CN109150906A - A kind of real-time data communication safety method - Google Patents

A kind of real-time data communication safety method Download PDF

Info

Publication number
CN109150906A
CN109150906A CN201811144260.0A CN201811144260A CN109150906A CN 109150906 A CN109150906 A CN 109150906A CN 201811144260 A CN201811144260 A CN 201811144260A CN 109150906 A CN109150906 A CN 109150906A
Authority
CN
China
Prior art keywords
data
key
session
real
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811144260.0A
Other languages
Chinese (zh)
Inventor
田有亮
杨新欢
李秋贤
王缵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guizhou University
Original Assignee
Guizhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guizhou University filed Critical Guizhou University
Priority to CN201811144260.0A priority Critical patent/CN109150906A/en
Publication of CN109150906A publication Critical patent/CN109150906A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of real-time data communication safety methods, firstly, determining the two big critical issues for influencing data communications security, the i.e. transmission problem of validated user Verify Your Identity questions and sensitive data by the architecture and data characteristics of analysis data communication;Secondly, transmitting encryption system in conjunction with existing identity identifying technology and data, a kind of security service scheme suitable for data communication is proposed;The validity and safety of the program are analyzed again.Using HMAC identifying algorithm, user identity authentication and authority acquiring in realization system guarantee the reliability of private services device visitor, solve first of security protection of entire communication system security.Establish a safe and reliable communication channel, realize safety of the sensitive data on network transmission channel, guarantee data integrality and can not being tampered property.

Description

A kind of real-time data communication safety method
Technical field
The technology more particularly to a kind of real time data communicated the invention belongs to data safety in real-time data communication system is logical Believe safety method.
Background technique
With the gradually maturing of Internet technology and the acceleration of network construction, the communication security of real time data in network Problem emerges one after another, such as the report about virus, hacker etc. is commonplace, and means mode is also various.So how to have The protection for carrying out data communications security in network of effect, is a research hotspot and demand point.Although China is sufficiently realized To importance of the data communications security technology in future development, it is also evolving this safe practice, but is still lacked Data communications security system in complete network channel, and it is weak to remain unchanged for the consciousness of self-protection of data communications security, lacks Long-term planning fails to formulate a long-term action plan.It is shown according to related data, network user's usage amount in China is The communication flows of real time sensitive data through leaping into the front ranks of the world, and in network also constantly rises, but due to data communication It loses caused by safety and is also constantly increasing, be all a huge threat for individual interest and national collective interests, So the protection for carrying out data communications security is very necessary.
Data communications security problem is mainly made of two aspects, the transmission including effective authentication and real time data Safety.Artificial attack includes passive attack and active attack, brings great challenge safely to computer network communication, is endangered Seriously.Passive attack will not change system information, but invade the confidentiality of information.Pretend to be the identity using user, it is right Information in Networks and Communications route is monitored and is stolen, and is analyzed and researched to the data information of intercepting and capturing, causes data complete The destruction of whole property and the leakage of information, bring security risk.
At present in the communication process of real time data, what is generallyd use is network physical isolation or Virtual Private Network (VPN) mode.It proposes the conception encrypted to real time data in most of data communication researchs, but and makes and specifically grinding Study carefully scheme.And there is also difficult points for data communications security method: formulation, data transmission procedure such as effective authentication system In the generation of session key, the cipher mode of session key and real time data Encryption Algorithm selection, guaranteeing not shadow The safe transmission of data is realized under conditions of sound message transmission rate.For these reasons, real-time data communication secure side is carried out The research of method provides objective basis and support for the safety of data in data communication system, the peace of data communication in Logistics networks Entirely, the safety and reliability of data is improved.
Summary of the invention
The technical problem to be solved by the present invention is providing a kind of method of real time data secure communication.Combined data communication The security architecture of system proposes a kind of safety approach suitable for the level framework, using HMAC Hash identifying algorithm, realizes system User identity authentication and authority acquiring in system guarantee the reliability of private services device visitor, solve entire communication system security First of security protection.A safe and reliable communication channel is established, realizes peace of the real time data on network transmission channel Quan Xing, guarantee data integrality and can not being tampered property, solve data transmission procedure in second security protection;Pass through body Part certification and Hybrid Encryption Protocol, the final communication security for realizing real time data, solve data safety protection question.
3. the technical scheme is that a kind of real-time data communication safety method, it is characterised in that: include following step Rapid: step (1) authentication procedures: user carries out logging request Q, server by user name and login password at client After termination receives logging request Q, the random number K with timeliness is returned to client in response, and in a session K is recorded, then client will obtain its equipment unique identifier mac value automatically, and this mac value and K are done HMAC operation, obtain Informative abstract HMAC (K, mac), then sends server end for this informative abstract;Meanwhile server end uses random number K HMAC operation is carried out with the address mac for being stored in the user in server database, then by the operation result of server and visitor The operation result at family end compares, if result is consistent, by certification, user gets the Service Privileges of access data, if knot Fruit is inconsistent, then rejects application, login failure;(2) foundation of safe lane: during system real-time data communication, pass through Trusted third party's KDC key distribution center generates session key KS, is realized using SM2 elliptic curve public key cryptographic and digital signature Session key KS's is shared between client and server end, establishes safe lane;(3) management of session key: algorithm is used To generate disposable session key, while key is effectively distributed, stored and cancelled;(4) transmission of real time data: It establishes after safe lane, communicating pair carries out AES symmetric cryptography transmission to real time data with shared session key KS, realizes To the safe transmission of data;KDC can be cancelled when secondary session key after a conversation end, realize the encryption of " one-time pad " Mode is to guarantee the safety of data transmission procedure.The disposable session key: I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is in body Cryptographic Hash made by part authentication phase regards the seed of secrecy as, and every all to be replaced with its primary value, cryptographic operation uses AES encryption, using the value of R as newly generated key value.
Beneficial effects of the present invention: present invention discusses a kind of real-time data communication safety methods, logical by analysis data The architecture and data characteristics of letter system determine the two big critical issues for influencing data communications security, i.e. validated user body The transmission problem of part authentication question and sensitive data.Secondly, encryption system is transmitted in conjunction with existing identity identifying technology and data, I.e. HMAC identity identifying technology constructs Model of Identity Authentication System, by certification decoder and authenticates compiling of the encoder to message, with And cipher key source generates the random key K value with timeliness, the operation of server end and client HMAC (K, mac) are realized effective Authentication.Again by the building that key distribution center KDC is serviced, the management of KDC cipher key list, one-time pad is with secret The foundation of safe lane is completed in the distribution of key.Finally by SM2 ellipse curve public key cipher algorithm and AES symmetric encipherment algorithm Combination, guarantee under the premise of not influencing message transmission rate complete real time data safe transmission.
Using HMAC identifying algorithm, user identity authentication and authority acquiring in realization system guarantee the access of private services device The reliability of person solves first of security protection of entire communication system security.A safe and reliable communication channel is established, it is real Existing safety of the sensitive data on network transmission channel, guarantee data integrality and can not being tampered property.
Present invention primarily contemplates data communications security problem present in current network, in conjunction with existing safe practice, On data communication system structure, it is logical that data safety is completed in terms of effective authentication and data security transmission two The process of letter, solution security is higher, and feasibility is higher.It can be seen that building real-time data communication method is significant.
Detailed description of the invention
Fig. 1 is data communications security architecture diagram;
Fig. 2 is authentication procedures flow chart;
Fig. 3 is the session key shared procedure based on KDC;
Fig. 4 is real-time data encryption transmission process.
Specific embodiment
Further refinement explanation is made to real-time data communication safety method below, it includes the following steps:
Step 1, the parsing of data communications security framework: according to data communication system integral structural system, combined data communication Data communications security framework can be divided into 3 bulks by the demand for security of process.Wherein, the area I is external network, and client passes through External network carries out the access and data manipulation of built-in system in local area network.First of firewall, to realize to center local Its mutual access control between higher level's net, Internet is realized in the safeguard protection of net using the filtering function of firewall.
The area II middling speed leads to the intrusion detection module of firewall, realizes to the safeguard protection of scheduling central office domain net, utilizes speed Logical firewall can detect in network data flow automatically potentially invades, attacks and abuse route, realizes and joins with firewall module Dynamic, adjust automatically control rule provides dynamic network protection for entire local area network.
The area III is intranet, includes application server, data server and KDC Key Management Center.Three is constituted Internal private clound, stores the information of the sensitive data and other equipment in system.The second on its Intranet boundary is prevented fires The included authentication function of wall, may be implemented internal user certification, at the same can in conjunction with the original domain user authentication of user or Radius certification, realizes the access control of user class.
Step 2, data communications security analysis: two important problems involved in general data communication process: 1. recognize (identification) problem of card, it is ensured that the legitimacy of communicating pair and the authenticity of data prevent from the active attacks such as distorting, pretend to be.② Privacy concerns prevent attacker from decoding the confidential information in system server.It, can be with by data communications security Architecture Analysis Seeing has following 3 for data communications security threat.
(1) authentication and unauthorized access
The certification that User ID and password are only relied in the Generally Recognized as safe prevention of system is very dangerous, is easy to be hypothesized or steal It takes, very big security risk can be brought.Unauthorized user violates the operation of security strategy by personation, identity attack etc., keeps away The defects of security mechanism or utilization security system of open system, carry out non-normal use to internal server resource.Therefore it needs User identity authentication and authorization control mechanism based on Unified Policy are established based on application service and external information system, with area Not different users and message reference person, and authorize their different message references and issued transaction permission.
(2) it the monitoring of data and steals
Monitoring refers to that attacker transmits information by means of acquisitions such as technical equipment, technological means.Client and server end During transmitting data by network channel, it is understood that there may be situations such as information is monitored, and data are stolen, so in entire net Situations such as data transmitted in network channel must be the ciphertext by strictly handling, and prevent loss of data.
(3) it the corrupt of unauthorized and distorts
Attacker destroys data or is distorted in network transmission channel midway intercepted data.Communicating pair can lead to It crosses and completeness check is carried out to data to detect integrality.However a threat is still remained, if attacker is complete to data Property check code itself modify, receive user still will be considered that data integrity is destroyed and abandons data.So communicating During both sides carry out data transmission, identity authentication scheme and timestamp are introduced in the packet to prevent corrupt and usurp Change.
For above-mentioned safety analysis, in conjunction with client and server communication mechanism in system, propose that HMAC identity is recognized Card technology carries out Hash operation using the interim conversation random value that mobile phone mac value with uniqueness and server end generate, real Existing ID authentication mechanism.By the Key Management Center of KDC, the session key with timeliness is generated, SM2 elliptic curve is utilized Public key encryption and digital signature realize shared and communication two party effective certification of session key, while being added using AES data It is close to construct Hybrid Encryption Protocol to complete the safe transmission of sensitive data, so that attacker is (not over security system certification User) even if intercepted data, it is failed due to that can not decrypt.
Step 3, authentication selection: in safe communication system, when client will access private services device, first have to Authentication of the server to client is carried out, to verify the legitimacy of client user's identity.HMAC body is used in the system Part authentication techniques, entire authentication model is by certification encoder, cipher key source and certification decoder three parts composition.Authenticate encoder pair The message of transmission generates authentication code, and cipher key source generates timeliness random key K, and certification decoder tests the message received Card.Message authentication process is as follows:
1) client issues logging request;
2) being generated by the cipher key source of server end, there is the random key K of timeliness to return to client;
3) the certification encoder of client generates certification message with message of the random key K to sending, and is sent to service Device end;
4) after received server-side to certification message, by the legitimacy of certification decoder verifying message, then receive if legal, Otherwise it abandons.
Step 4, authentication procedures: the characteristics of according to data user, data communication system will distribute to user without repeating Work number.User carries out logging request Q by user name and login password at client.Received server-side is to logging request After Q, the random number K with timeliness is returned to client in response, and record K in a session.Then client To obtain its equipment unique identifier mac value automatically, and this mac value and K are done into HMAC operation, obtain informative abstract HMAC (K, mac).Then server end is sent by this informative abstract.
Meanwhile server end is carried out using random number K with the address mac for being stored in the user in server database HMAC operation.Then the operation result of the operation result of server and client is compared.If result is consistent, by recognizing Card, user get the Service Privileges of access data.If result is inconsistent, application, login failure are rejected.
Wherein hmac algorithm indicates are as follows:
HMAC message authentication technology can verify the authorization data and authentication data of communicating pair receiving, can be confirmed simultaneously The command request that server end receives is the request authorized, and can guarantee that order is not changed during transmission It moved.Random value k during simultaneous session has timeliness, can reduce the harm of Key Exposure bring.
