key and AES, by client
The data encrypted using session key and the AES are decrypted, and the data obtained according to decryption perform corresponding behaviour
Make.For example, client can perform corresponding operation according to the information of the instruction in the data that obtain of decryption.
Fig. 2 shows the flow chart of another kind of data transmission method in the embodiment of the present invention.Data as described in Figure 2 are passed
Transmission method, can include:
Step S201:The service end RSA private key and client RSA public key are stored in the service end, client
RSA public keys are indexed by the identity data of client, and the client RSA private key and service end RSA public key are stored in into the visitor
In the end of family, the service end RSA public key is indexed by the identity data of service end.
In being embodied as, the service end RSA private key and service end RSA public key constitute service end RSA key pair, client
End RSA private keys and client RSA public key constitute client RSA key pair, and service end RSA key pair and client key pair can be with
Generated using RSA Algorithm by service end and client respectively, it is also possible to generated by third party.
In being embodied as, client RSA public key is indexed by the identity data of client, i.e.,:Service end can be according to visitor
The identity data at family end is determining corresponding client RSA public key.The service end RSA public key by service end identity data rope
Draw, i.e., client can determine corresponding client RSA public key according to the identity data of client
Step S202:The client sends the identity data of itself to the service end.
In being embodied as, client first can send the identity data of itself to client, with to the service
End sends service request.Wherein, the identity data of client can be used for uniquely determining the client, and be stored in clothes
Client RSA public key on business end.
Step S203:The identity data of the client that the service end is sent according to client determines that client RSA is public
Key, and the identity data of the random identification of client RSA public key encryption first and service end determined by use, and by service end
The plaintext of identity data is sent to the client with the identity data of the first random identification through encrypting and service end.
In being embodied as, the identity data of the client that service end can send first according to client is determining storage
In own customers end RSA public keys, it is possible to which client RSA public key determined by use is random to itself identity data and first
Mark is encrypted.Wherein, the identity data of service end can be that client is used to determine the service end for being stored in client
RSA public keys, the first random identification can be used to generate the second random identification for client.
Step S204:Client RSA corresponding with the client RSA public key that the client is stored using itself
The first random identification of encryption and the identity data of the service end are passed through in private key, decryption, when the body of the service end that decryption is obtained
Number according to it is consistent with the plaintext of the identity data of the service end for being received when, the client to the service end authentication into
Work(.
In being embodied as, client is receiving first random identification of the service end using client RSA public key encryption
After the identity data of service end, corresponding client RSA can be searched in the client RSA private key storehouse of itself storage private
Key, and decrypt the identity data and the second random mark through client RSA public key encryption using the client RSA private key for finding
Know.
Client can decrypt the clothes that obtain when decryption obtains the identity data and the second random identification of service end
Whether the identity data at business end is compared with the plaintext of the identity data of the service end for being received, consistent to determine the two.When
It is determined that when the identity data for decrypting the service end for obtaining is consistent with the plaintext of the identity data of the service end for being received, it was demonstrated that client
What the identity data and the second random identification of the received service end through encryption in end was sended over for service end really, client
End is for the authentication success of service end.
Step S205:When the client is successful to the service end authentication, service end described in the client
Identity data determines service end RSA public key, and the random identification of service end RSA public key encryption second determined by use, and sends
To the service end.
In being embodied as, the client is to during service end authentication success, client can be according to decryption
The identity data of the service end for obtaining, determines the service end RSA public key of itself storage, and service end RSA is public determined by adopting
Key decrypts the second random identification, and sends to service end.
In being embodied as, the second random identification can decrypt the first random identification that the service end for obtaining sends according to
Generate.For example, the first random identification can be a random number, and client can be with the first random identification as seed, using safety
Random number algorithm generates the second random identification.
Step S206:Service end RSA corresponding with the service end RSA public key that the service end is stored using itself
Private key, decryption through encryption the second random identification, when the second random identification for obtaining of decryption with the service end according to decryption
When calculated second random identification of the first random identification that obtains is identical, it was demonstrated that received through the second random of encryption
It is designated this session to produce, and authentication success of the service end to the client.
In being embodied as, service end can be searched and service end RSA in the service end RSA private key storehouse of itself storage
The corresponding service end RSA private key of public key, it is possible to using searching the service end RSA private key that obtains for encrypting through client
The second random identification be decrypted.
In being embodied as, during client and service end mutually carry out authentication, client and service end
Data interactive information data is encrypted and decrypted using RSA Algorithm.Because RSA private keys can typically carry out secret guarantor
Deposit, RSA public keys then may come forth, and be in publicly available state.When RSA public keys come forth, anyone can
The RSA public keys for being used in public's Ke get states are decrypted to the data through RSA private key encryptions.
Therefore, in data transmission method in embodiments of the present invention, mutually carry out identity in client and service end and recognize
During card, using information data encryption of the RSA public keys to transmission, and the secret RSA private keys for preserving are adopted to public through RSA
The information data of key encryption is decrypted.Therefore, even if corresponding RSA public keys come forth, any third party cannot also decrypt Jing
The data of client and service end encryption are crossed, the safety of data transfer can be improved.
In being embodied as, when client and the success of service end mutual identity authentication, both sides just can enter next step
Cipher key exchange phase, to generate session key.
In an embodiment of the present invention, service end and client exchange session key can be close using Diffie-Hellman
Spoon exchange agreement is carried out.Specifically, can include:
Step S207:The service end uses client RSA public key, encryption Diffie-Hellman public keys, service end
Diffie-Hellman public keys and second random identification, and send to the client.
In being embodied as, the Diffie-Hellman public keys are generated by the service end, service end Diffie-
Hellman public keys are by the service end using the Diffie-Hellman public keys and according to the Diffie-Hellman public keys
The service end Diffie-Hellman private key of generation is generated.
In being embodied as, according to Diffie-Hellman secret key exchange agreements, can be determined by service end first
Diffie-Hellman public keys.Wherein, Diffie-Hellman public keys include parameter disclosed in two overall situations, prime number q and
One integer a, a are a primitive roots of q.Service end may be selected random identification Xs and Xs<Q is used as service end Diffie-
Hellman private keys, it is possible to which service end Diffie-Hellman public key Ys is calculated according to formula Ys=a^Xs mod q.Service end
To carry out secrecy storage to service end Diffie-Hellman private key, and service end Diffie-Hellman public key can be by servicing
End is sent to client after encryption, so that client can obtain service end Diffie-Hellman public key.
Step S208:The client uses the client RSA private key corresponding with the client RSA public key, decryption
Diffie-Hellman public keys, service end Diffie-Hellman public key and second through the client RSA public key encryption
Random identification.
In being embodied as, in order to obtain Diffie-Hellman public keys and service end Diffie- that service end is transmitted
Hellman public keys, client can search corresponding client RSA private key in the client RSA private key storehouse of itself storage, and
The client RSA private key obtained using lookup decrypts Diffie-Hellman public keys, the service through client RSA public key encryption
End Diffie-Hellman public keys and the second random identification, to calculate client Diffie-Hellman private key and the visitor of itself
Family end Diffie-Hellman public keys, and verify received Diffie-Hellman public keys, service end through encryption
The identity of Diffie-Hellman public keys and the second random identification.
Step S209:When decryption obtains correct second random identification, the client is obtained according to decryption
Diffie-Hellman public keys and service end Diffie-Hellman public key calculate session key.
In being embodied as, when client obtains Diffie-Hellman public keys and service end Diffie-Hellman public key
Afterwards, formula K=(Ys) ^Xc mod q can be adopted, calculates session key K.
Step S210:The client uses service end RSA public key encryption client Diffie-Hellman public key and institute
The second random identification is stated, and is sent to the service end.
