CN108156112A - Data ciphering method, electronic equipment and network side equipment - Google Patents


Info

Publication number: CN108156112A
Authority: CN (China)
Prior art keywords: key, electronic equipment, session, root, session key
Legal status: Granted
Application number: CN201611096712.3A
Other languages: Chinese (zh)
Other versions: CN108156112B (en)
Inventors: 廖红卫, 侯乐武, 张闯, 赵建森
Current assignee: TD Tech Ltd; TD Tech Chengdu Co Ltd
Original assignee: TD Tech Ltd

Application filed by TD Tech Ltd
Priority to CN201611096712.3A
Publication of CN108156112A
Application granted
Publication of CN108156112B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Computer And Data Communications
  • Mobile Radio Communication Systems
  • Telephonic Communication Services
  • Storage Device Security

Abstract

The present invention provides a data encryption method, an electronic device and a network-side device. The data encryption method includes: receiving a second session key sent by a key distribution center (KDC), the second session key having been obtained by the KDC by encrypting a first session key; decrypting the second session key with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered; and processing the data of the electronic device with the first session key. In the data encryption method, electronic device and network-side device provided by the invention, the first session key is encrypted under a root key that is stored in the electronic device and corresponds uniquely to it, which protects the first session key and thereby improves the security of the communication.

Description

Data ciphering method, electronic equipment and network side equipment
Technical field
The present invention relates to communication technology, and in particular to a data encryption method, an electronic device and a network-side device.
Background art
With the development of communication technology, people's requirements on the security of communication have also become more stringent. For example, the content of a communication needs to be encrypted while the communication is in progress, so that the communication is secure and its content cannot be stolen by others.
In the prior art, before each communication a key distribution center (KDC) sends the key used to encrypt the data of that communication to both the sending end and the receiving end. The sending end encrypts the communication data with the key before sending it, and the receiving end obtains the communication data only after decrypting the received encrypted data with the key, which is how the security of the communication is ensured.
With the prior art, if the key for the communication data is leaked or intercepted, the encryption of the communication data is compromised and the security of the communication is reduced.
Summary of the invention
The present invention provides a data encryption method, an electronic device and a network-side device that improve the security of communication.
The present invention provides a data encryption method, including:
receiving a second session key sent by a key distribution center (KDC), the second session key having been obtained by the KDC by encrypting a first session key;
decrypting the second session key with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key was distributed to the electronic device by the KDC when the electronic device registered; and
processing the data of the electronic device with the first session key.
In an embodiment of the present invention, the second session key is obtained by the KDC by encrypting the first session key with a first service key;
before receiving the second session key sent by the KDC, the method further includes:
receiving a second service key sent by the KDC, the second service key having been obtained by the KDC by encrypting the first service key with the root key;
and decrypting the second session key with the root key to obtain the first session key includes:
decrypting the second service key with the root key to obtain the first service key; and
decrypting the second session key with the first service key to obtain the first session key.
In an embodiment of the present invention, the electronic device stores the root key, the first service key, the second service key, the first session key and the second session key in the trusted execution environment operating system (TeeOS) of the electronic device;
and decrypting the second session key with the root key to obtain the first session key includes:
decrypting the second session key with the root key inside the TeeOS to obtain the first session key.
In an embodiment of the present invention, processing the data with the first session key includes:
encrypting first data with the first session key to obtain second data; and
sending the second data;
and before receiving the second session key sent by the KDC, the method further includes:
sending a data encryption request to the KDC.
In an embodiment of the present invention, processing the data with the first session key includes:
receiving second data; and
decrypting the second data with the first session key to obtain first data.
In an embodiment of the present invention, the root key is an asymmetric key: after the KDC generates the public key and the private key of the root key, the KDC keeps the public key of the root key and sends the private key of the root key to the electronic device;
and decrypting the second session key with the root key to obtain the first session key includes:
decrypting the second session key with the private key of the root key to obtain the first session key.
In an embodiment of the present invention, the KDC and the electronic device communicate over Secure Sockets Layer (SSL).
The present invention provides a data encryption method, including:
encrypting a first session key to obtain a second session key; and
sending the second session key to an electronic device, so that the electronic device decrypts the second session key with a root key to obtain the first session key and processes its data with the first session key, where the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key was distributed to the electronic device by a key distribution center (KDC) when the electronic device registered.
In an embodiment of the present invention, encrypting the first session key to obtain the second session key includes:
encrypting the first session key with a first service key to obtain the second session key;
before encrypting the first session key to obtain the second session key, the method further includes:
encrypting the first service key with the root key of the electronic device to obtain a second service key;
and after encrypting the first session key to obtain the second session key, the method further includes:
sending the second service key to the electronic device.
In an embodiment of the present invention, the root key is an asymmetric key: after the KDC generates the public key and the private key of the root key, the KDC keeps the public key of the root key and sends the private key of the root key to the electronic device;
and encrypting the first service key with the root key of the electronic device to obtain the second service key includes:
encrypting the first service key with the public key of the root key of the electronic device to obtain the second service key.
The present invention provides an electronic device, including:
a receiving module, configured to receive a second session key sent by a key distribution center (KDC), the second session key having been obtained by the KDC by encrypting a first session key;
a decryption module, configured to decrypt the second session key with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key was distributed to the electronic device by the KDC when the electronic device registered; and
a processing module, configured to process the data of the electronic device with the first session key.
In an embodiment of the present invention, the second session key is obtained by the KDC by encrypting the first session key with a first service key;
the receiving module is further configured to receive a second service key sent by the KDC, the second service key having been obtained by the KDC by encrypting the first service key with the root key;
and the decryption module is specifically configured to:
decrypt the second service key with the root key to obtain the first service key; and
decrypt the second session key with the first service key to obtain the first session key.
In an embodiment of the present invention, the electronic device stores the root key, the first service key, the second service key, the first session key and the second session key in the trusted execution environment operating system (TeeOS) of the electronic device;
and the decryption module is specifically configured to decrypt the second session key with the root key inside the TeeOS to obtain the first session key.
In an embodiment of the present invention, the processing module is specifically configured to:
encrypt first data with the first session key to obtain second data; and
send the second data;
and the electronic device further includes a sending module, configured to send a data encryption request to the KDC.
In an embodiment of the present invention, the root key is an asymmetric key: after the KDC generates the public key and the private key of the root key, the KDC keeps the public key of the root key and sends the private key of the root key to the electronic device;
and the decryption module is specifically configured to decrypt the second session key with the private key of the root key to obtain the first session key.
In an embodiment of the present invention, the processing module is specifically configured to:
receive second data; and
decrypt the second data with the first session key to obtain first data.
In an embodiment of the present invention, the KDC and the electronic device communicate over Secure Sockets Layer (SSL).
The present invention provides a network-side device, including:
an encryption module, configured to encrypt a first session key to obtain a second session key; and
a sending module, configured to send the second session key to an electronic device, so that the electronic device decrypts the second session key with a root key to obtain the first session key and processes its data with the first session key, where the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key was distributed to the electronic device by a key distribution center (KDC) when the electronic device registered.
In an embodiment of the present invention, the encryption module is specifically configured to encrypt the first session key with a first service key to obtain the second session key;
the encryption module is further configured to encrypt the first service key with the root key of the electronic device to obtain a second service key;
and the sending module is further configured to send the second service key to the electronic device.
In an embodiment of the present invention, the root key is an asymmetric key: after the KDC generates the public key and the private key of the root key, the KDC keeps the public key of the root key and sends the private key of the root key to the electronic device;
and the encryption module is specifically configured to encrypt the first service key with the public key of the root key of the electronic device to obtain the second service key.
The present invention provides a data encryption method, an electronic device and a network-side device. The data encryption method includes: receiving a second session key sent by a key distribution center (KDC), the second session key having been obtained by the KDC by encrypting a first session key; decrypting the second session key with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered; and processing the data of the electronic device with the first session key. Because the first session key is encrypted under a root key that is stored in the electronic device and corresponds uniquely to it, the first session key is protected and the security of the communication is improved.
Brief description of the drawings
In order to describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of embodiment one of the data encryption method of the present invention;
Fig. 2 is a flow diagram of embodiment two of the data encryption method of the present invention;
Fig. 3 is a flow diagram of embodiment three of the data encryption method of the present invention;
Fig. 4 is a flow diagram of embodiment four of the data encryption method of the present invention;
Fig. 5 is a flow diagram of embodiment five of the data encryption method of the present invention;
Fig. 6 is a flow diagram of embodiment six of the data encryption method of the present invention;
Fig. 7 is a structural diagram of embodiment one of the electronic device of the present invention;
Fig. 8 is a structural diagram of embodiment two of the electronic device of the present invention;
Fig. 9 is a structural diagram of an embodiment of the network-side device of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth" and the like (if any) in the description, the claims and the drawings above are used to distinguish similar objects and do not describe a specific order or sequence. It should be understood that data labelled in this way can be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in an order other than the one illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, and may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.
The technical solution of the present invention is described in detail below with specific embodiments. The specific embodiments below can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a flow diagram of embodiment one of the data encryption method of the present invention. The method of this embodiment is executed by an electronic device that can access a communication network and has a communication function, such as a mobile terminal, a tablet computer or a laptop computer. As shown in Fig. 1, the data encryption method of this embodiment includes the following steps:
S101: receive a second session key sent by a key distribution center (KDC), the second session key having been obtained by the KDC by encrypting a first session key.
Specifically, to encrypt its communication data the electronic device needs the KDC to distribute a first session key with which its data is encrypted. Since the first session key is a symmetric key, the electronic device on the sending side encrypts the data with the first session key and sends it to the electronic device on the receiving side, and the receiving electronic device decrypts the encrypted data with the first session key to obtain the original data, which realizes encrypted data communication. In S101, after the KDC has distributed the first session key for the electronic device it does not send it to the electronic device directly, but encrypts the first session key into a second session key, and the electronic device receives the first session key in the form of the second session key.
S102: decrypt the second session key with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key was distributed to the electronic device by the KDC when the electronic device registered.
After the electronic device has received the second session key sent by the KDC in S101, it decrypts the second session key with the root key to obtain the first session key used for encrypting data. Here the root key corresponds uniquely to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered.
Registration of the electronic device refers to the first time the electronic device accesses the network to use a service; for example, the first time the subscriber identity module (Subscriber Identification Module, SIM) card inserted into a mobile device for network access attaches to the network of the SIM card's operator. The electronic device may actively apply to the KDC for the root key, or the KDC may actively distribute the root key to the electronic device. Optionally, the root key is stored in the trusted execution environment operating system (Trusted Execution Environment, TeeOS) of the electronic device.
Specifically, the root key is distributed to the electronic device by the KDC. Since the root key corresponds uniquely to the electronic device, the KDC may distribute a unique root key to the electronic device, or a code that can distinguish the identity of the electronic device, such as its International Mobile Equipment Identity (IMEI) or the International Mobile Subscriber Identification Number (IMSI), may be used as the root key.
S103: process the data of the electronic device with the first session key.
After S101 and S102 the electronic device has obtained the first session key for encrypting data that was distributed by the KDC, and it then processes its data with the first session key. The processing is as follows: if the electronic device is the data sender, it encrypts the data with the first session key; if the electronic device is the data receiver, it decrypts the data with the first session key; S103 does not limit this. Optionally, this step is executed in the TeeOS of the electronic device.
This embodiment provides a data encryption method in which a second session key sent by a key distribution center (KDC) is received, the second session key having been obtained by the KDC by encrypting a first session key; the second session key is decrypted with a root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered; and the data of the electronic device is processed with the first session key. In the data encryption method of this embodiment, the first session key is encrypted under a root key that is stored in the electronic device and corresponds uniquely to it, which protects the first session key and thereby improves the security of the communication.
Fig. 2 is a flow diagram of embodiment two of the data encryption method of the present invention. As shown in Fig. 2, on the basis of embodiment one shown in Fig. 1, the data encryption method of this embodiment includes the following steps:
S201: receive a second service key sent by the KDC, the second service key having been obtained by the KDC by encrypting a first service key with the root key.
Specifically, the first service key is a key that the KDC assigns to each service of the electronic device; different services use different keys so that they are distinguished when data is encrypted, and this step does not limit the specific form of the encryption performed with the first service key. The electronic device receives the second service key sent by the KDC: after the KDC has assigned the first service key for the electronic device it does not send it to the electronic device directly, but encrypts the first service key into a second service key, and the electronic device receives the first service key in the form of the second service key.
S202: receive a second session key sent by the KDC, the second session key having been obtained by the KDC by encrypting the first session key with the first service key.
Specifically, to encrypt its communication data the electronic device needs the KDC to distribute a first session key with which its data is encrypted. Since the first session key is a symmetric key, the electronic device on the sending side encrypts the data with the first session key and sends it to the electronic device on the receiving side, and the receiving electronic device decrypts the encrypted data with the first session key to obtain the original data, which realizes encrypted data communication. In this step, after the KDC has distributed the first session key for the electronic device it does not send it directly, but encrypts the first session key with the first service key into a second session key, where the first service key is the one the KDC assigned to the electronic device in S201, and the electronic device receives the first session key in the form of the second session key.
S203: decrypt the second service key with the root key to obtain the first service key.
After the electronic device has received the second service key sent by the KDC in S201, it decrypts the second service key with the root key to obtain the first service key, which is the key used to encrypt the first session key. Here the root key corresponds uniquely to the electronic device, is stored in the electronic device, and was distributed to the electronic device by the KDC when the electronic device registered. Optionally, this step is executed in the TeeOS of the electronic device.
S204: decrypt the second session key with the first service key to obtain the first session key.
Specifically, the electronic device decrypts the second session key with the first service key obtained in S203 to obtain the first session key, the second session key having been obtained by the KDC by encrypting the first session key with the first service key. Optionally, this step is executed in the TeeOS of the electronic device.
S205: process the data of the electronic device with the first session key.
The principle and specific implementation of this step are the same as those of S103 and are not repeated.
Optionally, in embodiment two above, the electronic device stores the root key, the first service key, the second service key, the first session key and the second session key in its trusted execution environment operating system (TeeOS). Then S203 includes decrypting the second service key with the root key inside the TeeOS to obtain the first service key, and S204 includes decrypting the second session key with the first service key inside the TeeOS to obtain the first session key. That is, the electronic device performs all of its encryption and decryption steps inside the TeeOS.
Fig. 3 is a flow diagram of embodiment three of the data encryption method of the present invention. As shown in Fig. 3, on the basis of embodiment two shown in Fig. 2, the executing entity of this embodiment is the electronic device that sends data, and the data encryption method of this embodiment includes the following steps:
S301: send a data encryption request to the KDC.
Specifically, when a first electronic device needs to send data to a second electronic device, after a connection has been established between the first electronic device and the second electronic device, the first electronic device sends a data encryption request to the KDC to request the first session key for encrypting the data.
In particular, when the data sent between the first electronic device and the second electronic device is voice call data, the first electronic device is the calling device and the second electronic device is the called device; that is, the data encryption request is sent to the KDC by the calling device.
S302: receive a second service key sent by the KDC, the second service key having been obtained by the KDC by encrypting a first service key with the root key.
The principle and specific implementation of this step are the same as those of S201 and are not repeated.
S303: receive a second session key sent by the KDC, the second session key having been obtained by the KDC by encrypting the first session key with the first service key.
The principle and specific implementation of this step are the same as those of S202 and are not repeated.
S304: decrypt the second service key with the root key to obtain the first service key.
The principle and specific implementation of this step are the same as those of S203 and are not repeated.
S305: decrypt the second session key with the first service key to obtain the first session key.
The principle and specific implementation of this step are the same as those of S204 and are not repeated.
S306: encrypt first data with the first session key to obtain second data.
Specifically, the electronic device encrypts the first data that it is about to send with the first session key obtained through the multi-stage decryption of S304 to S305, obtaining the second data. Optionally, this step is executed in the TeeOS of the electronic device.
S307: send the second data.
Specifically, the electronic device sends the first data in the form of the encrypted second data. It may send the second data directly to the electronic device at the receiving end, or send it to the operator network, which then forwards it to the other electronic device.
Fig. 4 is a flow diagram of a fourth embodiment of the data encryption method of the present invention. As shown in Fig. 4, building on the second embodiment shown in Fig. 2, the executing entity of this embodiment is the electronic device that receives the data, and the data encryption method of this embodiment includes the following steps:
S401: Receive the second business key sent by the KDC, the second business key being obtained by the KDC by encrypting the first business key according to the root key.
The principle and specific implementation of this step are the same as for S201 and are not repeated here.
S402: Receive the second session key sent by the KDC, the second session key being obtained by the KDC by encrypting the first session key according to the first business key.
The principle and specific implementation of this step are the same as for S202 and are not repeated here.
S403: Decrypt the second business key according to the root key to obtain the first business key.
The principle and specific implementation of this step are the same as for S203 and are not repeated here.
S404: Decrypt the second session key according to the first business key to obtain the first session key.
The principle and specific implementation of this step are the same as for S204 and are not repeated here.
S405: Receive the second data.
Specifically, the electronic device receives the second data, where the second data is the first data encrypted with the first session key.
S406: Decrypt the second data with the first session key to obtain the first data.
Specifically, the electronic device uses the first session key obtained by the multistage decryption of S403 to S404 to decrypt the second data it has received, obtaining the first data. Optionally, this step is performed in the TeeOS of the electronic device.
Optionally, the root key is an asymmetric cryptographic key. The root key generated by the KDC then comprises a public key and a private key: after the KDC generates the public key and the private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device. S203 then comprises decrypting the second session key according to the private key of the root key to obtain the first session key.
Specifically, the public key and the private key of the root key are a matching pair: when one is used for encryption, the other is correspondingly used for decryption. In this embodiment, the KDC encrypts the first business key with the public key of the root key to obtain the second business key, and the electronic device decrypts the second business key with the private key of the root key to obtain the first business key.
Optionally, in the above embodiments, the KDC and the electronic device communicate over Secure Sockets Layer (SSL) to secure the communication between the electronic device and the KDC.
Fig. 5 is a flow diagram of a fifth embodiment of the data encryption method of the present invention. The executing entity of this embodiment is the KDC in the network-side device. As shown in Fig. 5, the data encryption method of this embodiment includes the following steps:
S501: Encrypt the first session key to obtain the second session key.
Specifically, to encrypt the data communicated by the electronic device, the network-side device has the KDC distribute the first session key to the electronic device, and the electronic device's data is encrypted with that first session key. In S501, after the KDC allocates the first session key for the electronic device, it does not send it to the electronic device directly but first encrypts the first session key into the second session key. Optionally, this step is performed in the TeeOS of the electronic device.
S502: Send the second session key to the electronic device, so that the electronic device decrypts the second session key according to the root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and is allocated to the electronic device by the key management and distribution center (KDC) when the electronic device registers, and so that the electronic device processes data according to the first session key.
Specifically, the KDC sends the first session key to the electronic device in the form of the second session key encrypted in S501, so that after receiving the second session key the electronic device decrypts it according to the root key to obtain the first session key used to encrypt data. The root key corresponds uniquely to the electronic device, is stored in the electronic device, and is allocated to the electronic device by the KDC when the electronic device registers.
Here, registration of the electronic device refers to the first time the electronic device accesses the network to use a service, for example when a SIM card is inserted into a mobile device and the device accesses the SIM card's operator network for the first time. The electronic device may actively apply to the KDC for a root key, or the KDC may actively allocate a root key to the electronic device. Optionally, the root key is stored in the TeeOS of the electronic device.
Specifically, the root key is allocated to the electronic device by the KDC. Since the root key corresponds uniquely to the electronic device, the KDC may allocate a unique root key to the electronic device, or a code that can distinguish the identity of the electronic device, such as its IMEI or IMSI, may be used as the root key.
Fig. 6 is a flow diagram of a sixth embodiment of the data encryption method of the present invention. As shown in Fig. 6, building on the embodiment shown in Fig. 5, the data encryption method of this embodiment includes the following steps:
S601: Encrypt the first business key according to the root key of the electronic device to obtain the second business key.
Specifically, the first business key is a key that the KDC allocates to a particular service of the electronic device; different services use different keys so that they can be distinguished when data is encrypted. The specific form of encryption using the first business key is not limited in this step. After allocating the first business key for the electronic device, the KDC does not send it to the electronic device directly but encrypts the first business key according to the root key of the electronic device into the second business key.
S602: Encrypt the first session key according to the first business key to obtain the second session key.
In this step, after the KDC allocates the first session key for the electronic device, it does not send it to the electronic device directly but encrypts the first session key with the first business key into the second session key, the first business key being the one that the KDC allocated to the electronic device in S601.
S603: Send the second business key to the electronic device.
Specifically, the first business key is sent to the electronic device in the form of the second business key.
S604: Send the second session key to the electronic device.
Specifically, the KDC sends the first session key to the electronic device in the form of the second session key.
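The KDC-side steps S601 to S604 and the device-side multistage decryption of S304/S305 and S403/S404, as an added worked example in Go. It is not code from the patent or from TD Tech, and it fixes choices the patent leaves open: a symmetric 256-bit root key generated at registration (rather than an IMEI/IMSI-derived value), AES-GCM as the wrapping cipher at both levels, an in-memory root-key table in the KDC standing in for the registration record, and a hypothetical `Bundle` carrying what S603 and S604 send. The names `KDC`, `Device`, `Bundle`, `Register`, `Wrap` and `Unwrap` are the example's own; the TeeOS boundary and the SSL transport between KDC and device are not simulated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG for keys and GCM nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand never returns an error as of Go 1.24; it aborts instead
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal wraps plaintext as nonce||ciphertext||tag under a 32-byte AES-GCM key; the
// service name rides along as associated data so a blob cannot be reused for another service.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or any modified byte.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Bundle is what the KDC sends in S603/S604 (hypothetical message format).
type Bundle struct {
	Service            string
	WrappedBusinessKey []byte // "second business key": first business key under the root key
	WrappedSessionKey  []byte // "second session key": first session key under the first business key
}

type Device struct{ rootKey []byte }          // in the patent this state lives in TeeOS
type KDC struct{ rootKeys map[string][]byte } // one root key per registered device

func NewKDC() *KDC { return &KDC{rootKeys: map[string][]byte{}} }

// Register generates the root key at registration time and provisions it into the device.
func (k *KDC) Register(deviceID string) *Device {
	k.rootKeys[deviceID] = randBytes(32)
	return &Device{rootKey: k.rootKeys[deviceID]}
}

// Wrap is S601 and S602 for one device: a fresh per-service business key is wrapped
// under the device's root key, and the session key under that business key.
func (k *KDC) Wrap(deviceID, service string, sessionKey []byte) (Bundle, error) {
	rk, ok := k.rootKeys[deviceID]
	if !ok {
		return Bundle{}, fmt.Errorf("device %q is not registered", deviceID)
	}
	businessKey := randBytes(32)
	wb, err := seal(rk, businessKey, []byte(service))
	if err != nil {
		return Bundle{}, err
	}
	ws, err := seal(businessKey, sessionKey, []byte(service))
	if err != nil {
		return Bundle{}, err
	}
	return Bundle{service, wb, ws}, nil
}

// Unwrap is the multistage decryption of S304/S305 and S403/S404.
func (d *Device) Unwrap(b Bundle) ([]byte, error) {
	businessKey, err := open(d.rootKey, b.WrappedBusinessKey, []byte(b.Service))
	if err != nil {
		return nil, fmt.Errorf("business key: %w", err)
	}
	sessionKey, err := open(businessKey, b.WrappedSessionKey, []byte(b.Service))
	if err != nil {
		return nil, fmt.Errorf("session key: %w", err)
	}
	return sessionKey, nil
}

func main() {
	kdc := NewKDC()
	dev := kdc.Register("caller")
	b, _ := kdc.Wrap("caller", "voice", randBytes(32))
	fmt.Println(dev.Unwrap(b)) // prints the recovered 32-byte session key and <nil>
}
```

For a call between two devices the KDC generates one first session key (S501) and calls `Wrap` once per device, so each party receives the same session key inside a bundle wrapped under its own root and business keys; a bundle issued to one device fails authentication on the other, and so does a bundle whose service label has been changed, because the service name is bound in as associated data. Encrypting the first data into the second data (S306) and recovering it (S406) is the same `seal`/`open` pair applied to the payload under the recovered session key.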
Optionally, the root key is an asymmetric cryptographic key. The root key generated by the KDC then comprises a public key and a private key: after the KDC generates the public key and the private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device. S601 then comprises encrypting the first business key according to the public key of the root key of the electronic device to obtain the second business key.
Specifically, the public key and the private key of the root key are a matching pair: when one is used for encryption, the other is correspondingly used for decryption. In this embodiment, the KDC encrypts the first business key with the public key of the root key to obtain the second business key, and the electronic device decrypts the second business key with the private key of the root key to obtain the first business key.
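The asymmetric root-key variant of S601, as an added example in Go that is not part of the patent: the KDC keeps only the public half of the root key and wraps the first business key with it, and only the device, which holds the private half, can unwrap. The patent does not name the asymmetric algorithm; RSA-OAEP with SHA-256 is assumed here, and `RootKeyPair`, `GenerateRootKey`, `WrapBusinessKey` and `UnwrapBusinessKey` are the example's own names. Session-key wrapping under the business key is unchanged from the symmetric case and is omitted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// RootKeyPair is the asymmetric root key split as the patent describes: the KDC
// retains only the public half, and the private half is provisioned to the device.
type RootKeyPair struct {
	KDCPublic     *rsa.PublicKey
	DevicePrivate *rsa.PrivateKey
}

// GenerateRootKey is the registration-time step that creates and splits the pair.
func GenerateRootKey() (*RootKeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RootKeyPair{KDCPublic: &priv.PublicKey, DevicePrivate: priv}, nil
}

// label ties the ciphertext to its purpose; OAEP rejects decryption under a different label.
var label = []byte("business-key-wrap")

// WrapBusinessKey is S601 in the asymmetric variant: the KDC encrypts the first business
// key under the root public key to produce the second business key. RSA-OAEP/SHA-256
// stands in for the algorithm the patent leaves unspecified.
func WrapBusinessKey(pub *rsa.PublicKey, businessKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, businessKey, label)
}

// UnwrapBusinessKey is the device side after S603: only the holder of the root
// private key recovers the first business key, so the KDC itself cannot reverse S601.
func UnwrapBusinessKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
}

func main() {
	kp, err := GenerateRootKey()
	if err != nil {
		panic(err)
	}
	businessKey := make([]byte, 32) // constructed first business key
	rand.Read(businessKey)
	wrapped, _ := WrapBusinessKey(kp.KDCPublic, businessKey)
	got, err := UnwrapBusinessKey(kp.DevicePrivate, wrapped)
	fmt.Println(len(wrapped), string(got) == string(businessKey), err)
}
```

Because the KDC hands the private half to the device at registration, the confidentiality of that one transfer is what the scheme rests on; the page's SSL channel between KDC and device is the mechanism it names for protecting it.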
Fig. 7 is a structural diagram of a first embodiment of the electronic device of the present invention. As shown in Fig. 7, the electronic device of this embodiment includes a receiving module 701, a decryption module 702 and a processing module 703. The receiving module is configured to receive the second session key sent by the key management and distribution center (KDC), the second session key being obtained by the KDC by encrypting the first session key; the decryption module 702 is configured to decrypt the second session key according to the root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and is allocated to the electronic device by the KDC when the electronic device registers; and the processing module 703 is configured to process the data of the electronic device according to the first session key.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not described again here.
Further, in the above embodiment, the second session key is obtained by the KDC by encrypting the first session key according to the first business key; the receiving module 701 is then further configured to receive the second business key sent by the KDC, the second business key being obtained by the KDC by encrypting the first business key according to the root key. The decryption module is specifically configured to decrypt the second business key according to the root key to obtain the first business key, and to decrypt the second session key according to the first business key to obtain the first session key.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not described again here.
Optionally, in the above embodiments, the electronic device stores the root key, the first business key, the second business key, the first session key and the second session key in the trusted execution environment operating system (TeeOS) of the electronic device; the decryption module 702 is then specifically configured to decrypt, in TeeOS, the second session key according to the root key to obtain the first session key.
Optionally, in the above embodiments, the processing module 703 is specifically configured to receive the second data and to decrypt the second data with the first session key to obtain the first data.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 4; its implementation principle and technical effect are similar and are not described again here.
Fig. 8 is a structural diagram of a second embodiment of the electronic device of the present invention. As shown in Fig. 8, building on the first embodiment shown in Fig. 7, the electronic device of this embodiment includes a receiving module 701, a decryption module 702, a processing module 703 and a sending module 801. The processing module 703 is specifically configured to encrypt the first data with the first session key to obtain the second data and to send the second data. The sending module 801 is configured to send the data encryption request to the KDC.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 3; its implementation principle and technical effect are similar and are not described again here.
Further, in the above embodiments, the root key is an asymmetric cryptographic key: after the KDC generates the public key and the private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device. The decryption module 702 is specifically configured to decrypt the second session key according to the private key of the root key to obtain the first session key.
Optionally, in the above embodiments, the KDC and the electronic device communicate over Secure Sockets Layer (SSL) to secure the communication between the electronic device and the KDC.
Fig. 9 is a structural diagram of an embodiment of the network-side device of the present invention. As shown in Fig. 9, the device of this embodiment includes an encryption module 901 and a sending module 902. The encryption module 901 is configured to encrypt the first session key to obtain the second session key. The sending module 902 is configured to send the second session key to the electronic device, so that the electronic device decrypts the second session key according to the root key to obtain the first session key, where the root key corresponds uniquely to the electronic device, is stored in the electronic device, and is allocated to the electronic device by the key management and distribution center (KDC) when the electronic device registers, and so that the electronic device processes data according to the first session key.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 5; its implementation principle and technical effect are similar and are not described again here.
Further, in the above embodiments, the encryption module 901 is specifically configured to encrypt the first session key according to the first business key to obtain the second session key, and is further configured to encrypt the first business key according to the root key of the electronic device to obtain the second business key. The sending module 902 is further configured to send the second business key to the electronic device.
The device of this embodiment can correspondingly be used to execute the technical solution of the method embodiment shown in Fig. 6; its implementation principle and technical effect are similar and are not described again here.
Optionally, in the above embodiments, the root key is an asymmetric cryptographic key: after the KDC generates the public key and the private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device. The encryption module 901 is then specifically configured to encrypt the first business key according to the public key of the root key of the electronic device to obtain the second business key.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. A data encryption method, characterized by comprising:
receiving a second session key sent by a key management and distribution center (KDC), the second session key being obtained by the KDC by encrypting a first session key;
decrypting the second session key according to a root key to obtain the first session key, wherein the root key corresponds uniquely to an electronic device, the root key is stored in the electronic device, and the root key is allocated to the electronic device by the KDC when the electronic device registers; and
processing data of the electronic device according to the first session key.
2. The method according to claim 1, characterized in that
the second session key is obtained by the KDC by encrypting the first session key according to a first business key;
before the receiving of the second session key sent by the KDC, the method further comprises:
receiving a second business key sent by the KDC, the second business key being obtained by the KDC by encrypting the first business key according to the root key;
and the decrypting the second session key according to the root key to obtain the first session key comprises:
decrypting the second business key according to the root key to obtain the first business key; and
decrypting the second session key according to the first business key to obtain the first session key.
3. The method according to claim 2, characterized in that the electronic device stores the root key, the first business key, the second business key, the first session key and the second session key in a trusted execution environment operating system (TeeOS) of the electronic device;
and the decrypting the second session key according to the root key to obtain the first session key comprises:
decrypting, in the TeeOS, the second session key according to the root key to obtain the first session key.
4. The method according to claim 3, characterized in that
the processing data according to the first session key comprises:
encrypting first data with the first session key to obtain second data; and
sending the second data;
and before the receiving of the second session key sent by the key management and distribution center (KDC), the method further comprises:
sending a data encryption request to the KDC.
5. The method according to claim 3, characterized in that the processing data according to the first session key comprises:
receiving second data; and
decrypting the second data with the first session key to obtain first data.
6. The method according to claim 4 or 5, characterized in that
the root key is an asymmetric cryptographic key, and after the KDC generates a public key of the root key and a private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device;
and the decrypting the second session key according to the root key to obtain the first session key comprises:
decrypting the second session key according to the private key of the root key to obtain the first session key.
7. The method according to claim 6, characterized in that
the KDC and the electronic device communicate over Secure Sockets Layer (SSL).
8. A data encryption method, characterized by comprising:
encrypting a first session key to obtain a second session key; and
sending the second session key to an electronic device, so that the electronic device decrypts the second session key according to a root key to obtain the first session key, wherein the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key is allocated to the electronic device by a key management and distribution center (KDC) when the electronic device registers, and so that the electronic device processes data according to the first session key.
9. The method according to claim 8, characterized in that
the encrypting a first session key to obtain a second session key comprises:
encrypting the first session key according to a first business key to obtain the second session key;
before the encrypting a first session key to obtain a second session key, the method further comprises:
encrypting the first business key according to the root key of the electronic device to obtain a second business key;
and after the encrypting a first session key to obtain a second session key, the method further comprises:
sending the second business key to the electronic device.
10. The method according to claim 9, characterized in that
the root key is an asymmetric cryptographic key, and after the KDC generates a public key of the root key and a private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device;
and the encrypting the first business key according to the root key of the electronic device to obtain a second business key comprises:
encrypting the first business key according to the public key of the root key of the electronic device to obtain the second business key.
11. An electronic device, characterized by comprising:
a receiving module, the receiving module being configured to receive a second session key sent by a key management and distribution center (KDC), the second session key being obtained by the KDC by encrypting a first session key;
a decryption module, the decryption module being configured to decrypt the second session key according to a root key to obtain the first session key, wherein the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key is allocated to the electronic device by the KDC when the electronic device registers; and
a processing module, the processing module being configured to process data of the electronic device according to the first session key.
12. The electronic device according to claim 11, characterized in that
the second session key is obtained by the KDC by encrypting the first session key according to a first business key;
the receiving module is further configured to receive a second business key sent by the KDC, the second business key being obtained by the KDC by encrypting the first business key according to the root key;
and the decryption module is specifically configured to:
decrypt the second business key according to the root key to obtain the first business key; and
decrypt the second session key according to the first business key to obtain the first session key.
13. The electronic device according to claim 12, characterized in that the electronic device stores the root key, the first business key, the second business key, the first session key and the second session key in a trusted execution environment operating system (TeeOS) of the electronic device;
and the decryption module is specifically configured to decrypt, in the TeeOS, the second session key according to the root key to obtain the first session key.
14. The electronic device according to claim 13, characterized in that the processing module is specifically configured to:
encrypt first data with the first session key to obtain second data; and
send the second data;
and the electronic device further comprises a sending module, the sending module being configured to send a data encryption request to the KDC.
15. The electronic device according to claim 13, characterized in that the processing module is specifically configured to:
receive second data; and
decrypt the second data with the first session key to obtain first data.
16. The electronic device according to claim 14 or 15, characterized in that
the root key is an asymmetric cryptographic key, and after the KDC generates a public key of the root key and a private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device;
and the decryption module is specifically configured to decrypt the second session key according to the private key of the root key to obtain the first session key.
17. The electronic device according to claim 16, characterized in that
the KDC and the electronic device communicate over Secure Sockets Layer (SSL).
18. A network-side device, characterized by comprising:
an encryption module, the encryption module being configured to encrypt a first session key to obtain a second session key; and
a sending module, the sending module being configured to send the second session key to an electronic device, so that the electronic device decrypts the second session key according to a root key to obtain the first session key, wherein the root key corresponds uniquely to the electronic device, the root key is stored in the electronic device, and the root key is allocated to the electronic device by a key management and distribution center (KDC) when the electronic device registers, and so that the electronic device processes data according to the first session key.
19. The network-side device according to claim 18, characterized in that
the encryption module is specifically configured to encrypt the first session key according to a first business key to obtain the second session key;
the encryption module is further configured to encrypt the first business key according to the root key of the electronic device to obtain a second business key;
and the sending module is further configured to send the second business key to the electronic device.
20. The network-side device according to claim 19, characterized in that the root key is an asymmetric cryptographic key, and after the KDC generates a public key of the root key and a private key of the root key, the KDC retains the public key of the root key and sends the private key of the root key to the electronic device;
and the encryption module is specifically configured to encrypt the first business key according to the public key of the root key of the electronic device to obtain the second business key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611096712.3A CN108156112B (en) 2016-12-02 2016-12-02 Data encryption method, electronic equipment and network side equipment

Publications (2)

Publication Number Publication Date
CN108156112A true CN108156112A (en) 2018-06-12
CN108156112B CN108156112B (en) 2021-06-22

Family

ID=62470414

Country Status (1)

Country Link
CN (1) CN108156112B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422487A (en) * 2019-08-23 2021-02-26 北京小米移动软件有限公司 Data transmission method, device, system and computer readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1389042A (en) * 2000-06-15 2003-01-01 索尼公司 System and mehtod for processing information using encryption key block
US7366900B2 (en) * 1997-02-12 2008-04-29 Verizon Laboratories, Inc. Platform-neutral system and method for providing secure remote operations over an insecure computer network
CN101282211A (en) * 2008-05-09 2008-10-08 西安西电捷通无线网络通信有限公司 Method for distributing key
CN101364866A (en) * 2008-09-24 2009-02-11 西安西电捷通无线网络通信有限公司 Entity secret talk establishing system based on multiple key distribution centers and method therefor
CN101867898A (en) * 2010-07-02 2010-10-20 中国电信股份有限公司 Short message encrypting communication system, method and secret key center
CN105792190A (en) * 2014-12-25 2016-07-20 成都鼎桥通信技术有限公司 Data encryption, decryption and transmission method in communication system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant