CN109361508B - Data transmission method, electronic device and computer readable storage medium - Google Patents


Publication number
CN109361508B
Authority
CN
China
Prior art keywords
data
application service
encrypted data
electronic equipment
data transmission
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811186139.4A
Other languages
Chinese (zh)
Other versions
CN109361508A (en)
Inventor
戚怡民
蒋训雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lianyang Guorong Beijing Technology Co ltd
Original Assignee
Lianyang Guorong Beijing Technology Co ltd
Application filed by Lianyang Guorong Beijing Technology Co ltd
Priority to CN201811186139.4A
Publication of CN109361508A
Application granted
Publication of CN109361508B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Algebra (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a data transmission method, electronic equipment and a computer readable storage medium. The data transmission method comprises the following steps: when a data transmission instruction is received, acquiring a signature of a security element in the electronic equipment; sending the signature to the key management system for verification; when the signature passes the verification, receiving an application service certificate sent by the key management system, first encrypted data generated by the key management system and first random data; generating second encrypted data according to the application service certificate; verifying the first encrypted data; when the first encrypted data passes verification, the second encrypted data is sent to the key management system for verification; and logging in the application service platform for data transmission when the second encrypted data passes the verification. The invention can effectively ensure the safety and the high efficiency of data transmission, is convenient to operate and has better user experience.

Description

Data transmission method, electronic device and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data transmission method, an electronic device, and a computer-readable storage medium.
Background
With the rapid development of Internet of Things (IoT) technology, IoT devices have spread across every industry: smart household appliances, door locks and other devices in smart-home systems; trains, automobiles and public bicycles in transportation; devices for remote monitoring of enterprise operations; and so on. Most of these devices use a dedicated Data Transmission Unit (DTU) as a gateway to interact with a cloud platform. IoT technology brings a high degree of intelligence and convenience to society, but the security of data transmission also poses a challenge.
The data transmission units or gateways in common use today only pass data through transparently, so the security of the data depends on processing in the terminal equipment. The manufacturers of terminal equipment are spread across many industries, so they cannot all be required to add security technology and make the capital investment it entails. To secure data transmission, some terminal equipment manufacturers encrypt the system with a fixed secret key and use the on-board processor to encrypt and decrypt data separately. Specifically, the following 3 modes are used:
(1) Transmitting the original data of the data transmission unit.
This mode cannot meet the networking requirements of existing equipment. In particular, equipment in the industrial field is expensive, and its deployment time and service life are long, from as short as 3 years to as long as 10 years.
(2) The encryption of data is done using an MCU (Micro-Controller Unit).
This mode generally sets fixed encryption keys on the server and on the device and performs symmetric encryption and decryption of data. It improves security, but the device's encrypted information is easily monitored and cracked over the network, and once one device is cracked, other devices of the corresponding model can be cracked as well.
(3) The encryption and decryption system uses the RSA (RSA algorithm) encryption algorithm.
The method has high resource consumption and time delay, and is mainly used for high-end application processors.
None of these 3 modes effectively solves the security problem of data transmission, and they bring inconvenience to users.
Disclosure of Invention
In view of the above, it is necessary to provide a data transmission method, an electronic device, and a computer-readable storage medium that effectively ensure the security and efficiency of data transmission and can be updated in real time; the hybrid encryption approach is easy to operate and gives users a better experience.
A data transmission method is applied to an electronic device that communicates with a key management system and an application service platform. The method comprises the following steps:
when a data transmission instruction is received, acquiring a signature of a security element in the electronic equipment;
sending the signature to the key management system for verification;
when the signature passes the verification, receiving an application service certificate sent by the key management system, first encrypted data generated by the key management system and first random data;
generating second encrypted data according to the application service certificate;
verifying the first encrypted data;
when the first encrypted data passes verification, sending the second encrypted data to the key management system for verification;
and logging in the application service platform for data transmission when the second encrypted data passes the verification.
According to the preferred embodiment of the present invention, the receiving of the data transmission instruction includes any one of the following manners:
detecting a signal that the electronic equipment is disconnected; or
receiving a signal for triggering data transmission of the electronic equipment at preset time intervals; or
receiving a signal which is configured by the electronic equipment and triggers data transmission at preset time; or
receiving a signal that the user triggers the data transmission.
According to a preferred embodiment of the present invention, the generating of the second encrypted data according to the application service credential comprises:
acquiring a user identification (UID) of a secure element in the electronic equipment;
generating a second session key of the electronic equipment by adopting an elliptic curve cryptography (ECC) algorithm and combining the application service certificate and the UID;
encrypting the first random data using an Advanced Encryption Standard (AES) encryption algorithm in combination with the second session key to generate the second encrypted data.
According to the preferred embodiment of the present invention, the logging in the application service platform for data transmission includes:
receiving the uploaded initial data;
when the initial data is the configuration data of the electronic equipment, configuring the electronic equipment according to the configuration data; or
when the initial data is to-be-transmitted data, encrypting the to-be-transmitted data by adopting an AES encryption algorithm, and transmitting the encrypted to-be-transmitted data.
According to the preferred embodiment of the present invention, the transmitting the encrypted data to be transmitted includes:
when the data to be transmitted is uploaded by the terminal equipment communicated with the electronic equipment, the data to be transmitted is sent to the application service platform; or
when the data to be transmitted is uploaded by the application service platform, the data to be transmitted is sent to the terminal equipment.
According to a preferred embodiment of the invention, the method further comprises:
and when the second encrypted data is not verified, prohibiting the electronic equipment from logging in the application service platform.
A data transmission method is applied to a key management system that communicates with an electronic device and an application service platform. The method comprises the following steps:
receiving a signature of a secure element in the electronic equipment;
verifying the signature;
when the signature passes the verification, acquiring an application service certificate from the application service platform;
generating first encrypted data according to the application service certificate;
generating first random data;
sending the application service certificate, the first encrypted data and the first random data to the electronic equipment so that the electronic equipment verifies the first encrypted data;
when the first encrypted data passes verification, receiving second encrypted data sent by the electronic equipment;
verifying the second encrypted data.
According to a preferred embodiment of the present invention, the generating first encrypted data according to the application service credential comprises:
acquiring a UID of a secure element in the electronic equipment and second random data generated by the electronic equipment;
generating a first session key of the key management system by adopting a secure hash algorithm and combining the application service certificate and the UID;
encrypting the second random data using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
A data transmission apparatus, operating in an electronic device, the electronic device communicating with a key management system and an application service platform, the apparatus comprising:
the acquisition unit is used for acquiring a signature of a security element in the electronic equipment when a data transmission instruction is received;
the sending unit is used for sending the signature to the key management system for verification;
the receiving unit is used for receiving an application service certificate sent by the key management system, first encrypted data generated by the key management system and first random data when the signature passes verification;
a generating unit, configured to generate second encrypted data according to the application service credential;
an authentication unit for authenticating the first encrypted data;
the sending unit is further configured to send the second encrypted data to the key management system for verification when the first encrypted data passes verification;
and the login unit is used for logging in the application service platform to carry out data transmission when the second encrypted data passes the verification.
According to the preferred embodiment of the present invention, the receiving of the data transmission instruction includes any one of the following manners:
detecting a signal that the electronic equipment is disconnected; or
receiving a signal for triggering data transmission of the electronic equipment at preset time intervals; or
receiving a signal which is configured by the electronic equipment and triggers data transmission at preset time; or
receiving a signal that the user triggers the data transmission.
According to a preferred embodiment of the present invention, the generating unit is specifically configured to:
acquiring a user identification (UID) of a secure element in the electronic equipment;
generating a second session key of the electronic equipment by adopting an elliptic curve cryptography (ECC) algorithm and combining the application service certificate and the UID;
encrypting the first random data using an Advanced Encryption Standard (AES) encryption algorithm in combination with the second session key to generate the second encrypted data.
According to a preferred embodiment of the present invention, the login unit is specifically configured to:
receiving the uploaded initial data;
when the initial data is the configuration data of the electronic equipment, configuring the electronic equipment according to the configuration data; or
when the initial data is to-be-transmitted data, encrypting the to-be-transmitted data by adopting an AES encryption algorithm, and transmitting the encrypted to-be-transmitted data.
According to the preferred embodiment of the present invention, the transmitting the encrypted data to be transmitted includes:
when the data to be transmitted is uploaded by terminal equipment communicated with the electronic equipment, the data to be transmitted is sent to the application service platform; or
when the data to be transmitted is uploaded by the application service platform, the data to be transmitted is sent to the terminal equipment.
According to a preferred embodiment of the invention, the apparatus further comprises:
and the forbidding unit is used for forbidding the electronic equipment to log in the application service platform when the second encrypted data is not verified.
A data transmission system operating in a key management system, the key management system in communication with an electronic device and an application service platform, the system comprising:
the receiving module is used for receiving a signature of a secure element in the electronic equipment;
a verification module for verifying the signature;
the acquisition module is used for acquiring an application service certificate from the application service platform when the signature passes the verification;
the generating module is used for generating first encrypted data according to the application service certificate;
the generation module is further used for generating first random data;
a sending module, configured to send the application service credential, the first encrypted data, and the first random data to the electronic device, so that the electronic device verifies the first encrypted data;
the receiving module is further configured to receive second encrypted data sent by the electronic device when the first encrypted data passes verification;
the verification module is further configured to verify the second encrypted data.
According to a preferred embodiment of the present invention, the generating module is specifically configured to:
acquiring a UID of a secure element in the electronic equipment and second random data generated by the electronic equipment;
generating a first session key of the key management system by adopting a secure hash algorithm and combining the application service certificate and the UID;
encrypting the second random data using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
An electronic device, the electronic device comprising:
a processor; and
a memory, instructions stored in the memory being executed by the processor to implement the data transfer method.
A computer-readable storage medium having instructions stored therein for execution by a processor in an electronic device to implement the data transfer method.
A key management system, the key management system comprising:
a processing device; and
a storage device, instructions stored in the storage device being executed by the processing device to implement the data transfer method.
A computer readable storage medium having instructions stored therein for execution by a processing device in a key management system to implement the data transfer method.
According to the technical scheme, the first session key sent by the key management system can be verified after the signature is verified, and the second session key is generated according to the application service certificate when the first session key passes the verification, so that the safety of data transmission is ensured.
Drawings
FIG. 1 is a diagram of an application environment of a preferred embodiment of the method for implementing data transmission according to the present invention.
FIG. 2 is a flow chart of a preferred embodiment of the data transmission method of the present invention.
FIG. 3 is a flow chart of another preferred embodiment of the data transmission method of the present invention.
FIG. 4 is a functional block diagram of a data transmission device according to a preferred embodiment of the present invention.
FIG. 5 is a functional block diagram of a preferred embodiment of the data transmission system of the present invention.
FIG. 6 is a schematic structural diagram of an electronic device implementing a data transmission method according to a preferred embodiment of the invention.
FIG. 7 is a block diagram of a key management system for implementing a data transmission method according to a preferred embodiment of the present invention.
Description of the main elements (table provided as figures in the original publication)
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is an application environment diagram of a preferred embodiment of the method for implementing data transmission according to the present invention. The electronic device 1 communicates with the key management system 2 and the application service platform 3, and the electronic device 1 further communicates with the terminal device 4.
The electronic device 1 may be a data transmission unit (DTU) and has a secure element;
the Key Management System (KMS) 2 is configured to authenticate the electronic device 1 and implement data communication between the electronic device 1 and the application service platform 3;
the application service platform 3 is used for providing login services for the electronic device 1 and providing services and data for the electronic device 1;
the terminal device 4 is configured to upload data to the electronic device 1.
FIG. 2 is a flow chart of a data transmission method according to a preferred embodiment of the present invention. The order of the steps in the flow chart may be changed and some steps may be omitted according to different needs.
The data transmission method is applied to one or more electronic devices 1, where the electronic device 1 is a device capable of automatically performing numerical calculation and/or information processing according to a preset or stored instruction, and hardware thereof includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The electronic device 1 may be any electronic product capable of performing human-computer interaction with a user, for example, a personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game machine, an interactive network television (IPTV), an intelligent wearable device, and the like.
The electronic device 1 may also comprise a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud based on cloud computing and consisting of a large number of hosts or network servers.
The network where the electronic device 1 is located includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a Virtual Private Network (VPN), and the like.
S10, when a data transmission instruction is received, the electronic equipment 1 acquires a signature of a security element in the electronic equipment 1.
In at least one embodiment of the present invention, the Secure Element (SE) is a chip that resists external malicious analysis attacks and protects data security. The chip contains encryption and decryption logic circuits, and the private key information written into the secure element cannot be read out. Because the electromagnetic field produced by the algorithm is treated, an attacker cannot crack the system by analyzing parameters such as the electromagnetic field of the secure element. As a result, even if an attacker cracks one device, cracking any other device costs just as much, so cracking one device does not lead to the devices of the whole system being cracked.
In at least one embodiment of the present invention, the secure element has a signature therein, and the identity of the electronic device 1 can be further identified by verifying the signature, so as to confirm whether the electronic device 1 has the right of corresponding operation.
In at least one embodiment of the present invention, the electronic device 1 receives the data transmission instruction, which includes, but is not limited to, any of the following manners:
(1) The electronic device 1 detects a signal that the electronic device 1 is disconnected.
Specifically, in the process of data transmission, if the electronic device 1 is suddenly disconnected, the data transmission is interrupted, and at this time, the electronic device 1 reestablishes the connection to implement the continuous transmission of data.
(2) The electronic device 1 receives a signal, generated by the electronic device 1 at preset time intervals, that triggers data transmission.
Specifically, the electronic device 1 adopts a timing trigger mode.
Further, the preset time interval may be configured by the electronic device 1, or may be configured by the electronic device 1 receiving a setting of a user, which is not limited herein.
For example: the preset time interval may include 1 hour, 12 hours, etc.
(3) The electronic device 1 receives a signal configured by the electronic device 1 and triggering data transmission at a preset time.
Specifically, the preset time may be configured by the electronic device 1, or it may be custom-configured by the user to better meet the user's actual requirements; the present invention does not limit this.
Further, when the preset time is configured by the electronic device 1, the electronic device 1 may obtain a historical configuration mode, and configure the preset time according to the historical configuration mode, so as to improve the accuracy of the preset time configuration.
For example: the preset time may be 9 am on December 12, etc.
(4) The electronic device 1 receives a signal that a user triggers data transmission.
In particular, the signal for user-triggered data transmission may include, but is not limited to, one or more of the following:
1) A signal produced when the user touches a configuration key. The configuration key may be a physical key or a virtual key.
2) A configuration voice signal input by the user. For example: the configuration voice signal may include voice such as "initiate data transfer". The configuration voice signal may be custom set by the user. Of course, the electronic device 1 may also verify the configuration voice signal input by the user (including verifying the content of the voice and the tone of the voice, etc.) to determine whether the user has the right to start data transmission.
S11, the electronic device 1 sends the signature to the key management system 2 for verification.
In at least one embodiment of the present invention, the key management system 2 may connect the electronic device 1 and the application service platform 3, and the key management system 2 has the right to decrypt and verify the signature.
S12, when the signature passes the verification, the electronic device 1 receives the application service certificate sent by the key management system 2, together with the first encrypted data and the first random data generated by the key management system 2.
In at least one embodiment of the present invention, the application service credential is generated by the application service platform 3 and has no prescribed data format or composition; it is data related to an application service.
S13, the electronic equipment 1 generates second encrypted data according to the application service certificate.
In at least one embodiment of the present invention, the electronic device 1 generating the second encrypted data according to the application service credential includes:
the electronic device 1 obtains a User Identification (UID) of a secure element in the electronic device 1, generates a second session key of the electronic device 1 by using an ECC (Elliptic Curve Cryptography) encryption algorithm in combination with the application service certificate and the UID, and encrypts the first random data by using an Advanced Encryption Standard (AES) encryption algorithm in combination with the second session key to generate the second encrypted data.
Specifically, the ECC encryption algorithm is an asymmetric encryption algorithm, and the AES encryption algorithm is a symmetric encryption algorithm. The electronic device 1 encrypts the data by using a hybrid encryption algorithm (the asymmetric encryption algorithm ECC together with the symmetric encryption algorithm AES), so as to ensure security. In addition, the randomness of the second random data ensures data security.
S14, the electronic equipment 1 verifies the first encrypted data.
In at least one embodiment of the present invention, the electronic device 1 verifying the first encrypted data includes:
the electronic device 1 decrypts the first encrypted data to obtain the second random data used for generating the first encrypted data, and determines whether the second random data is correct in order to verify the first encrypted data. The second encrypted data is generated by the key management system 2.
Specifically, when the first encrypted data is correct, the subsequent steps are executed; when the first encrypted data is incorrect, the data transmission steps are stopped.
S15, when the first encrypted data passes verification, the electronic device 1 sends the second encrypted data to the key management system 2 for verification.
In at least one embodiment of the present invention, the electronic device 1 sends the second encrypted data to the key management system 2 for verification in order to obtain permission to log in to the application service platform 3.
S16, when the second encrypted data passes verification, the electronic device 1 logs in to the application service platform 3 to perform data transmission.
In at least one embodiment of the present invention, the logging in the application service platform 3 by the electronic device 1 for data transmission includes:
the electronic device 1 receives the uploaded initial data; when the initial data is configuration data of the electronic device 1, the electronic device 1 configures itself according to the configuration data; or, when the initial data is data to be transmitted, the electronic device 1 encrypts the data to be transmitted by using an AES encryption algorithm and transmits the encrypted data.
Further, the electronic device 1 transmitting the encrypted data to be transmitted includes:
when the data to be transmitted is uploaded by the terminal device 4 that communicates with the electronic device 1, the electronic device 1 sends the data to be transmitted to the application service platform 3;
or, when the data to be transmitted is uploaded by the application service platform 3, the electronic device 1 sends the data to be transmitted to the terminal device 4.
Through the above embodiment, the electronic device 1 relays data between the terminal device 4 and the application service platform 3, which avoids the insecurity of transmitting the data directly.
Specifically, the configuration data is a configuration item of the electronic device 1, such as a firmware update, and is used to manage the electronic device 1.
In at least one embodiment of the present invention, when the second encrypted data fails verification, the electronic device 1 is prohibited from logging in to the application service platform 3, so as to ensure the security of data transmission.
In summary, when a data transmission instruction is received, a signature of the secure element in the electronic device is obtained; the signature is sent to the key management system for verification; when the signature passes verification, the application service credential sent by the key management system is received, together with the first encrypted data and the first random data generated by the key management system; second encrypted data is generated according to the application service credential; the first encrypted data is verified; when the first encrypted data passes verification, the second encrypted data is sent to the key management system for verification; and when the second encrypted data passes verification, the electronic device logs in to the application service platform for data transmission. The invention effectively ensures the security of data transmission, uses a simple and flexible encryption scheme, is convenient to operate, and gives users a better experience.
Fig. 3 is a flow chart of another preferred embodiment of the data transmission method according to the present invention. The order of the steps in the flow chart may be changed and some steps may be omitted according to different needs.
S20, the key management system 2 receives a signature of a secure element in the electronic device 1.
S21, the key management system 2 verifies the signature.
S22, when the signature passes the verification, the key management system 2 obtains an application service credential from the application service platform 3.
In at least one embodiment of the present invention, the key management system 2 may obtain application service credentials from the application service platform 3 according to the signature, such that the application service credentials correspond to the request of the electronic device 1.
Of course, in other embodiments, the electronic device 1 may also obtain the application service credential in other manners, and the present invention is not limited thereto.
S23, the key management system 2 generates first encrypted data according to the application service certificate.
In at least one embodiment of the present invention, the key management system 2 generating first encryption data from the application service credential comprises:
the key management system 2 obtains the UID of the secure element in the electronic device 1 and the second random data generated by the electronic device 1, generates a first session key of the key management system 2 by using a Secure Hash Algorithm (SHA) in combination with the application service credential and the UID, and encrypts the second random data by using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
S24, the key management system 2 generates first random data.
S25, the key management system 2 sends the application service credential, the first encrypted data, and the first random data to the electronic device 1, so that the electronic device 1 verifies the first encrypted data.
S26, when the first encrypted data passes verification, the key management system 2 receives the second encrypted data sent by the electronic device 1.
S27, the key management system 2 verifies the second encrypted data.
In summary, the key management system 2 receives a signature of the secure element in the electronic device; verifies the signature; when the signature passes verification, obtains an application service credential from the application service platform; generates first encrypted data according to the application service credential; generates first random data; sends the application service credential, the first encrypted data and the first random data to the electronic device so that the electronic device verifies the first encrypted data; when the first encrypted data passes verification, receives the second encrypted data sent by the electronic device; and verifies the second encrypted data. The invention effectively ensures the security of data transmission, uses a simple and flexible encryption scheme, is convenient to operate, and gives users a better experience.
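The exchange of steps S12 to S16 (device side) and S23 to S27 (key management system side), as an added Go example that is not part of the patent. Assumptions: both sides derive the same session key with SHA-256 over the credential and the UID (the patent names SHA for the key management system and ECC for the device without saying how the two keys agree), AES is used in GCM mode, and every function name, field name and sample value is constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// must panics on errors that indicate a broken RNG or a wrong key length.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// sessionKey derives a 256-bit AES key from the application service credential
// and the secure element UID. Assumption: both sides use this SHA-256
// derivation; the patent does not say how its SHA and ECC derivations agree.
func sessionKey(credential, uid []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(len(credential) >> 8), byte(len(credential))}) // length prefix
	h.Write(credential)
	h.Write(uid)
	return h.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal encrypts random data and returns nonce || ciphertext || tag.
// Assumption: GCM mode; the patent only says "AES".
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// verify decrypts sealed data and compares it, in constant time, with the
// random data the verifying side expects.
func verify(key, sealed, expected []byte) bool {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return false
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	return err == nil && subtle.ConstantTimeCompare(plain, expected) == 1
}

// KMSResponse is the message of step S25 (field names are hypothetical).
type KMSResponse struct{ Credential, FirstEncrypted, FirstRandom []byte }

// kmsRespond covers S23 to S25: seal the device's second random data under
// the first session key and attach fresh first random data.
func kmsRespond(credential, uidOnRecord, secondRandom []byte) KMSResponse {
	return KMSResponse{credential, seal(sessionKey(credential, uidOnRecord), secondRandom), randomBytes(16)}
}

// deviceRespond covers S13 and S14: check the first encrypted data, and only
// then seal the first random data as the second encrypted data.
func deviceRespond(resp KMSResponse, uid, secondRandom []byte) ([]byte, bool) {
	key := sessionKey(resp.Credential, uid)
	if !verify(key, resp.FirstEncrypted, secondRandom) {
		return nil, false
	}
	return seal(key, resp.FirstRandom), true
}

// runExchange plays both sides, including the S27 check by the key management
// system, and reports whether login is permitted and the failing step if not.
func runExchange(credential, deviceUID, uidOnRecord []byte) (bool, string) {
	secondRandom := randomBytes(16) // generated by the device
	resp := kmsRespond(credential, uidOnRecord, secondRandom)
	secondEncrypted, ok := deviceRespond(resp, deviceUID, secondRandom)
	if !ok {
		return false, "S14"
	}
	if !verify(sessionKey(credential, uidOnRecord), secondEncrypted, resp.FirstRandom) {
		return false, "S27"
	}
	return true, ""
}

func main() {
	cred, uid := []byte("constructed-credential"), []byte("SE-UID-0001") // constructed
	fmt.Println(runExchange(cred, uid, uid))
	fmt.Println(runExchange(cred, []byte("SE-UID-9999"), uid))
}
```

A device whose UID differs from the one the key management system has on record stops at S14, so the second encrypted data is never sent and login is not attempted.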
Fig. 4 is a functional block diagram of a data transmission device according to a preferred embodiment of the present invention. The data transmission device 11 includes an acquisition unit 110, a transmission unit 111, a reception unit 112, an authentication unit 113, a generation unit 114, a login unit 115, and a prohibition unit 116. The module/unit referred to in the present invention refers to a series of computer program segments that can be executed by the processor 13 and that can perform a fixed function, and that are stored in the memory 12. In the present embodiment, the functions of the modules/units will be described in detail in the following embodiments.
When receiving the data transmission instruction, the obtaining unit 110 obtains the signature of the secure element in the electronic device 1.
In at least one embodiment of the present invention, the secure element is a chip that resists external malicious analysis attacks and protects data security. The chip has an encryption and decryption logic circuit, and the private key information written into the secure element is unreadable. The electromagnetic field of the algorithm is also processed, which prevents a hacker from cracking the system by analyzing parameters such as the electromagnetic characteristics of the secure element. As a result, even if a hacker cracks one device, cracking any other device costs the same effort again, and the whole system is not compromised because one device has been cracked.
In at least one embodiment of the present invention, the secure element has a signature therein, and the identity of the electronic device 1 can be further identified by verifying the signature, so as to confirm whether the electronic device 1 has the corresponding operation right.
In at least one embodiment of the present invention, the electronic device 1 receives the data transmission instruction, which includes, but is not limited to, any of the following manners:
(1) The electronic device 1 detects a signal that the electronic device 1 is disconnected.
Specifically, in the process of data transmission, if the electronic device 1 is suddenly disconnected, the data transmission is interrupted, and at this time, the electronic device 1 reestablishes the connection to implement the continuous transmission of data.
(2) The electronic device 1 receives a signal by which the electronic device 1 triggers data transmission at preset time intervals.
Specifically, the electronic device 1 adopts a timing trigger mode.
Further, the preset time interval may be configured by the electronic device 1 itself, or may be set by a user through the electronic device 1, which is not limited herein.
For example: the preset time interval may include 1 hour, 12 hours, etc.
(3) The electronic device 1 receives a signal, configured by the electronic device 1, that triggers data transmission at a preset time.
Specifically, the preset time may be configured by the electronic device 1, or the preset time may also be configured by the user in a user-defined manner, so as to better meet the actual requirement of the user, which is not limited in the present invention.
Further, when the preset time is configured by the electronic device 1, the electronic device 1 may obtain a historical configuration mode, and configure the preset time according to the historical configuration mode, so as to improve the accuracy of the preset time configuration.
For example: the preset time may be 9 a.m. on December 12, etc.
(4) The electronic device 1 receives a signal that a user triggers data transmission.
In particular, the signal for user-triggered data transmission may include, but is not limited to, one or more of the following:
1) A signal that the user has touched a configuration key. The configuration key may be a physical key or a virtual key.
2) A configuration voice signal input by the user. For example: the configuration voice signal may include voice such as "initiate data transfer". The configuration voice signal may be custom set by the user. Of course, the electronic device 1 may also verify the configuration voice signal input by the user (including verifying the content of the voice and the tone of the voice, etc.) to determine whether the user has the right to start data transmission.
The transmission unit 111 transmits the signature to the key management system 2 for verification.
In at least one embodiment of the present invention, the key management system 2 may connect the electronic device 1 and the application service platform 3, and the key management system 2 has the right to decrypt and verify the signature.
When the signature is verified, the receiving unit 112 receives the application service credential sent by the key management system 2, the first encrypted data generated by the key management system 2, and the first random data.
In at least one embodiment of the present invention, the application service credential is generated by the application service platform 3 without a specific data format and composition, and the application service credential is data related to an application service.
The generating unit 114 generates second encrypted data according to the application service credential.
In at least one embodiment of the present invention, the generating unit 114 generating the second encrypted data according to the application service credential includes:
the generating unit 114 obtains the User Identification (UID) of the secure element in the electronic device 1, generates a second session key of the electronic device 1 by using an elliptic curve cryptography (ECC) algorithm in combination with the application service credential and the UID, and encrypts the first random data by using the Advanced Encryption Standard (AES) algorithm in combination with the second session key to generate the second encrypted data.
Specifically, ECC is an asymmetric encryption algorithm and AES is a symmetric encryption algorithm. The generating unit 114 encrypts with a hybrid scheme (asymmetric ECC together with symmetric AES), which further ensures security. The randomness of the second random data also helps ensure data security.
The authentication unit 113 authenticates the first encrypted data.
In at least one embodiment of the present invention, the verification unit 113 verifying the first encrypted data includes:
the verification unit 113 decrypts the first encrypted data to obtain the second random data used to generate the first encrypted data, and determines whether the second random data is correct in order to verify the first encrypted data. The second encrypted data is generated by the key management system 2.
Specifically, when the first encrypted data is correct, the subsequent steps are executed; when the first encrypted data is incorrect, the step of transmitting data is stopped.
When the first encrypted data passes the verification, the transmission unit 111 transmits the second encrypted data to the key management system 2 for verification.
In at least one embodiment of the present invention, the sending unit 111 sends the second encrypted data to the key management system 2 for verification in order to obtain permission to log in to the application service platform 3.
When the second encrypted data passes verification, the login unit 115 logs in to the application service platform 3 for data transmission.
In at least one embodiment of the present invention, the login unit 115 logging in to the application service platform 3 for data transmission includes:
the login unit 115 receives the uploaded initial data, and when the initial data is configuration data of the electronic device 1, the login unit 115 configures the electronic device 1 according to the configuration data; or, when the initial data is to-be-transmitted data, the login unit 115 encrypts the to-be-transmitted data by using an AES encryption algorithm, and the login unit 115 transmits the encrypted to-be-transmitted data.
Further, the login unit 115 transmitting the encrypted data to be transmitted includes:
when the data to be transmitted is uploaded by the terminal device 4 communicating with the electronic device, the login unit 115 sends the data to be transmitted to the application service platform 3;
or, when the data to be transmitted is uploaded by the application service platform 3, the login unit 115 sends the data to be transmitted to the terminal device 4.
Through the above embodiment, the login unit 115 relays data between the terminal device 4 and the application service platform 3, which avoids the insecurity of transmitting the data directly.
Specifically, the configuration data is a configuration item of the electronic device 1, such as a firmware update, and is used to manage the electronic device 1.
In at least one embodiment of the present invention, when the second encrypted data fails verification, the prohibiting unit 116 prohibits the login unit 115 from logging in to the application service platform 3, so as to ensure the security of data transmission.
In summary, when a data transmission instruction is received, a signature of the secure element in the electronic device is acquired; the signature is sent to the key management system for verification; when the signature passes verification, the application service credential sent by the key management system is received, together with the first encrypted data and the first random data generated by the key management system; second encrypted data is generated according to the application service credential; the first encrypted data is verified; when the first encrypted data passes verification, the second encrypted data is sent to the key management system for verification; and when the second encrypted data passes verification, the electronic device logs in to the application service platform for data transmission. The invention effectively ensures the security of data transmission, uses a simple and flexible encryption scheme, is convenient to operate, and gives users a better experience.
Fig. 5 is a functional block diagram of a data transmission system according to a preferred embodiment of the present invention. The data transmission system 20 includes a receiving module 220, a verifying module 221, an obtaining module 222, a generating module 223, and a sending module 224. The module/unit referred to in the present invention refers to a series of computer program segments that can be executed by the processing device 23 and that can perform a fixed function, and that are stored in the storage device 22. In the present embodiment, the functions of the modules/units will be described in detail in the following embodiments.
The receiving module 220 receives the signature of the secure element in the electronic device 1.
The verification module 221 verifies the signature.
When the signature is verified, the obtaining module 222 obtains the application service credential from the application service platform 3.
In at least one embodiment of the present invention, the obtaining module 222 may obtain the application service credential from the application service platform 3 according to the signature, so that the application service credential corresponds to the request of the electronic device 1.
Of course, in other embodiments, the obtaining module 222 may also obtain the application service credential in other manners, and the present invention is not limited thereto.
The generating module 223 generates the first encrypted data according to the application service credential.
In at least one embodiment of the present invention, the generating module 223 generating the first encrypted data according to the application service credential includes:
the generating module 223 obtains the UID of the secure element in the electronic device 1 and the second random data generated by the electronic device 1, and generates the first session key of the key management system 2 by using a secure hash algorithm in combination with the application service credential and the UID, and the generating module 223 encrypts the second random data by using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
The generating module 223 generates first random data.
The sending module 224 sends the application service credential, the first encrypted data and the first random data to the electronic device 1, so that the electronic device 1 verifies the first encrypted data.
When the first encrypted data passes the verification, the receiving module 220 receives second encrypted data sent by the electronic device 1.
The authentication module 221 authenticates the second encrypted data.
In summary, a signature of the secure element in the electronic device is received; the signature is verified; when the signature passes verification, an application service credential is obtained from the application service platform; first encrypted data is generated according to the application service credential; first random data is generated; the application service credential, the first encrypted data and the first random data are sent to the electronic device so that the electronic device verifies the first encrypted data; when the first encrypted data passes verification, the second encrypted data sent by the electronic device is received; and the second encrypted data is verified. The invention effectively ensures the security of data transmission, uses a simple and flexible encryption scheme, is convenient to operate, and gives users a better experience.
Fig. 6 is a schematic structural diagram of an electronic device implementing a data transmission method according to a preferred embodiment of the invention.
The electronic device 1 is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The electronic device 1 may be, but is not limited to, any electronic product that can interact with a user through a keyboard, a mouse, a remote controller, a touch panel, or a voice control device, for example, a personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game console, an Internet Protocol Television (IPTV), an intelligent wearable device, and the like.
The electronic device 1 may also be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices.
The network where the electronic device 1 is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a Virtual Private Network (VPN), and the like.
In one embodiment of the present invention, the electronic device 1 includes, but is not limited to, a memory 12, a processor 13, and a computer program, such as a data transfer program, stored in the memory 12 and executable on the processor 13.
It will be appreciated by a person skilled in the art that the schematic diagram is only an example of the electronic device 1 and does not constitute a limitation of the electronic device 1, which may comprise more or fewer components than shown, combine some components, or use different components; for example, the electronic device 1 may further comprise an input/output device, a network access device, a bus, etc.
The processor 13 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The processor 13 is the operation core and control center of the electronic device 1; it connects the parts of the electronic device 1 through various interfaces and lines, and executes the operating system of the electronic device 1 and the installed application programs, program code and the like.
The processor 13 executes an operating system of the electronic device 1 and various installed application programs. The processor 13 executes the application program to implement the steps in the above-described respective data transmission method embodiments, such as steps S10, S11, S12, S13, S14, S15, S16 shown in fig. 1.
Alternatively, the processor 13, when executing the computer program, implements the functions of each module/unit in the foregoing device embodiments, for example: when a data transmission instruction is received, acquiring a signature of the secure element in the electronic device; sending the signature to the key management system for verification; when the signature passes verification, receiving the application service credential sent by the key management system, together with the first encrypted data and the first random data generated by the key management system; generating second encrypted data according to the application service credential; verifying the first encrypted data; when the first encrypted data passes verification, sending the second encrypted data to the key management system for verification; and logging in to the application service platform for data transmission when the second encrypted data passes verification.
Illustratively, the computer program may be partitioned into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to implement the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program in the electronic device 1. For example, the computer program may be divided into an acquisition unit 110, a transmission unit 111, a reception unit 112, an authentication unit 113, a generation unit 114, a login unit 115, and a prohibition unit 116.
The memory 12 can be used for storing the computer programs and/or modules, and the processor 13 implements various functions of the electronic device 1 by running or executing the computer programs and/or modules stored in the memory 12 and calling data stored in the memory 12. The memory 12 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 12 may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a circuit with a storage function that has no physical form in the integrated circuit, such as a RAM (Random-Access Memory), a FIFO (First In First Out), and the like. Alternatively, the memory 12 may be a memory in a physical form, such as a memory stick, a TF Card (Trans-flash Card), or the like.
The integrated modules/units of the electronic device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), electrical carrier signals, telecommunications signals, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be extended or restricted as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable media may not include electrical carrier signals or telecommunications signals in accordance with legislation and patent practice.
In conjunction with fig. 2, the memory 12 in the electronic device 1 stores a plurality of instructions to implement a data transmission method, and the processor 13 can execute the plurality of instructions to implement: when a data transmission instruction is received, acquiring a signature of the secure element in the electronic device; sending the signature to the key management system for verification; when the signature passes verification, receiving the application service credential sent by the key management system, together with the first encrypted data and the first random data generated by the key management system; generating second encrypted data according to the application service credential; verifying the first encrypted data; when the first encrypted data passes verification, sending the second encrypted data to the key management system for verification; and logging in to the application service platform for data transmission when the second encrypted data passes verification.
According to the preferred embodiment of the present invention, the receiving of the data transmission instruction includes any one of the following manners:
detecting a signal that the electronic device is disconnected; or
receiving a signal by which the electronic device triggers data transmission at preset time intervals; or
receiving a signal, configured by the electronic device, that triggers data transmission at a preset time; or
receiving a signal that the user triggers data transmission.
According to a preferred embodiment of the present invention, the processor 13 further executes a plurality of instructions including:
acquiring the user identification (UID) of the secure element in the electronic device;
generating a second session key of the electronic device by using an elliptic curve cryptography (ECC) algorithm in combination with the application service credential and the UID;
encrypting the first random data by using an Advanced Encryption Standard (AES) encryption algorithm in combination with the second session key to generate the second encrypted data.
According to a preferred embodiment of the present invention, the processor 13 further executes a plurality of instructions including:
receiving the uploaded initial data;
when the initial data is configuration data of the electronic device, configuring the electronic device according to the configuration data; or
when the initial data is data to be transmitted, encrypting the data to be transmitted by using an AES encryption algorithm, and transmitting the encrypted data.
According to a preferred embodiment of the present invention, the processor 13 further executes a plurality of instructions including:
when the data to be transmitted is uploaded by a terminal device that communicates with the electronic device, sending the data to be transmitted to the application service platform; or
when the data to be transmitted is uploaded by the application service platform, sending the data to be transmitted to the terminal device.
According to a preferred embodiment of the present invention, the processor 13 further executes a plurality of instructions including:
when the second encrypted data does not pass verification, prohibiting the electronic equipment from logging in the application service platform.
Specifically, for the implementation of the above instructions by the processor 13, reference may be made to the description of the relevant steps in the embodiment corresponding to fig. 2, and details are not repeated herein.
Fig. 7 is a schematic structural diagram of a key management system for implementing a data transmission method according to a preferred embodiment of the present invention.
The key management system 2 is a device capable of automatically performing numerical calculation and/or information processing according to a preset or stored instruction, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The key management system 2 may also be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices.
The network where the key management system 2 is located includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a Virtual Private Network (VPN), and the like.
In one embodiment of the present invention, the key management system 2 includes, but is not limited to, a storage device 22, a processing device 23, and a computer program, such as a data transfer program, stored in the storage device 22 and executable on the processing device 23.
It will be appreciated by those skilled in the art that the schematic diagram is merely an example of the key management system 2 and does not limit it; the key management system 2 may include more or fewer components than shown, may combine some components, or may use different components. For example, the key management system 2 may also include input-output devices, network access devices, buses, etc.
The processing device 23 may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The general-purpose processor may be a microprocessor or any conventional processor. The processing device 23 is the operation core and control center of the key management system 2; it connects the various parts of the whole key management system 2 through various interfaces and lines, and executes the operating system of the key management system 2 and the various installed application programs, program codes, and the like.
The processing device 23 executes the operating system of the key management system 2 and various types of applications installed. The processing device 23 executes the application program to implement the steps in the above-described respective data transmission method embodiments, such as steps S20, S21, S22, S23, S24, S25, S26, S27 shown in fig. 3.
Alternatively, the processing device 23, when executing the computer program, implements the functions of the modules/units in the above device embodiments, for example: receiving a signature of a secure element in the electronic equipment; verifying the signature; when the signature passes the verification, acquiring an application service certificate from the application service platform; generating first encrypted data according to the application service certificate; generating first random data; sending the application service certificate, the first encrypted data and the first random data to the electronic equipment so that the electronic equipment verifies the first encrypted data; when the first encrypted data passes verification, receiving second encrypted data sent by the electronic equipment; the second encrypted data is verified.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the storage device 22 and executed by the processing device 23 to accomplish the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program in the key management system 2. For example, the computer program may be divided into a receiving module 220, a verifying module 221, an obtaining module 222, a generating module 223, and a sending module 224.
The storage device 22 may be used to store the computer programs and/or modules, and the processing device 23 may implement various functions of the key management system 2 by running or executing the computer programs and/or modules stored in the storage device 22 and calling data stored in the storage device 22. The storage device 22 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. In addition, the storage device 22 may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The storage device 22 may be an external memory and/or an internal memory of the key management system 2. Further, the storage device 22 may be a circuit with a storage function that has no physical form in an integrated circuit, such as a RAM (Random-Access Memory), a FIFO (First In First Out), or the like. Alternatively, the storage device 22 may be a memory having a physical form, such as a memory stick, a TF Card (Trans-flash Card), and the like.
The integrated modules/units of the key management system 2 may be stored in a computer-readable storage medium if they are implemented as software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals, in accordance with legislation and patent practice.
With reference to fig. 3, the storage device 22 in the key management system 2 stores a plurality of instructions to implement a data transmission method, and the processing device 23 can execute the plurality of instructions to implement: receiving a signature of a secure element in the electronic equipment; verifying the signature; when the signature passes the verification, acquiring an application service certificate from the application service platform; generating first encrypted data according to the application service certificate; generating first random data; sending the application service certificate, the first encrypted data and the first random data to the electronic equipment so that the electronic equipment verifies the first encrypted data; when the first encrypted data passes verification, receiving second encrypted data sent by the electronic equipment; the second encrypted data is verified.
According to a preferred embodiment of the present invention, the processing device 23 further executes a plurality of instructions including:
acquiring a UID of a secure element in the electronic equipment and second random data generated by the electronic equipment;
generating a first session key of the key management system by adopting a secure hash algorithm and combining the application service certificate and the UID;
encrypting the second random data using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
Specifically, for the implementation of the above instructions by the processing device 23, reference may be made to the description of the relevant steps in the embodiment corresponding to fig. 3, which is not repeated herein.
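As an added illustration (not part of the patent text), the Go sketch below plays the two-way check described above: the key management system encrypts the device's second random data under the first session key, and the device answers by encrypting the first random data under the second session key. Assumptions: both keys are derived with SHA-256 over the certificate and UID because the text does not detail the device-side ECC derivation, the AES mode is AES-256-GCM with a direction label as associated data, the secure element signature step is omitted, and all function names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var errVerify = errors.New("encrypted data failed verification")

// deriveKey maps certificate and UID to an AES-256 session key. Assumption:
// SHA-256(SHA-256(cert) || uid); the text names only "a secure hash algorithm".
func deriveKey(cert, uid []byte) [32]byte {
	c := sha256.Sum256(cert)
	return sha256.Sum256(append(c[:], uid...))
}

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for AES's 16-byte block
	return gcm
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue with predictable challenges or IVs
	}
	return b
}

// seal returns iv || AES-GCM(challenge). Assumption: dir is bound as associated
// data so a blob from one direction is rejected when replayed in the other.
func seal(key [32]byte, dir string, challenge []byte) []byte {
	iv := random(12) // standard GCM nonce length
	return newGCM(key).Seal(iv, iv, challenge, []byte(dir))
}

// verify decrypts blob and compares it with the random data this side expects.
func verify(key [32]byte, dir string, blob, want []byte) error {
	if len(blob) < 12 {
		return errVerify
	}
	pt, err := newGCM(key).Open(nil, blob[:12], blob[12:], []byte(dir))
	if err != nil || subtle.ConstantTimeCompare(pt, want) != 1 {
		return errVerify
	}
	return nil
}

// runExchange plays both roles; the KMS and the device each hold their own UID copy.
func runExchange(cert, kmsUID, devUID []byte) (bool, error) {
	r1, r2 := random(16), random(16) // first (KMS) and second (device) random data
	kmsKey, devKey := deriveKey(cert, kmsUID), deriveKey(cert, devUID)
	first := seal(kmsKey, "kms->device", r2) // first encrypted data
	if verify(devKey, "kms->device", first, r2) != nil {
		return false, fmt.Errorf("device rejects key management system: %w", errVerify)
	}
	second := seal(devKey, "device->kms", r1) // second encrypted data
	if verify(kmsKey, "device->kms", second, r1) != nil {
		return false, fmt.Errorf("login prohibited: %w", errVerify)
	}
	return true, nil
}

func main() {
	cert, uid := []byte("constructed-certificate"), []byte("UID-0001")
	fmt.Println(runExchange(cert, uid, uid))                // matching UID
	fmt.Println(runExchange(cert, uid, []byte("UID-9999"))) // wrong UID
}
```

Because each side compares the decrypted value with the random data of the current run, a blob recorded from an earlier session fails verification even when the session key is unchanged.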
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it will be obvious that the term "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (9)

1. A data transmission method applied to electronic equipment, characterized in that the electronic equipment communicates with a key management system and an application service platform, the method comprising:
when a data transmission instruction is received, acquiring a signature of a secure element in the electronic equipment;
sending the signature to the key management system for verification;
when the signature passes the verification, receiving an application service certificate sent by the key management system, first encrypted data generated by the key management system and first random data;
generating second encrypted data according to the application service certificate;
verifying the first encrypted data;
when the first encrypted data passes verification, the second encrypted data is sent to the key management system for verification;
logging in the application service platform for data transmission when the second encrypted data passes verification;
wherein the generating of second encrypted data according to the application service certificate comprises:
acquiring a user identity UID of a secure element in the electronic equipment;
generating a second session key of the electronic equipment by adopting an elliptic curve cryptography (ECC) algorithm and combining the application service certificate and the UID;
encrypting the first random data using an Advanced Encryption Standard (AES) encryption algorithm in combination with the second session key to generate the second encrypted data.
2. The data transmission method of claim 1, wherein the receiving of the data transmission instruction comprises any one of:
detecting a signal that the electronic equipment is disconnected; or
receiving a signal that triggers data transmission of the electronic equipment at preset time intervals; or
receiving a signal, configured by the electronic equipment, that triggers data transmission at a preset time; or
receiving a signal by which the user triggers the data transmission.
3. The data transmission method of claim 1, wherein the logging in the application service platform for data transmission comprises:
receiving the uploaded initial data;
when the initial data is the configuration data of the electronic equipment, configuring the electronic equipment according to the configuration data; or
when the initial data is the data to be transmitted, encrypting the data to be transmitted by adopting an AES encryption algorithm, and transmitting the encrypted data to be transmitted.
4. The data transmission method according to claim 3, wherein the transmitting the encrypted data to be transmitted includes:
when the data to be transmitted is uploaded by the terminal equipment communicated with the electronic equipment, the data to be transmitted is sent to the application service platform; or
when the data to be transmitted is uploaded by the application service platform, sending the data to be transmitted to the terminal equipment.
5. The data transmission method of claim 1, wherein the method further comprises:
when the second encrypted data does not pass verification, prohibiting the electronic equipment from logging in the application service platform.
6. A data transmission method applied to a key management system, characterized in that the key management system communicates with an electronic device and an application service platform, the method comprising:
receiving a signature of a secure element in the electronic equipment;
verifying the signature;
when the signature passes the verification, acquiring an application service certificate from the application service platform;
generating first encrypted data according to the application service certificate;
generating first random data;
sending the application service certificate, the first encrypted data and the first random data to the electronic equipment so that the electronic equipment verifies the first encrypted data;
when the first encrypted data passes verification, receiving second encrypted data sent by the electronic equipment;
verifying the second encrypted data.
7. The data transmission method of claim 6, wherein the generating of first encrypted data according to the application service certificate comprises:
acquiring a UID of a secure element in the electronic equipment and second random data generated by the electronic equipment;
generating a first session key of the key management system by adopting a secure hash algorithm and combining the application service certificate and the UID;
encrypting the second random data using an AES encryption algorithm in combination with the first session key to generate the first encrypted data.
8. An electronic device, characterized in that the electronic device comprises:
a processor; and
a memory, instructions stored in the memory being executable by the processor to implement the data transmission method of any one of claims 1 to 5.
9. A computer-readable storage medium characterized by: the instructions stored in the computer-readable storage medium are executed by a processor in an electronic device to implement the data transmission method of any one of claims 1 to 5.
CN201811186139.4A 2018-10-11 2018-10-11 Data transmission method, electronic device and computer readable storage medium Active CN109361508B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811186139.4A CN109361508B (en) 2018-10-11 2018-10-11 Data transmission method, electronic device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811186139.4A CN109361508B (en) 2018-10-11 2018-10-11 Data transmission method, electronic device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109361508A CN109361508A (en) 2019-02-19
CN109361508B true CN109361508B (en) 2022-11-18

Family

ID=65348866

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811186139.4A Active CN109361508B (en) 2018-10-11 2018-10-11 Data transmission method, electronic device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109361508B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011995B (en) * 2019-03-26 2021-04-09 创新先进技术有限公司 Encryption and decryption method and device in multicast communication
CN110324143B (en) * 2019-05-24 2022-03-11 平安科技(深圳)有限公司 Data transmission method, electronic device and storage medium
CN112242901B (en) * 2019-07-16 2023-09-19 中国移动通信集团浙江有限公司 Service verification method, device, equipment and computer storage medium
CN111080296B (en) * 2019-12-05 2023-12-01 深圳前海微众银行股份有限公司 Verification method and device based on blockchain system
CN113098830B (en) * 2019-12-23 2022-05-17 华为技术有限公司 Communication method and related product
CN111400701A (en) * 2020-03-31 2020-07-10 广东金宇恒软件科技有限公司 Public financial system for processing data at high speed
CN114710359B (en) * 2022-04-15 2024-02-06 沈阳邦粹科技有限公司 Industrial network dynamic key management method and industrial network encryption communication method
CN114785596A (en) * 2022-04-22 2022-07-22 贵州爱信诺航天信息有限公司 Industrial control service platform, method and storage medium based on domestic password

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101277234A (en) * 2007-03-28 2008-10-01 华为技术有限公司 Household network and entry method
EP3079298B1 (en) * 2007-11-30 2018-03-21 Telefonaktiebolaget LM Ericsson (publ) Key management for secure communication
CN103346885B (en) * 2013-06-26 2016-02-24 飞天诚信科技股份有限公司 A kind of Activiation method of token device
CN106549966B (en) * 2016-10-31 2020-09-04 美的智慧家居科技有限公司 Method and system for switching communication security level, household appliance and mobile terminal
CN107094156B (en) * 2017-06-21 2020-02-28 北京明朝万达科技股份有限公司 Secure communication method and system based on P2P mode

Also Published As

Publication number Publication date
CN109361508A (en) 2019-02-19

Similar Documents

Publication Publication Date Title
CN109361508B (en) Data transmission method, electronic device and computer readable storage medium
US11757662B2 (en) Confidential authentication and provisioning
CN108092776B (en) System based on identity authentication server and identity authentication token
EP2999189B1 (en) Network authentication method for secure electronic transactions
US9467430B2 (en) Device, method, and system for secure trust anchor provisioning and protection using tamper-resistant hardware
CN101212293B (en) Identity authentication method and system
US8724819B2 (en) Credential provisioning
US20160080157A1 (en) Network authentication method for secure electronic transactions
CN108737106B (en) User authentication method and device on block chain system, terminal equipment and storage medium
US20160125180A1 (en) Near Field Communication Authentication Mechanism
US11050570B1 (en) Interface authenticator
WO2015192670A1 (en) User identity authentication method, terminal and service terminal
KR20200013764A (en) Method for mutual symmetric authentication between first application and second application
CN101588245A (en) A kind of method of authentication, system and memory device
WO2023083007A1 (en) Internet of things device identity authentication method, apparatus and system, and storage medium
CN110598429B (en) Data encryption storage and reading method, terminal equipment and storage medium
CN109618334A (en) Control method and relevant device
US20120124378A1 (en) Method for personal identity authentication utilizing a personal cryptographic device
CN114780923A (en) Electronic seal management and control method and system
Alzomai et al. The mobile phone as a multi OTP device using trusted computing
CN110838919A (en) Communication method, storage method, operation method and device
CN113366461A (en) Accessing firmware settings using asymmetric cryptography
JP2017530636A (en) Authentication stick
CN2914498Y (en) Information security device based on universal serial bus human-computer interaction type device
CN110098915B (en) Authentication method and system, and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20221028

Address after: Room 701, 702, 705, Floor 6, Building 3, Yard 29, North Third Ring Road Middle, Xicheng District, Beijing 100032

Applicant after: Lianyang Guorong (Beijing) Technology Co.,Ltd.

Address before: 518,000 1502 Tianliao Building, Tianliao Industrial Zone A, Taoyuan Street, Nanshan District, Shenzhen, Guangdong

Applicant before: SHENZHEN JEANSWAY TECHNOLOGY Co.,Ltd.

GR01 Patent grant