In being embodied as, according to Diffie-Hellman IKEs, in order to allow service end to adopt client
End Diffie-Hellman public keys, using formula:K=(Yc) ^Xs mod q, are calculated session key K, first can be by visitor
Send to service end after the calculated client Diffie-Hellman public key encryption in family end.
Due to using Diffie-Hellman Diffie-Hellman, only when needing, client and service end are calculated
Symmetrical session key, and session key itself need not transmission, can effectively reduce the chance that symmetric key is attacked, carry
High security.
Further, since adding the first random identification or the second random mark in the data that client and service end send
Know, can effectively prevent third party from intercepting and capturing the packet that client and service end send, the client that disguises oneself as or service end, will
The packet intercepted and captured before is reentered into network, sends to client or service end, thus can improve the peace of data transfer
Quan Xing.
Step S211:The service end uses the service end RSA private key corresponding with the service end RSA public key, decryption
The client Diffie-Hellman public key and the second random identification through service end RSA public key encryption.
In being embodied as, client can be randomly choosed after through decrypting the Diffie-Hellman public keys for obtaining
One privately owned random identification Xc<Q is counted as client Diffie-Hellman private key according to formula Yc=a^Xc mod q
Calculation obtains the client Diffie-Hellman public key Yc of itself.Wherein, client Diffie-Hellman key Xc is by client
End secrecy storage, and client Diffie-Hellman public key Yc then being serviced end acquisition is disclosed.
In being embodied as, in order to obtain client Diffie-Hellman public key that client transmitted and second random
Mark, service end can search corresponding service end RSA private key in the service end RSA private key storehouse of itself storage, and using looking into
The service end RSA private key found, decrypts the client Diffie-Hellman public key through service end RSA public key encryption, with
Just session key K.
Step S212:When correct second random identification is obtained, the service end is according to the Diffie-Hellman
Public key and decryption obtain the client Diffie-Hellman public key and calculate session key.
In being embodied as, when client obtains correct second random identification using the decryption of service end RSA private key, card
Bright its received data bag is produced for this session really, and it is also Jing to decrypt the client Diffie-Hellman public key for obtaining
The client for crossing authentication sends.
In being embodied as, after service end obtains client Diffie-Hellman public key, formula can be adopted:K=
(Yc) ^Xs mod q, calculate session key K.
Due to K=(YB) ^XA mod q=(a^XB mod q) ^XA mod q=(a^XB) ^XA mod q=a^
(XBXA) mod q=(a^XA) ^XB mod q=(a^XA mod q) ^XB mod q=(YA) ^XB mod q, therefore, service
End and client can calculate identical session key.
Existing RSA Algorithm, RSA private keys can typically carry out secret preservation, and RSA public keys then may come forth, in public affairs
Many available states.When RSA public keys come forth, anyone can be used in the RSA public keys of public's Ke get states to Jing
The data for crossing RSA private key encryptions are decrypted.
Therefore, in data transmission method in embodiments of the present invention, in client and service end key exchange is carried out
During, using information data encryption of the RSA public keys to transmission, and the secret RSA private keys for preserving are adopted to adding through RSA public keys
Close information data is decrypted, even if corresponding RSA public keys come forth, any third party also cannot decrypt through client and
The data of service end encryption, can improve the safety of data transfer.
Simultaneously as calculating the symmetrical close of client and service end using Diffie-Hellman secret keys exchange agreement
Key, due to the session key each self-generating by both party, rather than is transferred to the opposing party after being calculated by a side, therefore, it can to have
Effect prevents session key from being intercepted and captured by third party, and the safety of data transfer is threatened
In being embodied as, after service end and client are calculated session key respectively, can further pass through phase
The information exchange answered is determining whether both sides have calculated correct symmetric session keys.Specifically, can include:
Step S213:The service end encrypts institute using itself calculated session key and the first stream cipher algorithm
The generation of the second random identification is stated, the random identification of ciphertext second is generated, and is added using the random identification of the ciphertext second and second
Close algorithm for encryption verifies data, and sends to the client.
In being embodied as, checking data can be configured according to the actual needs.For example, verify that data can be random
Random identification of generation etc..
In being embodied as, the first stream cipher algorithm can be with identical with the second stream cipher algorithm, it is also possible to differs.
Step S214:The client is generated using itself calculated session key and first stream cipher algorithm
The random identification of ciphertext second, and it is described through clothes using the random identification of the ciphertext second and second stream cipher algorithm decryption
The checking data of business end encryption, when data are correctly verified, it was demonstrated that the service end and the client are calculated
Correct symmetrical session key.
In being embodied as, according to Diffie-Hellman secret key exchange agreements, when client is added using session key pair
When close checking data are decrypted, the session key that can be calculated first by itself and the 6th AES are to
Two random identifications are encrypted, and obtain the ciphertext of the second random identification, the i.e. random identification of ciphertext second.Then, service end can be with
Using the random identification of ciphertext second and the second stream cipher algorithm for the checking data encrypted through client are decrypted.Work as clothes
When business end and the correct session key that calculates of client, then service end use can use the random identification of ciphertext second and second
Stream cipher algorithm is decrypted to the checking data that client is encrypted, and just can obtain correct checking data.At this point it is possible to really
Determine service end and client has calculated correct session key, follow-up data transfer phase can be entered.
In being embodied as, checking data can be configured according to the actual needs.For example, can be character string, number
Word etc..
Step S215:The client using described in first stream cipher algorithm and the session key second with
Machine is identified, and obtains the random identification of the ciphertext second, and is marked at random using second stream cipher algorithm and the ciphertext second
Knowledge is encrypted to packet waiting for transmission, generates ciphertext packet.
In being embodied as, in order to ensure safety of the data to be transmitted in transmitting procedure, session can not be directly adopted
Key encrypts data waiting for transmission, and can encrypt the second random identification initially with session key and the first stream cipher algorithm,
The random identification of ciphertext second is obtained, the random identification of ciphertext second that obtains is reused and the encryption of the second stream cipher algorithm is waiting for transmission
Packet, generates ciphertext packet.The presence of the first stream encryption so that encrypt the key meeting that packet waiting for transmission is adopted every time
It is continually changing, reduces the probability that the ciphertext generated after different pieces of information packet encryption produces conflict, therefore, it can effectively defence life
Day attacks, and improves the safety of data transfer.
In being embodied as, when service end obtains correct packet by decryption, due to depositing for the second random identification
, service end just can determine received data bag and really produce for this session, rather than after third party's intercepted data bag again
The packet put, it is thus possible to improve the safety of data transfer.
In being embodied as, command information, information sum can be included in the ciphertext packet that client is generated
Word signing messages.Wherein:
In being embodied as, the command information may be located at the first byte of packet waiting for transmission, it is possible to by visitor
Family end is set to corresponding numerical value at the end of to service end transmission data.For example:
When the instruction is the first numerical value, the service end does not perform any behaviour for the information that decryption is obtained
Make.
When the instruction is second value, the service end is interrupted and the client after receiving data terminates
Connection, and serve port is persistently monitored, to determine whether new service request.Now, when client sends new to service end
Service request when, service end can be received and responded.
When the instruction is third value, the service end is interrupted and the client after receiving data terminates
Connect and exit.Now, service end has logged out, and when client sends new service request to service end, service end is by nothing
Method is received and responded.
When the instruction is four numerical value, the service end decompression is described to decrypt the information for obtaining.Concrete
In enforcement, when the instruction is four numerical value, illustrate that client have passed through compression by the information of standard input
Process, therefore, service end can be entered when it is four numerical value to read command information to the information compressed through client
Row decompression.
When the instruction is five numerical value, the service end request is exchanged with the client again through the key
The new session key of protocol generation.
In being embodied as, digital signature information can be using the Digital Signature Algorithm encrypted instruction information, message
Information and the second random identification are generated.
In being embodied as, the algorithm that generation digital signature information is adopted can be selected according to the actual needs.
For example, Message Digest 5 (Message Digest Algorithm, abbreviation MD5) can be selected.
It is described when the client reaches predetermined threshold value to the data volume that the service end is transmitted in being embodied as
The command information is set to the 5th numerical value by client, and the service end and the client are again through IKE
Generate new session key.
In being embodied as, the AES can be RC4 AESs.But, because RC4 AESs can be subject to
Birthday attack, in order to ensure the safety of data transfer, when the client reaches default threshold to the data volume that service end is transmitted
The command information can be set to the 5th numerical value by value, client, the service end and client exchange session again
Key.
In being embodied as, in order to prevent third party from intercepting and capturing the data of transmission, and the client that disguises oneself as is transmitted to service end
Data, in data transmission method in embodiments of the present invention, in the data of service end and client transmissions first are added
Random identification or the second random identification.The presence of the first random identification and the second random identification can effectively prevent playback from attacking
Hit, improve the safety and reliability of data transfer.
In being embodied as, the client in the embodiment of the present invention can be more than one, namely in the embodiment of the present invention
Data transmission method can support a service end with multiple stage client while being communicated, carry out concurrent processing, therefore.Can
The demand of concurrent communication is carried out to meet client of the service end simultaneously with more than one.
Fig. 3 shows a kind of structural representation of the service end in the embodiment of the present invention.Service end as shown in Figure 3 can be with
Including the first identification authenticating unit 31, first key crosspoint 32, receiving unit 33, decryption unit 34 that are sequentially connected and hold
Row unit 35, first key crosspoint 32 is also connected with decryption unit 34.Wherein:
First identification authenticating unit 31, is suitable to carry out information exchange by authentication protocol and client, to the client
Carry out authentication.
First key crosspoint 32, is suitable to be handed over by key with the client through the certification of the first identification authenticating unit 31
Change protocol generation session key.
Receiving unit 33, is suitable to reception client and uses the session that AES and first key crosspoint 32 are generated close
The packet of key encryption.
Decryption unit 34, is adapted in use to the session key and the AES of the generation of first key crosspoint 32, solution
The packet through client encryption that close receiving unit 33 is received.
Performance element 35, is suitable to the packet for obtaining and obtaining according to the decryption of decryption unit 34, performs corresponding operation.
Fig. 4 shows the structural representation of the first identification authenticating unit of the service end in the embodiment of the present invention.Such as Fig. 4 institutes
The first identification authenticating unit for showing can include:First storing sub-units 41, the first encryption sub-unit operable 42, the first receiving subelement
43rd, the first decryption subelement 44, the first storing sub-units 41 decrypt subelement 43 with the first encryption sub-unit operable 42 and first respectively
It is connected.Wherein:
First storing sub-units 41, are suitable to storage service end RSA private keys and client RSA public key.
In being embodied as, the first storing sub-units 41 storage client RSA public key by the client identity number
According to index, wherein, the service end RSA public key and service end RSA private key constitute service end RSA key pair, client RSA
Private key and client RSA public key constitute client RSA key pair, and the service end RSA key pair and client RSA key are to dividing
Do not generated using RSA Algorithm, the client RSA private key and service end RSA public key are stored in the client, the service
End RSA public keys are indexed by the identity data of service end.
First encryption sub-unit operable 42, is suitable to determine the first storing sub-units 41 according to the identity data of the client for being received
The client RSA public key of middle storage, and the random identification of client RSA public key encryption first determined by use and the service end
Identity data, and by the plaintext of the identity data of service end and through encryption the first random identification and service end identity number
According to transmission to the client.
First receiving subelement 43, is suitable to receive the service end RSA public affairs that client is determined using the identity data of service end
Second random identification of key encryption.
First decryption subelement 44, is suitable for use with the service end RSA private key stored in first storing sub-units 41, solution
What close first receiving subelement 43 was received adopts second random identification of service end RSA public key encryption through client, when
The second random identification for obtaining of decryption with according to calculated second random identification of first random identification it is identical when, it was demonstrated that
The second random identification through encryption for being received is produced for this session, and to the authentication success of the client.
Fig. 5 shows the structure of the first key crosspoint of the service end in the embodiment of the present invention.As shown in Figure 5 the
One key exchange unit can include that first generates subelement 51, the second receiving subelement 52, the second encryption sub-unit operable 53, first
Send subelement 54, the 3rd receiving subelement 55, second and decrypt subelement 56, the first computation subunit 57 and the 3rd encryption son list
Unit 58, the first generation subelement 51 is connected with the second receiving subelement 52, and the second encryption sub-unit operable 53 is generated respectively with first
Subelement 51, the second receiving subelement 52, first send subelement 54 and are connected, and the second decryption subelement 56 is given birth to respectively with first
It is connected with the 3rd receiving subelement 55 into subelement 51, the second decryption subelement 56, the first computation subunit 57 and Acanthopanan trifoliatus (L.) Merr.
Close subelement 58 is sequentially connected.Wherein:
First generates subelement 51, is suitable to generate Diffie-Hellman public keys, clothes according to Diffie-Hellman algorithms
Business end Diffie-Hellman private keys and service end Diffie-Hellman public key.
Second receiving subelement 52, is suitable to receive the identity data of the client that the client is sended over, and connects
Receive the service request that the client sends.
Second encryption sub-unit operable 53, is adapted in use to the identity number of the client according to second receiving subelement 52 reception
According to determination client RSA public key, and client RSA public key encryption first determined by use generates what subelement 51 was generated
Diffie-Hellman public keys, service end Diffie-Hellman public key and the second random identification.
First sends subelement 54, the Diffie-Hellman public keys that are suitable to will to encrypt through the second encryption sub-unit operable 53,
Service end Diffie-Hellman public key and the second random identification are sent to the client.
3rd receiving subelement 55, is suitable to receive the service end that the identity data of the use service end that client sends determines
The client Diffie-Hellman public key of RSA public key encryptions and second random identification.
Second decryption subelement 56, is adapted in use to the service end RSA private key stored in the first storing sub-units 51 to the 3rd
It is public using client Diffie-Hellman of service end RSA public key encryption through the client that receiving subelement 55 is received
Key and second random identification.
First computation subunit 57, is suitable to when the second decryption decryption of subelement 56 obtains correct second random identification
When, the Diffie-Hellman public keys and client Diffie-Hellman public key for obtaining is decrypted using the second decryption subelement 56
Session key.
3rd encryption sub-unit operable 58, be adapted in use to session key that the first computation subunit 57 calculates and it is first-class plus
Second random identification described in close algorithm for encryption, generates the random identification of ciphertext second, and using the random identification of the ciphertext second and
Second stream cipher algorithm encrypted authentication data, and send to the client.
Fig. 6 shows the structure of the receiving unit of the service end in the embodiment of the present invention.Receiving unit as shown in Figure 6 can
To include:4th receiving subelement 61, be suitable to receive client using second stream cipher algorithm and the ciphertext second with
Machine identifies the ciphertext packet generated to Data Packet Encryption waiting for transmission.
In being embodied as, the packet waiting for transmission includes command information, information and digital signature information, its
In, the command information indicates that the service end performs corresponding operation, the information will by the service end transmit to
Standard output, the digital signature information is to encrypt the command information, information and described the using Digital Signature Algorithm
Two random identifications are generated.
Fig. 7 shows the structural representation of the decryption unit of the service end in the embodiment of the present invention.Decryption as shown in Figure 7
Unit can include:First decryption subelement 71, digital signature authentication unit 72 and execution subelement 73, the first decryption subelement
71 are connected respectively with digital signature authentication unit 72 and execution subelement 73.Wherein:
3rd decryption subelement 71, is suitable for use with second described in first stream cipher algorithm and the session key
Random identification, generates the random identification of ciphertext second, and random using second stream cipher algorithm and the ciphertext second
The mark decryption ciphertext packet, obtains the command information, information and digital signature information.
Digital signature authentication unit 72, is suitable for use with the first decryption of Digital Signature Algorithm checking subelement 71 and decrypts
Whether the digital signature information for arriving is correct.
Subelement 73 is performed, is suitable to when digital signature authentication unit 72 verifies that the digital signature information is correct, according to
The command information that decryption is obtained performs corresponding operation.
In being embodied as, the execution subelement 73 may further include the first performing module 731, second and perform mould
Block 732, the 3rd performing module 733, the 4th performing module 734 and the 5th performing module 735.Wherein:
First performing module 731, is suitable to, when the command information is the first numerical value, to described the message for obtaining letter be decrypted
Breath does not perform any operation.
Second performing module 732, is suitable to, when the command information is second value, interrupt the company with the client
Connect, and persistently monitor serve port, to determine whether new service request.
3rd performing module 733, is suitable to, when the command information is third value, interrupt the connection with the client
And exit.
4th performing module 734, is suitable to when the command information is four numerical value, the message letter that decompression decryption is obtained
Breath.
5th performing module 735, when the command information is five numerical value, request is led to client again session key
Cross the IKE and generate new session key.
Fig. 8 shows the structure of the client in the embodiment of the present invention.Client as shown in Figure 8, can be included successively
The second identification authenticating unit 81, the second key exchange unit 82 and the ciphering unit 83 for connecting.Wherein:
Second identification authenticating unit 81, is suitable to carry out information exchange by authentication protocol and service end, to the service end
Carry out authentication.
Second key exchange unit 82, is suitable to be handed over by key with the service end through the certification of the second identification authenticating unit 81
Change protocol generation session key.
Ciphering unit 83, is suitable for use with the session key of the generation of the second key exchange unit 82 to data waiting for transmission
Bag is encrypted, and will transmit to the service end through the packet of encryption.
Fig. 9 shows the structure of the second identification authenticating unit of the client in the embodiment of the present invention.As described in Figure 9
Two identification authenticating units can include that the second storing sub-units 91, second send subelement 92, the 5th receiving subelement the 93, the 3rd
The decryption encryption sub-unit operable 95 of subelement 94 and the 4th, the second storing sub-units 91 add respectively with the 3rd decryption subelement 94 and the 4th
Close subelement 95 is connected, and the decryption encryption sub-unit operable 95 of subelement 94 and the 4th of the 5th receiving subelement the 93, the 3rd is sequentially connected.
Wherein:
Second storing sub-units 91, are suitable to store client RSA private key and service end RSA public key, service end RSA public key by
The identity data index of the service end.
In being embodied as, the client RSA private key and client RSA public key constitute client RSA key pair.It is described
Service end RSA public key and service end RSA private key constitute service end RSA key pair.The service end RSA key pair and service end
RSA key using RSA Algorithm to being generated.The service end RSA private key and client RSA public key are stored in the service end,
The client RSA public key is indexed by the identity data of the client.
Second sends subelement 92, is suitable to the identity data of the client be sent to the service end, to the clothes
Business end sends service request.
5th receiving subelement 93, is suitable to receive the service end using the second client for sending the transmission of subelement 92
The identity data and the first random identification of the service end of the client RSA public key encryption that identity data determines.
3rd decryption subelement 94, be suitable for use with second storing sub-units 91 store with client RSA public key
Corresponding client RSA private key, what the 5th receiving subelement 93 of decryption was received adopts client RSA public key through service end
The identity data of the service end of encryption and the first random identification, when the identity data for decrypting the service end for obtaining and the clothes for being received
When the plaintext of the identity data at business end is consistent, the client is to the service end authentication success.
4th encryption sub-unit operable 95, is suitable to when the authentication success of the 3rd decryption 94 pairs of service ends of subelement,
Second storing sub-units are determined using the identity data of the service end obtained according to the 3rd decryption decryption of subelement 94
The service end RSA public key stored in 91, and the random identification of service end RSA public key encryption second determined by use, and send to
The service end.
In being embodied as, it is random that second random identification can decrypt first for obtaining according to the 3rd decryption subelement
Mark is generated.
Figure 10 shows the structure of the second key exchange unit of the client in the embodiment of the present invention.As shown in Figure 10
Second key exchange unit can include that the decryption subelement 102, second of the 6th receiving subelement the 101, the 4th generates subelement
103rd, the second computation subunit 104, the 5th encryption sub-unit operable 105, the 7th receiving subelement 106 and the 5th decryption subelement 107,
4th decryption subelement 102 generates the computation subunit 104 of subelement 103 and second with the 6th receiving subelement 101, second respectively
Be connected, second generation subelement 103 is also connected with the 5th encryption sub-unit operable 105, the 5th decryption subelement 107 also respectively with
Second computation subunit 104 is connected with the 6th receiving subelement 106.Wherein:
6th receiving subelement 101, is suitable to reception and uses client RSA public key encryption through the service end
Diffie-Hellman public keys, service end Diffie-Hellman public key and second random identification.
In being embodied as, the Diffie-Hellman public keys are generated by the service end, service end Diffie-
Hellman public keys are by the service end using the Diffie-Hellman public keys and according to the Diffie-Hellman public keys
The service end Diffie-Hellman private key of generation is generated.
4th decryption subelement 102, be adapted in use in the second storing sub-units store with the client RSA public key phase
Corresponding client RSA private key, decrypts the Diffie- through client RSA public key encryption that the 6th receiving subelement 101 is received
Hellman public keys, service end Diffie-Hellman public key and second random identification.
Second generates subelement 103, is suitable to obtain correct second random identification according to the 4th decryption decryption of subelement 102
When, the Diffie-Hellman public keys obtained using the 4th decryption decryption of subelement 102 generate client Diffie-Hellman
Private key, and client Diffie- is generated according to the Diffie-Hellman public keys and client Diffie-Hellman private key
Hellman public keys.
Second computation subunit 104, is suitable to when the 4th decryption decryption of subelement 102 obtains correct second random identification
When, the Diffie-Hellman public keys and service end Diffie-Hellman obtained according to the 4th decryption decryption of subelement 102 is public
Key session key.
5th encryption sub-unit operable 105, is adapted in use to the service end RSA public key stored in the second storing sub-units, encrypts institute
State the second generation subelement 103 generation client Diffie-Hellman public key and second random identification, and send to
The service end.
7th receiving subelement 106, is suitable to receive service end using the random identification of the ciphertext second and the second
The checking data of AES encryption.
5th decryption subelement 107, is adapted in use to the calculated session key of the second computation subunit 104 and first-class
AES encrypts the second random identification, generates the random identification of ciphertext second, and using the random identification of the ciphertext second and the
Two stream cipher algorithms, decrypt the checking data through service end encryption that the 6th receiving subelement 106 is received, when
During to correct checking data, it was demonstrated that the client and the service end have calculated correct session key.
Figure 11 shows the structural representation of the ciphering unit of the client in the embodiment of the present invention.As shown in figure 11 adds
Close unit 110, can include that information input subelement 111, the 6th encryption sub-unit operable 112, signature generate subelement the 113, the 7th
Encryption sub-unit operable 114 and the 3rd sends subelement 115, the 7th encryption sub-unit operable 114 respectively with information input subelement 111, the
Six encryption sub-unit operables 112 generate subelement 113 and are connected with signature, and it is also sub with information input respectively that signature generates subelement 113
Unit 111 is connected with the 6th encryption sub-unit operable 112.Wherein:
Information input subelement 111, is suitable to be input into information waiting for transmission.