The foundation of step 5, safe lane: in data communication system, safe user identity authentication system guarantee is The access safety of system, and the data transmission security in system is also important research contents.When user accesses system Intranet, visitor The data of family end and server end transmission, it should use end-to-end cipher mode, data on channel and switching node with The form of ciphertext exists.During system real-time data communication, session is generated by trusted third party's KDC key distribution center Key KS realizes session key KS between client and server end using SM2 elliptic curve public key cryptographic and digital signature It is shared, to establish safe lane.
Step 6, the one-time-pad system design based on KDC: during data communication, in order to guarantee the secret of message Property require communicating pair to carry out identity validation by signature simultaneously during session key is shared, complete communicating pair and shake hands Process guarantees the safety of session to establish safe lane.Assuming that needing when A wishes to be communicated with B locally generated Respective public key pair, by public key PKAAnd PKBIt is stored in the list of public keys of KDC, A and B respectively possess private key SKAAnd SKB, specific Process is as follows:
(1) KDC receives the session key request of A sending
Secret key request message includes the identification identifier of A and B, indicates that A wishes to obtain the session key communicated with B.
(2) A receives the key request response message of KDC reply i.e.:
Key response message includes 4 contents, and guarantees that the message only has A that could decrypt with the public key encryption of A.First Item content is disposable session key KS;Section 2 content is the public key PK of BB;Section 3 content is encrypted with the public key of B Disposable session key KS and A public key, this content A is directly forwarded to B after receiving, for proving oneself identity;The Four contents are current time node T1, to determine response message not by Replay Attack.
(3) A carries out corresponding decryption oprerations i.e.:
Thus to obtain session key KS and timing node T1, and it is sent to by KDC the data packet of B.
(4) A sends data packet to B
Its content sent includes 2 contents.First item content is the data packet to B that KDC cipher key center generates, by A In generation, issues B;Section 2 content is the A session key of the private key signature of oneself and two timing node T1, T2, for being carried out with B Authentication, to determine that data are not leaked and distorted by stealing in transmission process.
(5) data packet is decrypted in B
It whether consistent obtains session key KS, the KS that comparison is sent by KDC and the KS that customer end A is sent, and compares two The interval of secondary timing node, it is ensured that the reliability of session.
(6) B sends data packet as the response to A to A
Response message is added again with the session key KS and three times of the private key signature of B later by the public key encryption of A Point, T1, T2, T3, it is used as the acknowledgement messaging to A.
(7) A authenticates the message that B is sent
A and B carries out again authentication in cipher key transmitting process, guarantees the authenticity of communicating pair, to T1、T2And T3 The inspection of timestamp more ensures not to be intercepted or distort in cipher key transmitting process.Pass through above step, session key KS It has been securely distributed to A and B.
The management of step 7, session key: for KDC cipher key center, the generation of session key is one very crucial Problem, should ensure that generation session key be randomly or pseudo-randomly, in order to meet this demand, here using following algorithm come Generate disposable session key:
I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is in body Cryptographic Hash made by part authentication phase regards the seed of secrecy as, every all to be replaced with its primary value, cryptographic operation is adopted Use AES encryption.Using the value of R as newly generated key value.Since date/time value has nonrepeatability and aes algorithm Superperformance, therefore generate key have very strong unpredictability, meet the random demand to key.
Before user carries out secret communication, needs to generate session key by key distribution center and distribute to user couple Side.The session key needs to be protected by encryption key, and encryption key general life cycle is longer, can pass through craft Mode is distributed between KDC and user.
After all keys generate, key list can be stored in ciphertext form.In key list each single item the main contents include: Mark, key name, our identity, other party identity, ciphertext etc..Point out whether the key can be used by mark domain.
When needing to cancel a certain key that user both sides share, the key is found according to key name in key list, The mark domain for setting this is " unavailable ".In general, data key life cycle is very short, once intercommunication finishes, just by institute Data key is cancelled, so realizing the cipher mode of " one-time pad " to a certain extent.
The transmission of step 8, real time data: it after communicating pair A and B establish safe lane, is secondly counted in real time According to transmission, transmission process is as follows.
(1) A is encrypted to obtain ciphertext using aes algorithm with session key KS to the plaintext to be transmitted first, sufficiently benefit With the fast advantage of the enciphering rate of aes algorithm.
(2) content received is decrypted using AES using session key KS by network transmission to the end B, B for ciphertext, It quickly obtains in plain text.B uses same step to the process that A sends information.
(3) current sessions once terminate, and session key is dropped, and it is close that next session needs to regenerate new session Key.
Step 9, safety analysis: may be the random key that cipher key source generates by security attack in entire verification process K and sender's HMAC message authentication code can not extrapolate user information, the random key K that cipher key source generates according to the two values Only in current sessions effectively, so greatly strengthening safety and practicability.HMAC identity is applied in data communication system Authentication techniques can verify the information source and the stay of two nights of message, can more ensure the certification to informed source;Secondly, verifying message exists It is not forged and distorts in transmit process, i.e., to the certification of message content;In addition, verifying message is not retransmitted in transmit process Or delay etc., i.e. the certification to message timeliness.
(1) verifying of session both sides identity.Lack effectively recognizing to session both sides' identity in traditional one-time-pad system Card, so that the exchange process of information, there are security risk, it is double right that " one-time pad " scheme of being somebody's turn to do realizes communication in a session The authentication again of side, ensure that the identity reality and trustworthiness of session both sides, prevents the attack of network cheating.
(2) session initiated every time all joined current timing node in message transmitting procedure, for identifying this The time state of session, the validity of verification time node during generating session key, and each session setup Time is all different, to prevent Replay Attack.
(3) since the state at each moment of session is different, the random seed value during communicating pair is also different, this Sample ensure that each interim conversation key be all it is different, be truly realized " one-time pad ", enormously simplify key Distribution and management, so that user can be convenient, pellucidly using this encryption system without being concerned about concrete details problem.
(4) the advantages of taking full advantage of AES and SM2 elliptic curve encryption algorithm, using the highly-safe feature of SM2 come The session key that encrypted confidential is higher, data volume is small encrypts a large amount of of ession for telecommunication using the fireballing advantage of AES encryption Real time data meets and transmits the requirement in speed in the data during interim conversation.