6th encryption sub-unit operable 112, is adapted in use to the session key and first stream cipher algorithm encryption described the
Two random identifications, generate the random identification of ciphertext second.
Signature generates subelement 113, is suitable for use with Digital Signature Algorithm encrypted instruction information, information input subelement 111
The information of input and the second random identification, generate digital signature information.
7th encryption sub-unit operable 114, is suitable for use with the ciphertext random identification and second of the generation of the 6th encryption sub-unit operable 112
AES encrypts packet waiting for transmission, generates ciphertext packet.
3rd sends subelement 115, is suitable to the ciphertext packet that the 7th encryption sub-unit operable 114 is generated be sent to institute
State service end.
In being embodied as, the data to be transmitted bag can include that the command information, information input subelement 111 are defeated
The information for entering and the signature generate the digital signature information that subelement 113 is generated.Wherein, the command information indicates institute
State service end and perform corresponding operation, the information will be transmitted to standard output by the service end.
In being embodied as, ciphering unit 110 can also include:Instruction arranges subelement 116, is suitable at described 3rd
Send subelement 115 at the end of service end transmission data, the command information is set to into corresponding numerical value.
In being embodied as, ciphering unit 110 can also include:Statistics subelement 117, is suitable to statistics the 3rd and sends son list
Unit 115 is sent to the data volume of the service end.When the 3rd transmission subelement 115 of the statistics statistics of subelement 117 is sent to clothes
When the data volume at business end reaches default threshold value, service end and client generate new session again through IKE
Key.
One of ordinary skill in the art will appreciate that all or part of step in the various methods of above-described embodiment is can
Completed with instructing the hardware of correlation by program, the program can be stored in computer-readable recording medium, storage is situated between
Matter can include:ROM, RAM, disk or CD etc..
The method and system of the embodiment of the present invention are had been described in detail above, the present invention is not limited to this.Any
Art personnel, without departing from the spirit and scope of the present invention, can make various changes or modifications, therefore the guarantor of the present invention
Shield scope should be defined by claim limited range.
Claims (19)
1. a kind of data transmission method, it is characterised in that include:
Service end carries out information exchange with client by authentication protocol, mutually carries out authentication, specifically includes:By the clothes
Business end RSA private keys and client RSA public key be stored in the service end, client RSA public key by client identity data
Index, the client RSA private key and service end RSA public key are stored in the client, the service end RSA public key by
The identity data index of service end, the service end RSA public key and service end RSA private key, the client RSA public key and client
End RSA private keys are respectively adopted RSA Algorithm generation;The client sends the identity data of itself to the service end, to institute
State service end and send service request;The identity data of the client that the service end is sent according to client determines client
RSA public keys, and the identity data of the random identification of client RSA public key encryption first and service end determined by use, and
Send to described by the plaintext of the identity data of service end and through the first random identification of encryption and the identity data of service end
Client;The client is decrypted using the client RSA private key corresponding with the client RSA public key of itself storage
Through first random identification and the identity data of the service end of encryption, when the identity data and institute of decrypting the service end for obtaining
When the plaintext of the identity data of the service end of reception is consistent, the client is to the service end authentication success;The visitor
Family end is to during service end authentication success, the client determines service end based on the identity data of the service end
RSA public keys, and the random identification of service end RSA public key encryption second determined by use, and send to the service end, described
Two random identifications are that the client is generated according to first random identification that decryption is obtained;The service end is deposited using itself
The service end RSA private key corresponding with the service end RSA public key of storage, decryption works as solution through the second random identification of encryption
Close the second random identification for obtaining and the service end are calculated second random according to the first random identification that decryption is obtained
When identifying identical, it was demonstrated that the second random identification through encryption for being received is produced for this session, and the service end is to institute
State the authentication success of client;
The service end and client generate session key by IKE;
The client is encrypted using AES and the session key to packet waiting for transmission, and will be through encryption
Packet transmit to the service end;
The service end decrypts the received packet through encryption using the session key and AES, and performs phase
The operation answered.
2. data transmission method according to claim 1, it is characterised in that the service end and client are handed over by key
Protocol generation session key is changed, including:
The service end is public using client RSA public key encryption Diffie-Hellman public keys, service end Diffie-Hellman
Key and second random identification, and send to the client, the Diffie-Hellman public keys are given birth to by the service end
Into the service end Diffie-Hellman public key is by the service end using the Diffie-Hellman public keys and according to institute
The service end Diffie-Hellman private key for stating the generation of Diffie-Hellman public keys is generated;
The client uses the client RSA private key corresponding with the client RSA public key, decrypts through the client
The Diffie-Hellman public keys of RSA public key encryptions, service end Diffie-Hellman public key and the second random identification;
When decryption obtains correct second random identification, the Diffie-Hellman public keys that the client is obtained according to decryption
Session key is calculated with service end Diffie-Hellman public key;
The client uses service end RSA public key encryption client Diffie-Hellman public key and the second random mark
Know, and send to the service end, wherein, the client Diffie-Hellman public key is by the client according to decrypting
The Diffie-Hellman public keys for arriving and client Diffie-Hellman generated according to the Diffie-Hellman public keys
Private key is generated;
The service end uses the service end RSA private key corresponding with the service end RSA public key, decrypts described through service end
The client Diffie-Hellman public key and the second random identification of RSA public key encryptions;
When correct second random identification is obtained, the service end is obtained according to the Diffie-Hellman public keys and decryption
The client Diffie-Hellman public key calculates session key;
The service end encrypts second random identification using itself calculated session key and the first stream cipher algorithm
The random identification of ciphertext second is generated, and using the random identification of the ciphertext second and the second stream cipher algorithm encrypted authentication data,
And send to the client;
It is random that the client generates ciphertext second using itself calculated session key and first stream cipher algorithm
Mark, and using the random identification of the ciphertext second and second stream cipher algorithm decryption the testing through service end encryption
Card data, when data are correctly verified, it was demonstrated that the service end and the client have calculated correct session
Key.
3. data transmission method according to claim 2, it is characterised in that the client is using AES and described
Session key is encrypted to packet waiting for transmission, and will transmit to the service end through the packet of encryption, including:
The client obtains institute using first stream cipher algorithm and the second random identification described in the session key
State the random identification of ciphertext second;
The client is entered using second stream cipher algorithm and the random identification of the ciphertext second to packet waiting for transmission
Row encryption, generates ciphertext packet, and the packet waiting for transmission includes command information, information and digital signature information,
Wherein, the command information indicates that the service end performs corresponding operation, and the information will be transmitted by the service end
To standard output, the digital signature information is to encrypt the command information, information and second using Digital Signature Algorithm
Random identification is generated.
4. data transmission method according to claim 3, it is characterised in that the service end using the session key and
The packet through client encryption that AES decryption is received, and corresponding operation is performed, including:
The service end generates institute using first stream cipher algorithm and the second random identification described in the session key
State the random identification of ciphertext second;
The service end decrypts the ciphertext data using second stream cipher algorithm and the random identification of the ciphertext second
Bag, obtains the command information, information and digital signature information;
The digital signature information is verified using the Digital Signature Algorithm;
When verifying that the digital signature information is correct, the service end performs corresponding behaviour according to the command information that decryption is obtained
Make.
5. data transmission method according to claim 4, it is characterised in that when verifying that the digital signature information is correct
When, the service end performs corresponding operation according to the command information that decryption is obtained, including:
When the command information is the first numerical value, the service end does not perform any behaviour for the information that decryption is obtained
Make;
When the command information is second value, the service end is interrupted and the client after receiving data terminates
Connection, and serve port is persistently monitored, to determine whether new service request;
When the command information is third value, the service end is interrupted and the client after receiving data terminates
Connect and exit;
When the command information is four numerical value, the service end decompression is described to decrypt the information for obtaining;
When the command information is five numerical value, the service end request is exchanged with the client again through the key
The new session key of protocol generation.