Claims (2)

1. a kind of real-time data communication safety method, it is characterised in that: comprise the steps of: step (1) authentication procedures: using Family carries out logging request Q by user name and login password at client, after received server-side to logging request Q, returns The random number K with timeliness is returned to client in response, and record K in a session, then client will obtain automatically Its equipment unique identifier mac value is taken, and this mac value and K are done into HMAC operation, obtains informative abstract HMAC (K, mac), then Server end is sent by this informative abstract;Meanwhile server end using random number K and is stored in this in server database The address mac of user carries out HMAC operation, then compares the operation result of the operation result of server and client, if knot Fruit is consistent, then by certification, user gets the Service Privileges of access data, if result is inconsistent, rejects application, logs in and lose It loses;(2) it the foundation of safe lane: during system real-time data communication, is produced by trusted third party's KDC key distribution center Raw session key KS realizes that session is close between client and server end using SM2 elliptic curve public key cryptographic and digital signature Key KS's is shared, establishes safe lane;(3) management of session key: disposable session key is generated using algorithm, while right Key is effectively distributed, stored and is cancelled;(4) transmission of real time data: after establishing safe lane, communicating pair is used Shared session key KS carries out the transmission of AES symmetric cryptography to real time data, realizes the safe transmission to data;In a session After KDC can cancel when time session key, realize the cipher mode of " one-time pad " to guaranteeing data transmission procedure Safety.
2. a kind of real-time data communication safety method according to claim 1, it is characterised in that: the disposable session Key: I=E [K] (DT)
Newly
Wherein, DT is date/time value, and K is key, and the initial value of H is HMAC (K, mac), and as communicating pair is recognized in identity Cryptographic Hash made by the card stage regards the seed of secrecy as, and every all to be replaced with its primary value, cryptographic operation uses AES Encryption, using the value of R as newly generated key value.
CN201811144260.0A 2018-09-29 2018-09-29 A kind of real-time data communication safety method Pending CN109150906A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811144260.0A CN109150906A (en) 2018-09-29 2018-09-29 A kind of real-time data communication safety method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811144260.0A CN109150906A (en) 2018-09-29 2018-09-29 A kind of real-time data communication safety method

Publications (1)

Publication Number Publication Date
CN109150906A true CN109150906A (en) 2019-01-04

Family

ID=64813295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811144260.0A Pending CN109150906A (en) 2018-09-29 2018-09-29 A kind of real-time data communication safety method

Country Status (1)

Country Link
CN (1) CN109150906A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109657426A (en) * 2019-01-30 2019-04-19 贵州大学 A kind of data source tracing method based on digital signature and digital watermarking
CN111917796A (en) * 2020-08-12 2020-11-10 杨银平 Power grid equipment communication method
CN113259306A (en) * 2020-12-31 2021-08-13 上海自动化仪表有限公司 Temperature transmitter integrating function safety and information safety and operation method thereof
CN114258013A (en) * 2020-09-11 2022-03-29 中国联合网络通信集团有限公司 Data encryption method, device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039225A (en) * 2007-04-04 2007-09-19 北京佳讯飞鸿电气有限责任公司 Method for realizing data safe transmission of distribution cooperating intrusion detection system
CN103997484A (en) * 2014-02-28 2014-08-20 山东量子科学技术研究院有限公司 SIP (Session Initiation Protocol) signaling safety communication system and method of quantum cryptography network
US20150281195A1 (en) * 2014-03-31 2015-10-01 EXILANT Technologies Private Limited Increased communication security
CN105721499A (en) * 2016-04-07 2016-06-29 周文奇 Information security system of industrial communication security gateway
CN106411525A (en) * 2016-09-23 2017-02-15 浙江神州量子网络科技有限公司 Message authentication method and system
CN107506668A (en) * 2017-08-31 2017-12-22 北京计算机技术及应用研究所 A kind of USB flash disk access method based on communication information real-time authentication