6. data transmission method according to claim 4, it is characterised in that the command information is located at the number to be transmitted
According to the first byte of bag, and corresponding numerical value is set at the end of to the service end transmission data from the client.
7. data transmission method according to claim 4, it is characterised in that when the client is transmitted to the service end
Data volume when reaching predetermined threshold value, the command information is set to the 5th numerical value, the service end and institute by the client
State client and generate new session key again through IKE.
8. data transmission method according to claim 1, it is characterised in that the client is more than.
9. a kind of service end, it is characterised in that include:
First identification authenticating unit, is suitable to carry out information exchange by authentication protocol and client, and to the client body is carried out
Part certification;First identification authenticating unit includes:First storing sub-units, are suitable to storage service end RSA private keys and client
RSA public keys, client RSA public key is indexed by the identity data of the client, wherein, the service end RSA public key and service
End RSA private keys constitute service end RSA key pair, and it is close that the client RSA private key and client RSA public key constitute client RSA
Key pair, the service end RSA key pair and client RSA key are generated to RSA Algorithm is respectively adopted, and client RSA is private
Key and service end RSA public key are stored in the client, and the service end RSA public key is indexed by the identity data of service end;
First encryption sub-unit operable, is suitable to determine according to the identity data of the client for being received the client stored in the first storing sub-units
End RSA public keys, and the identity data of the random identification of client RSA public key encryption first and the service end determined by use,
And the plaintext of the identity data of service end is sent to institute with the identity data of the first random identification through encrypting and service end
State client;First receiving subelement, is suitable to receive the service end RSA public key that client is determined using the identity data of service end
Second random identification of encryption;
First decryption subelement, is suitable for use with the service end RSA private key stored in first storing sub-units, and decryption first connects
Receive that subelement receives through client using service end RSA public key encryption second random identification, when decryption is obtained
Second random identification, with according to calculated second random identification of first random identification it is identical when, it was demonstrated that received
The second random identification through encrypting is produced for this session, and to the authentication success of the client;
First key crosspoint, is suitable to generate session key by IKE with the client;
Receiving unit, is suitable to receive the packet that client uses AES and the session key;
Decryption unit, be adapted in use to first key crosspoint generate session key and the AES, decryption described in connect
Receive the packet through client encryption that unit is received;
Performance element, is suitable to the packet for obtaining and obtaining according to decryption unit decryption, performs corresponding operation.
10. service end according to claim 9, it is characterised in that the first key crosspoint includes:
First generates subelement, is suitable to generate Diffie-Hellman public keys, service end according to Diffie-Hellman algorithms
Diffie-Hellman private keys and service end Diffie-Hellman public key, the Diffie-Hellman public keys are by the service
End generates, and the service end Diffie-Hellman public key is by the service end using the Diffie-Hellman public keys and root
The service end Diffie-Hellman private key generated according to the Diffie-Hellman public keys is generated;
Second receiving subelement, is suitable to receive the identity data of the client that the client is sended over, and receives described
The service request that client sends;
Second encryption sub-unit operable, the identity data for being adapted in use to the client received according to second receiving subelement determines visitor
Family end RSA public keys, and client RSA public key encryption first determined by use generates the Diffie-Hellman that subelement is generated
Public key, service end Diffie-Hellman public key and second random identification;
First sends subelement, is suitable to Diffie-Hellman public keys, the service that will be encrypted through second encryption sub-unit operable
End Diffie-Hellman public keys and second random identification are sent to the client;
3rd receiving subelement, is suitable to receive the service end RSA public affairs that the identity data of the use service end that client sends determines
The client Diffie-Hellman public key and second random identification of key encryption;
Second decryption subelement, is adapted in use to the service end RSA private key stored in the first storing sub-units to connect to the described 3rd
Receive subelement receive through the client using service end RSA public key encryption client Diffie-Hellman public key and
Second random identification;
First computation subunit, is suitable to when the described second decryption subelement decryption obtains correct second random identification,
It is public client Diffie-Hellman to be obtained using the Diffie-Hellman public keys and the second decryption subelement decryption
Key session key;
3rd encryption sub-unit operable, is adapted in use to session key that first computation subunit calculates and the first stream encryption to calculate
Method encrypts second random identification, generates the random identification of ciphertext second, and using the random identification of the ciphertext second and second
Stream cipher algorithm encrypted authentication data, and send to the client.
11. service ends according to claim 10, it is characterised in that the receiving unit includes:
4th receiving subelement, is suitable to receive client using second stream cipher algorithm and the random identification of the ciphertext second
The ciphertext packet generated to Data Packet Encryption waiting for transmission, the packet waiting for transmission includes command information, information
And digital signature information, wherein, the command information indicates that the service end performs corresponding operation, and the information will be by
The service end is transmitted to standard output, the digital signature information be using Digital Signature Algorithm encrypt the command information,
Information and second random identification are generated.
12. service ends according to claim 11, it is characterised in that the decryption unit includes:
3rd decryption subelement, is suitable for use with the second random mark described in first stream cipher algorithm and the session key
Know, generate the random identification of ciphertext second, and using second stream cipher algorithm and the ciphertext the second random identification solution
The close ciphertext packet, obtains the command information, information and digital signature information;
Digital signature authentication unit, is suitable for use with what the Digital Signature Algorithm checking the 3rd decryption subelement decryption was obtained
Digital signature information;
Subelement is performed, is suitable to when the digital signature authentication unit verifies that the digital signature information is correct, according to decryption
The command information for obtaining performs corresponding operation.
13. service ends according to claim 12, it is characterised in that the execution subelement includes:
First performing module, is suitable to, when the command information is the first numerical value, not hold the information for obtaining of decrypting
Any operation of row;
Second performing module, is suitable to, when the command information is second value, interrupt the connection with the client, and continues
Serve port is monitored, to determine whether new service request;
3rd performing module, is suitable to, when the command information is third value, interrupt the connection with the client and exit;
4th performing module, is suitable to when the command information is four numerical value, the information that decompression decryption is obtained;
5th performing module, when the command information is five numerical value, asks with client again session key by described
IKE generates new session key.
14. a kind of clients, it is characterised in that include:
Second identification authenticating unit, is suitable to carry out information exchange by authentication protocol and service end, and to the service end body is carried out
Part certification;Second identification authenticating unit includes:Second storing sub-units, are suitable to store client RSA private key and service end
RSA public keys, service end RSA public key is indexed by the identity data of the service end, wherein, the client RSA private key and client
End RSA public keys constitute client RSA key pair, and it is close that the service end RSA public key and service end RSA private key constitute service end RSA
Key pair, the service end RSA key pair and service end RSA key to being generated using RSA Algorithm, the service end RSA private key and
Client RSA public key is stored in the service end, and the client RSA public key is indexed by the identity data of the client;
Second sends subelement, is suitable to the identity data of the client be sent to the service end, and to the service end clothes are sent
Business request;5th receiving subelement, is suitable to receive the service end using the second identity for sending the client that subelement sends
The identity data and the first random identification of the service end of the client RSA public key encryption that data determine;3rd decryption subelement, fits
The client RSA private key corresponding with client RSA public key stored in using second storing sub-units, decryption is described
5th receiving subelement receive through service end using client RSA public key encryption service end identity data and first with
Machine is identified, when the identity data of the service end that decryption is obtained is consistent with the plaintext of the identity data of the service end for being received, institute
Client is stated to the service end authentication success;4th encryption sub-unit operable, be suitable to when the described 3rd decryption subelement for
During the authentication success of the service end, using the identity number of the service end obtained according to the 3rd decryption subelement decryption
According to determining the service end RSA public key that stores in second storing sub-units, and service end RSA public key encryption determined by use
Second random identification, and send to the service end, second random identification is to be obtained according to the 3rd decryption subelement decryption
The first random identification generate;
Second key exchange unit, is suitable to be given birth to by IKE with the service end through the second identification authenticating unit certification
Into session key;
Ciphering unit, be suitable for use with the session key of the second key exchange unit generation carries out adding to packet waiting for transmission
It is close, and will transmit to the service end through the packet of encryption.
15. clients according to claim 14, it is characterised in that second key exchange unit includes:
6th receiving subelement, is suitable to receive the Diffie- that client RSA public key encryption is used through the service end
Hellman public keys, service end Diffie-Hellman public key and second random identification, the Diffie-Hellman public keys
Generated by the service end, the service end Diffie-Hellman public key utilizes the Diffie- by the service end
Hellman public keys and the service end Diffie-Hellman private key generated according to the Diffie-Hellman public keys are generated;
4th decryption subelement, the visitor corresponding with the client RSA public key for being adapted in use to the second storing sub-units to store
Family end RSA private keys, decrypt the Diffie-Hellman through client RSA public key encryption that the 6th receiving subelement is received
Public key, service end Diffie-Hellman public key and second random identification;
Second generates subelement, and the Diffie-Hellman public keys for being suitable to be obtained according to the 4th decryption subelement decryption generate client
End Diffie-Hellman private keys, and given birth to according to the Diffie-Hellman public keys and client Diffie-Hellman private key
Into client Diffie-Hellman public key;
Second computation subunit, be suitable to when the described 4th decryption subelement decryption obtain correct second random identification when, according to
Diffie-Hellman public keys and the service end Diffie-Hellman public key that the 4th decryption subelement decryption is obtained
Session key;
5th encryption sub-unit operable, is adapted in use to the service end RSA public key stored in the second storing sub-units, encrypts second life
The client Diffie-Hellman public key generated into subelement and second random identification, and send to the service end;
7th receiving subelement, is suitable to receive service end using second described in the first stream cipher algorithm and the session key
Random identification, generates the random identification of ciphertext second, and is encrypted using the random identification of the ciphertext second and the second stream cipher algorithm
Checking data;
5th decryption subelement, is adapted in use to the calculated session key of the second computation subunit and the first stream cipher algorithm to add
Close second random identification, generates the random identification of ciphertext second, and is calculated using the random identification of the ciphertext second and the second stream encryption
Method, decrypts the checking data through service end encryption that the 7th receiving subelement is received, when correctly being verified
During data, it was demonstrated that the client and the service end have calculated correct session key.
16. clients according to claim 15, it is characterised in that the ciphering unit includes:
Information input subelement, is suitable to be input into information waiting for transmission;
6th encryption sub-unit operable, is adapted in use to the session key and first stream cipher algorithm encryption, the second random mark
Know, obtain the random identification of ciphertext second;
Signature generate subelement, be suitable for use with Digital Signature Algorithm encrypted instruction information, the information and described second with
Machine is identified, and generates digital signature information;
7th encryption sub-unit operable, is suitable for use with the ciphertext that the second stream cipher algorithm and the 6th encryption sub-unit operable obtain and marks at random
Know encryption packet waiting for transmission, generate ciphertext packet, the data to be transmitted bag includes the command information, information
The digital signature information that subelement is generated is generated with the signature, wherein, the command information indicates that the service end performs phase
The operation answered, the information will be transmitted to standard output by the service end;
3rd sends subelement, is suitable to the ciphertext packet that the 7th encryption sub-unit operable is generated be sent to the service end.
17. clients according to claim 16, it is characterised in that the ciphering unit also includes:It is single that instruction arranges son
Unit, is suitable to send subelement at the end of service end transmission data the described 3rd, and the command information is set to into corresponding number
Value.
18. clients according to claim 16, it is characterised in that corresponding numerical value include the first numerical value, second
Numerical value, third value, the 4th numerical value or the 5th numerical value;
When the command information is the first numerical value, indicate that service end is any for the information that the decryption is obtained is not performed
Operation;
When the command information is second value, indicate that service end interrupts the connection with client, and indicate that service end continues
Serve port is monitored, to determine whether service request;
When the command information is third value, indicate that service end is interrupted the connection with the client and exited;
When the command information is four numerical value, the information that service end decompression decryption is obtained is indicated;
When the command information is five numerical value, indicate that service end is exchanged with key is re-started, generate new session key.
19. clients according to claim 16, it is characterised in that the ciphering unit also includes:Statistics subelement, fits
The data volume that subelement is sent to the service end is sent in counting the described 3rd.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410240981.7A CN104023013B (en) | 2014-05-30 | 2014-05-30 | Data transmission method, server side and client |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410240981.7A CN104023013B (en) | 2014-05-30 | 2014-05-30 | Data transmission method, server side and client |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104023013A CN104023013A (en) | 2014-09-03 |
| CN104023013B true CN104023013B (en) | 2017-04-12 |
Family
ID=51439583
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410240981.7A Active CN104023013B (en) | 2014-05-30 | 2014-05-30 | Data transmission method, server side and client |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104023013B (en) |
Families Citing this family (42)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104821951B (en) * | 2015-05-26 | 2019-04-19 | 新华三技术有限公司 | A kind of method and apparatus of secure communication |
| CN106341375B (en) * | 2015-07-14 | 2021-01-01 | 腾讯科技(深圳)有限公司 | Method and system for realizing encrypted access of resources |
| CN107113171B (en) | 2015-12-10 | 2019-03-29 | 深圳市大疆创新科技有限公司 | Safe communication system, method and device |
| CN105939520A (en) * | 2016-03-18 | 2016-09-14 | 李明 | Method, device and system for establishing communication connection |
| CN105719120B (en) * | 2016-04-25 | 2019-11-15 | 成都木马人网络科技有限公司 | A method of encryption express delivery list privacy information |
| CN106101097A (en) * | 2016-06-08 | 2016-11-09 | 美的集团股份有限公司 | Home appliance and with the communication system of Cloud Server and method, Cloud Server |
| CN106250517A (en) * | 2016-08-02 | 2016-12-21 | 广东电网有限责任公司中山供电局 | The storage system and method for regional power grid power consumption data |
| CN106161472A (en) * | 2016-09-05 | 2016-11-23 | 上海前隆金融信息服务有限公司 | A kind of method of data encryption, Apparatus and system |
| CN106453319A (en) * | 2016-10-14 | 2017-02-22 | 北京握奇智能科技有限公司 | Data transmission system and method based on security module |
| CN106790223B (en) * | 2017-01-13 | 2020-10-20 | 无锡英威腾电梯控制技术有限公司 | Data transmission method, equipment and system |
| CN106777362A (en) * | 2017-01-19 | 2017-05-31 | 杭州云灵科技有限公司 | A kind of information collecting method of the html pages |
| CN106953728B (en) * | 2017-03-28 | 2020-08-25 | 联想(北京)有限公司 | Data transmission method and electronic equipment |