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039225A (en) * 2007-04-04 2007-09-19 北京佳讯飞鸿电气有限责任公司 Method for realizing data safe transmission of distribution cooperating intrusion detection system
CN103997484A (en) * 2014-02-28 2014-08-20 山东量子科学技术研究院有限公司 SIP (Session Initiation Protocol) signaling safety communication system and method of quantum cryptography network
US20150281195A1 (en) * 2014-03-31 2015-10-01 EXILANT Technologies Private Limited Increased communication security
CN105721499A (en) * 2016-04-07 2016-06-29 周文奇 Information security system of industrial communication security gateway
CN106411525A (en) * 2016-09-23 2017-02-15 浙江神州量子网络科技有限公司 Message authentication method and system
CN107506668A (en) * 2017-08-31 2017-12-22 北京计算机技术及应用研究所 A kind of USB flash disk access method based on communication information real-time authentication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨新欢,等: ""电网数据通信安全服务系统应用研究"", 《通信技术》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109657426A (en) * 2019-01-30 2019-04-19 贵州大学 A kind of data source tracing method based on digital signature and digital watermarking
CN109657426B (en) * 2019-01-30 2023-08-15 贵州大学 Data tracing method based on digital signature and digital watermark
CN111917796A (en) * 2020-08-12 2020-11-10 杨银平 Power grid equipment communication method
CN111917796B (en) * 2020-08-12 2022-04-26 怀化建南电子科技有限公司 Power grid equipment communication method
CN114258013A (en) * 2020-09-11 2022-03-29 中国联合网络通信集团有限公司 Data encryption method, device and storage medium
CN114258013B (en) * 2020-09-11 2023-10-31 中国联合网络通信集团有限公司 Data encryption method, device and storage medium
CN113259306A (en) * 2020-12-31 2021-08-13 上海自动化仪表有限公司 Temperature transmitter integrating function safety and information safety and operation method thereof

Similar Documents

Publication Publication Date Title
CN111371730B (en) Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene
CN103491072B (en) A kind of border access control method based on double unidirection insulation network brakes
US10243742B2 (en) Method and system for accessing a device by a user
CN103354498B (en) A kind of file encryption transmission method of identity-based
CN109327313A (en) A kind of Bidirectional identity authentication method with secret protection characteristic, server
CN114553568A (en) Resource access control method based on zero-trust single packet authentication and authorization
Chattaraj et al. A new two-server authentication and key agreement protocol for accessing secure cloud services
CA2949847A1 (en) System and method for secure deposit and recovery of secret data
CN105162808B (en) A kind of safe login method based on national secret algorithm
Rahman et al. Security in wireless communication
CN109150906A (en) A kind of real-time data communication safety method
CN103001976A (en) Safe network information transmission method
CN104767731A (en) Identity authentication protection method of Restful mobile transaction system
CN101686127A (en) Novel USBKey secure calling method and USBKey device
CN109729523A (en) A kind of method and apparatus of terminal networking certification
CN110493162A (en) Identity identifying method and system based on wearable device
CN110602083B (en) Secure transmission and storage method of digital identity authentication data
Alizai et al. Key-based cookie-less session management framework for application layer security
CN105245338B (en) A kind of authentication method and apparatus system
Zhang et al. Is Today's End-to-End Communication Security Enough for 5G and Its Beyond?
CN106230840B (en) A kind of command identifying method of high security
CN109067774A (en) A kind of safety access system and its safety access method based on trust tokens
CN110248334A (en) A kind of car-ground communication Non-Access Stratum authentication method of LTE-R
Xiao et al. Security mechanisms, attacks and security enhancements for the IEEE 802.11 WLANs
KR101451163B1 (en) System and method for access authentication for wireless network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190104

WD01 Invention patent application deemed withdrawn after publication