| CN107231354A (en) * | 2017-06-02 | 2017-10-03 | 四川铭扬通信科技有限公司 | The data transmission method and system of a kind of data transmission unit |
| CN107425959A (en) * | 2017-06-20 | 2017-12-01 | 郑州云海信息技术有限公司 | A kind of method for realizing encryption, system, client and service end |
| CN107231368A (en) * | 2017-06-22 | 2017-10-03 | 四川长虹电器股份有限公司 | The method for lifting the software interface security that Internet is opened |
| EP3710972A1 (en) * | 2017-11-23 | 2020-09-23 | Huawei Technologies Co., Ltd. | System and method for storing encrypted data |
| CN107979596B (en) * | 2017-11-24 | 2020-10-16 | 武汉斗鱼网络科技有限公司 | Method and system for preventing people from being refreshed in live broadcast |
| CN108471423B (en) * | 2018-04-02 | 2021-03-09 | 北京奇艺世纪科技有限公司 | Method and system for obtaining private key |
| CN108923956A (en) * | 2018-06-13 | 2018-11-30 | 广州微林软件有限公司 | A kind of method of network data transmission |
| CN109587149A (en) * | 2018-12-11 | 2019-04-05 | 许昌许继软件技术有限公司 | A kind of safety communicating method and device of data |
| CN109617886B (en) * | 2018-12-21 | 2021-07-27 | 广东宏大欣电子科技有限公司 | Client data encryption method and server data encryption method based on TCP communication |
| JP2022523068A (en) * | 2019-01-28 | 2022-04-21 | コネクトアイキュー・インコーポレイテッド | Systems and methods for secure electronic data transfer |
| CN111614596B (en) * | 2019-02-22 | 2021-07-09 | 北京大学 | Remote equipment control method and system based on IPv6 tunnel technology |
| EP3713188A1 (en) | 2019-03-19 | 2020-09-23 | Siemens Mobility GmbH | Method and apparatus for data transmission between two networks |
| CN111753312B (en) * | 2019-03-26 | 2023-09-08 | 钉钉控股(开曼)有限公司 | Data processing method, device, equipment and system |
| CN110430204A (en) * | 2019-08-12 | 2019-11-08 | 徐州恒佳电子科技有限公司 | A kind of modified JSON safety communicating method based on third party's password book server |
| CN110519054A (en) * | 2019-08-29 | 2019-11-29 | 四川普思科创信息技术有限公司 | A method of internet of things data safeguard protection is carried out based on reliable computing technology |
| CN110808829B (en) * | 2019-09-27 | 2023-04-18 | 国电南瑞科技股份有限公司 | SSH authentication method based on key distribution center |
| CN113114610B (en) * | 2020-01-13 | 2022-11-01 | 杭州萤石软件有限公司 | Stream taking method, device and equipment |
| CN111327629B (en) * | 2020-03-04 | 2021-07-27 | 广州柏视医疗科技有限公司 | Identity verification method, client and server |
| CN111756690A (en) * | 2020-05-19 | 2020-10-09 | 北京明略软件系统有限公司 | Data processing system, method and server |
| CN111800467B (en) * | 2020-06-04 | 2023-02-14 | 河南信大网御科技有限公司 | Remote synchronous communication method, data interaction method, equipment and readable storage medium |
| CN112351023A (en) * | 2020-10-30 | 2021-02-09 | 杭州安恒信息技术股份有限公司 | Data sharing and transmission method and system |
| CN112702712A (en) * | 2020-12-25 | 2021-04-23 | 江苏鸣实纯钧科技有限公司 | Method and system for encrypted data transmission of vehicle-mounted terminal |
| CN112861148B (en) * | 2021-01-28 | 2022-02-18 | 北京深思数盾科技股份有限公司 | Data processing method, server, client and encryption machine |
| CN113037484B (en) * | 2021-05-19 | 2021-08-24 | 银联商务股份有限公司 | Data transmission method, device, terminal, server and storage medium |
| CN113572741A (en) * | 2021-06-30 | 2021-10-29 | 深圳市证通云计算有限公司 | Method for realizing safe data transmission based on SM2-SM3-SM4 algorithm |
| CN113364816B (en) * | 2021-08-11 | 2021-10-26 | 北京蔚领时代科技有限公司 | Data transmission system based on multi-channel exchange protocol |
| CN114143026B (en) * | 2021-10-26 | 2024-01-23 | 福建福诺移动通信技术有限公司 | Data security interface based on asymmetric and symmetric encryption and working method thereof |
| CN114513339A (en) * | 2022-01-21 | 2022-05-17 | 国网浙江省电力有限公司金华供电公司 | Security authentication method, system and device |
| CN115001705B (en) * | 2022-05-25 | 2024-01-26 | 深圳市证通电子股份有限公司 | Network protocol security improving method based on encryption equipment |
| CN117475533A (en) * | 2022-07-21 | 2024-01-30 | 广州汽车集团股份有限公司 | Data transmission method and device, equipment and computer readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101459506A (en) * | 2007-12-14 | 2009-06-17 | 华为技术有限公司 | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation |
| CN101771535A (en) * | 2008-12-30 | 2010-07-07 | 上海茂碧信息科技有限公司 | Mutual authentication method between terminal and server |
| CN103354498A (en) * | 2013-05-31 | 2013-10-16 | 北京鹏宇成软件技术有限公司 | Identity-based file encryption transmission method |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7975139B2 (en) * | 2001-05-01 | 2011-07-05 | Vasco Data Security, Inc. | Use and generation of a session key in a secure socket layer connection |
| US20040003287A1 (en) * | 2002-06-28 | 2004-01-01 | Zissimopoulos Vasileios Bill | Method for authenticating kerberos users from common web browsers |
-
2014
- 2014-05-30 CN CN201410240981.7A patent/CN104023013B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101459506A (en) * | 2007-12-14 | 2009-06-17 | 华为技术有限公司 | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation |
| CN101771535A (en) * | 2008-12-30 | 2010-07-07 | 上海茂碧信息科技有限公司 | Mutual authentication method between terminal and server |
| CN103354498A (en) * | 2013-05-31 | 2013-10-16 | 北京鹏宇成软件技术有限公司 | Identity-based file encryption transmission method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104023013A (en) | 2014-09-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104023013B (en) | Data transmission method, server side and client | |
| CN104219228B (en) | A kind of user's registration, user identification method and system | |
| US9166793B2 (en) | Efficient authentication for mobile and pervasive computing | |
| CN108111301A (en) | The method and its system for realizing SSH agreements are exchanged based on rear quantum key | |
| CN108347419A (en) | Data transmission method and device | |
| CN109951513B (en) | Quantum-resistant computing smart home quantum cloud storage method and system based on quantum key card | |
| CN102780698A (en) | User terminal safety communication method in platform of Internet of Things | |
| CN104935553B (en) | Unified identity authentication platform and authentication method | |
| Chen et al. | Privacy-preserving encrypted traffic inspection with symmetric cryptographic techniques in IoT | |
| CN110247881A (en) | Identity identifying method and system based on wearable device | |
| US20230188325A1 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
| CN106850191A (en) | The encryption and decryption method and device of distributed memory system communication protocol | |
| CN110020524A (en) | A kind of mutual authentication method based on smart card | |
| CN114143117B (en) | Data processing method and device | |
| US11528127B2 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
| CN112235107A (en) | Data transmission method, device, equipment and storage medium | |
| CN107483388A (en) | A kind of safety communicating method and its terminal and high in the clouds | |
| CN114915396B (en) | Hopping key digital communication encryption system and method based on national encryption algorithm | |
| CN111416712B (en) | Quantum secret communication identity authentication system and method based on multiple mobile devices | |
| CN109104278A (en) | A kind of encrypting and decrypting method | |
| CN106230840B (en) | A kind of command identifying method of high security | |
| CN107276996A (en) | The transmission method and system of a kind of journal file | |
| CN110519052A (en) | Data interactive method and device based on Internet of Things operating system | |
| CN108599941A (en) | Random asymmetries expand byte encryption of communicated data method | |
| CN112822015B (en) | Information transmission method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB03 | Change of inventor or designer information |
Inventor after: Zhang Jingyi Inventor after: Kang Kai Inventor before: Zhang Jingyi |
|
| COR | Change of bibliographic data | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |