CN109450881B - A kind of data transmission system, method and device - Google Patents
A kind of data transmission system, method and device
- Publication number: CN109450881B (application CN201811259224.9A)
- Authority: CN (China)
- Prior art keywords: key, data, data transmission, ciphertext, secrete
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/16—Obfuscation or hiding, e.g. involving white box
Abstract
The invention discloses a data transmission system, method and device in the technical field of data transmission, intended to solve the problems that communication data is easily leaked and that key maintenance cost is high. Specifically, a first data transmission client encrypts the communication data with a data encryption key to obtain ciphertext data, converts the data encryption key into a hidden key, and sends the ciphertext data and the hidden key to the data transmission server by digital envelope; the data transmission server forwards them to a second data transmission client. The second data transmission client restores the hidden key to the data encryption key and then decrypts the first ciphertext data with the data encryption key to obtain the communication data. In this way the data transmission server can obtain only the hidden key, with which the communication data cannot be decrypted, so the security of the communication data is guaranteed; moreover, data transmission clients need not maintain a large number of shared keys, which reduces key maintenance cost.
Description
Technical field
The present invention relates to the technical field of encrypted data transmission, and in particular to a data transmission system, method and device.
Background art
Currently, there are mainly two methods for the encrypted transmission of communication data:
(1) Encrypted transmission based on a digital envelope. Specifically, the data transmission client encrypts the communication data with a symmetric key to obtain the ciphertext data of the communication data, encrypts the symmetric key with the service public key of the data transmission server to obtain the ciphertext data of the symmetric key, and sends both the ciphertext data of the communication data and the ciphertext data of the symmetric key to the data transmission server, which forwards them to the target data transmission client.
Obviously, in this encrypted transmission method based on a digital envelope, the data transmission server can decrypt all communication data, so there is a security risk that the communication data is leaked.
(2) Encrypted transmission based on a shared key. Specifically, the data transmission client encrypts the communication data with a shared key to obtain the ciphertext data of the communication data, and then sends the shared key together with the ciphertext data of the communication data to the data transmission server, which relays them to the target data transmission client.
Obviously, in the encrypted transmission method based on a shared key, once the shared key has been cracked anyone can decrypt the communication data, which causes the communication data to leak. Moreover, a data transmission client must maintain a large number of shared keys in order to transmit data with different target data transmission clients, which increases the cost of maintaining shared keys.
Summary of the invention
Embodiments of the invention provide a data transmission system, method, apparatus, equipment and medium, to solve the problems in the prior art that the encrypted transmission method based on a digital envelope leaks communication data because the data transmission server can decrypt it, and that the encrypted transmission method based on a shared key leaks communication data easily and has a high key maintenance cost.
The specific technical solutions provided by embodiments of the invention are as follows:
A data transmission system, comprising: a first data transmission client, a data transmission server and a second data transmission client, wherein
the first data transmission client is configured to obtain communication data and generate a data encryption key; encrypt the communication data with the data encryption key to obtain first ciphertext data; perform key conversion processing on the data encryption key to obtain a hidden key, and encrypt the hidden key with the service public key of the data transmission server to obtain second ciphertext data; and send the first ciphertext data and the second ciphertext data to the data transmission server; wherein the hidden key serves to protect the data encryption key against leakage at the data transmission server;
the data transmission server is configured to receive the first ciphertext data and the second ciphertext data; decrypt the second ciphertext data with the service private key of the data transmission server to obtain the hidden key, and encrypt the hidden key with the communication public key of the second data transmission client to obtain third ciphertext data; and send the first ciphertext data and the third ciphertext data to the second data transmission client;
the second data transmission client is configured to receive the first ciphertext data and the third ciphertext data; decrypt the third ciphertext data with the communication private key of the second data transmission client to obtain the hidden key; perform key recovery processing on the hidden key to obtain the data encryption key, and decrypt the first ciphertext data with the data encryption key to obtain the communication data.
In the data transmission system provided by embodiments of the invention, the first data transmission client is configured to perform key conversion processing on the data encryption key based on a built-in transition key to obtain the hidden key;
the second data transmission client is configured to perform key recovery processing on the hidden key based on the built-in transition key to obtain the data encryption key.
The data transmission system provided by embodiments of the invention further comprises a key management server, wherein
the key management server is configured to generate the transition key; encrypt the transition key with the communication public key of the first data transmission client to obtain first conversion ciphertext data and send the first conversion ciphertext data to the first data transmission client; and encrypt the transition key with the communication public key of the second data transmission client to obtain second conversion ciphertext data and send the second conversion ciphertext data to the second data transmission client;
the first data transmission client is configured to decrypt the first conversion ciphertext data with the communication private key of the first data transmission client to obtain the transition key, and to perform key conversion processing on the data encryption key based on the decrypted transition key to obtain the hidden key;
the second data transmission client is configured to decrypt the second conversion ciphertext data with the communication private key of the second data transmission client to obtain the transition key, and to perform key recovery processing on the hidden key based on the decrypted transition key to obtain the data encryption key.
In the data transmission system provided by embodiments of the invention, the first data transmission client is configured to XOR the data encryption key with the transition key to obtain the hidden key; or to OR the data encryption key with the transition key to obtain the hidden key; or to AND the data encryption key with the transition key to obtain a hidden AND key, and to hash the hidden AND key to obtain the hidden key;
the second data transmission client is configured to XOR the hidden key with the transition key to obtain the data encryption key; or to OR the hidden key with the transition key to obtain the data encryption key; or to AND the hidden key with the transition key to obtain a restored AND key, and to hash the restored AND key to obtain the data encryption key.
In the data transmission system provided by embodiments of the invention, the first data transmission client is further configured, when it determines that the communication data corresponds to multiple second data transmission clients, to obtain the identification information of each of the multiple second data transmission clients, generate a user list from the identification information of the multiple target data transmission clients, and send the user list, the first ciphertext data and the second ciphertext data to the data transmission server;
the data transmission server is further configured to receive the user list, the first ciphertext data and the second ciphertext data; decrypt the second ciphertext data with the service private key of the data transmission server to obtain the hidden key; determine, from the identification information of the multiple second data transmission clients recorded in the user list, the communication public key of each of the multiple second data transmission clients; encrypt the hidden key separately with each of these communication public keys to obtain the third ciphertext data corresponding to each second data transmission client; and send each second data transmission client its corresponding third ciphertext data together with the first ciphertext data.
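The exchange described above (first client, data transmission server, one or more second clients named in a user list), as an added example written for this page and not code from the patent. It implements the XOR key-conversion variant and assumes, since the patent names no primitives, AES-256-GCM for the data encryption key, RSA-OAEP for the service and communication key pairs, 32-byte keys, and a transition key already shared by the two clients (the key management server's distribution step is not modelled). The check at the server shows the security-relevant point: holding only the hidden key, the server cannot open the first ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const keyLen = 32 // assumption: 256-bit data encryption key and transition key

// must turns errors from the setup helpers into panics; in this example every
// such failure (key generation, entropy, a malformed wrap) is fatal anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// xorKeys is the patent's XOR key-conversion step; because XOR is its own
// inverse, the same call performs key recovery (hidden XOR transition == dek).
func xorKeys(a, b []byte) []byte {
	if len(a) != len(b) {
		panic("key lengths differ")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sealGCM / openGCM: AES-256-GCM with the random nonce prepended to the ciphertext.
func sealGCM(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func openGCM(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// wrap / unwrap: RSA-OAEP transport of a key to one party's public key.
func wrap(pub *rsa.PublicKey, k []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil))
}

func unwrap(priv *rsa.PrivateKey, ct []byte) []byte {
	return must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil))
}

// RunProtocol sends message from one sender to n recipients via the transport
// server. It returns the plaintext each recipient reconstructed and whether the
// server could open the first ciphertext with the only key it ever holds.
func RunProtocol(message []byte, n int) (recovered [][]byte, serverCanDecrypt bool) {
	server := must(rsa.GenerateKey(rand.Reader, 2048))
	// Transition key shared by sender and recipients (built in, or issued by the
	// key management server); the transport server never receives it.
	transition := randBytes(keyLen)
	// --- first data transmission client ---
	dek := randBytes(keyLen)                  // data encryption key, fresh per message
	first := sealGCM(dek, message)            // first ciphertext data
	hidden := xorKeys(dek, transition)        // key conversion
	second := wrap(&server.PublicKey, hidden) // second ciphertext data
	// --- data transmission server ---
	hiddenAtServer := unwrap(server, second)
	_, err := openGCM(hiddenAtServer, first) // the hidden key is not the DEK
	serverCanDecrypt = err == nil
	for i := 0; i < n; i++ { // one third ciphertext per recipient in the user list
		recipient := must(rsa.GenerateKey(rand.Reader, 2048))
		third := wrap(&recipient.PublicKey, hiddenAtServer) // third ciphertext data
		// --- second data transmission client ---
		hiddenAtRecipient := unwrap(recipient, third)
		dekRecovered := xorKeys(hiddenAtRecipient, transition) // key recovery
		recovered = append(recovered, must(openGCM(dekRecovered, first)))
	}
	return recovered, serverCanDecrypt
}

func main() {
	recovered, serverCanDecrypt := RunProtocol([]byte("constructed sample message"), 2)
	fmt.Printf("recipients=%d serverCanDecrypt=%v\n", len(recovered), serverCanDecrypt)
}
```

XOR is its own inverse, which is why one function serves as both the conversion step at the first client and the recovery step at the second client; the OR and AND-with-hash variants listed in the text are not shown because they do not invert in the same way. Because the transition key never passes through the transport server, what the server decrypts from the second ciphertext is unusable against the first ciphertext, and the AES-GCM authentication failure in the server section is the observable form of that property.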
A data transmission method, applied to a first data transmission client, comprising:
obtaining communication data and generating a data encryption key;
encrypting the communication data with the data encryption key to obtain first ciphertext data;
performing key conversion processing on the data encryption key to obtain a hidden key, and encrypting the hidden key with the service public key of the data transmission server to obtain second ciphertext data; wherein the hidden key serves to protect the data encryption key against leakage at the data transmission server;
sending the first ciphertext data and the second ciphertext data to the data transmission server.
In the data transmission method provided by embodiments of the invention, performing key conversion processing on the data encryption key to obtain the hidden key comprises:
reading a built-in transition key;
performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
In the data transmission method provided by embodiments of the invention, performing key conversion processing on the data encryption key to obtain the hidden key comprises:
decrypting, with the communication private key of the first data transmission client, the first conversion ciphertext data sent by the key management server to obtain the transition key; wherein the first conversion ciphertext data are obtained by the key management server encrypting the generated transition key with the communication public key of the first data transmission client;
performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
In the data transmission method provided by embodiments of the invention, performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key comprises:
XORing the data encryption key with the transition key to obtain the hidden key; or
ORing the data encryption key with the transition key to obtain the hidden key; or
ANDing the data encryption key with the transition key to obtain a hidden AND key, and hashing the hidden AND key to obtain the hidden key.
In the data transmission method provided by embodiments of the invention, if it is determined that the communication data corresponds to multiple second data transmission clients, the method further comprises:
obtaining the identification information of each of the multiple second data transmission clients;
generating a user list from the identification information of the multiple target data transmission clients;
sending the user list, the first ciphertext data and the second ciphertext data to the data transmission server.
A data transmission method, applied to a data transmission server, comprising:
receiving first ciphertext data and second ciphertext data sent by a first data transmission client; wherein the first ciphertext data are obtained by the first data transmission client encrypting the obtained communication data with a generated data encryption key, and the second ciphertext data are obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server;
decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key, and encrypting the hidden key with the communication public key of a second data transmission client to obtain third ciphertext data;
sending the first ciphertext data and the third ciphertext data to the second data transmission client.
In the data transmission method provided by embodiments of the invention, when a user list recording the identification information of multiple second data transmission clients is received from the first data transmission client together with the first ciphertext data and the second ciphertext data, the method further comprises:
determining, from the identification information of the multiple second data transmission clients recorded in the user list, the communication public key of each of the multiple second data transmission clients;
encrypting the hidden key separately with each of these communication public keys to obtain the third ciphertext data corresponding to each second data transmission client;
sending each second data transmission client its corresponding third ciphertext data together with the first ciphertext data.
A data transmission method, applied to a second data transmission client, comprising:
receiving first ciphertext data sent by a data transmission server and third ciphertext data obtained by the data transmission server from second ciphertext data; wherein the first ciphertext data are obtained by a first data transmission client encrypting the obtained communication data with a generated data encryption key and are sent to the data transmission server; the second ciphertext data are obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server, and are sent to the data transmission server; the third ciphertext data are obtained by the data transmission server decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key and encrypting the hidden key with the communication public key of the second data transmission client; and wherein the hidden key serves to protect the data encryption key against leakage at the data transmission server;
decrypting the third ciphertext data with the communication private key of the second data transmission client to obtain the hidden key;
performing key recovery processing on the hidden key to obtain the data encryption key, and decrypting the first ciphertext data with the data encryption key to obtain the communication data.
In the data transmission method provided by embodiments of the invention, performing key recovery processing on the hidden key to obtain the data encryption key comprises:
reading a built-in transition key;
performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
In the data transmission method provided by embodiments of the invention, performing key recovery processing on the hidden key to obtain the data encryption key comprises:
decrypting, with the communication private key of the second data transmission client, the second conversion ciphertext data sent by the key management server to obtain the transition key; wherein the second conversion ciphertext data are obtained by the key management server encrypting the generated transition key with the communication public key of the second data transmission client;
performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
In the data transmission method provided by embodiments of the invention, performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key comprises:
XORing the hidden key with the transition key to obtain the data encryption key; or
ORing the hidden key with the transition key to obtain the data encryption key; or
ANDing the hidden key with the transition key to obtain a restored AND key, and hashing the restored AND key to obtain the data encryption key.
A data transmission device, applied to a first data transmission client, comprising:
a data acquisition unit, configured to obtain communication data;
a first encryption unit, configured to generate a data encryption key and to encrypt, with the data encryption key, the communication data obtained by the data acquisition unit to obtain first ciphertext data;
a key conversion unit, configured to perform key conversion on the data encryption key generated by the first encryption unit to obtain a hidden key; wherein the hidden key serves to protect the data encryption key against leakage at the data transmission server;
a second encryption unit, configured to encrypt, with the service public key of the data transmission server, the hidden key produced by the key conversion unit to obtain second ciphertext data;
a data sending unit, configured to send the first ciphertext data obtained by the first encryption unit and the second ciphertext data obtained by the second encryption unit to the data transmission server.
A data transmission device, applied to a data transmission server, comprising:
a data receiving unit, configured to receive first ciphertext data and second ciphertext data sent by a first data transmission client; wherein the first ciphertext data are obtained by the first data transmission client encrypting the obtained communication data with a generated data encryption key, and the second ciphertext data are obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server;
a data encryption/decryption unit, configured to decrypt, with the service private key of the data transmission server, the second ciphertext data received by the data receiving unit to obtain the hidden key, and to encrypt the hidden key with the communication public key of a second data transmission client to obtain third ciphertext data;
a data forwarding unit, configured to send the first ciphertext data received by the data receiving unit and the third ciphertext data obtained by the data encryption/decryption unit to the second data transmission client.
A data transmission device, applied to a second data transmission client, comprising:
a data receiving unit, configured to receive first ciphertext data sent by a data transmission server and third ciphertext data obtained by the data transmission server from second ciphertext data; wherein the first ciphertext data are obtained by a first data transmission client encrypting the obtained communication data with a generated data encryption key and are sent to the data transmission server; the second ciphertext data are obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server, and are sent to the data transmission server; the third ciphertext data are obtained by the data transmission server decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key and encrypting the hidden key with the communication public key of the second data transmission client; and wherein the hidden key serves to protect the data encryption key against leakage at the data transmission server;
a first decryption unit, configured to decrypt, with the communication private key of the second data transmission client, the third ciphertext data received by the data receiving unit to obtain the hidden key;
a key recovery unit, configured to perform key recovery processing on the hidden key decrypted by the first decryption unit to obtain the data encryption key;
a second decryption unit, configured to decrypt, with the data encryption key restored by the key recovery unit, the first ciphertext data received by the data receiving unit to obtain the communication data.
A data transmission equipment, comprising a memory, a processor and a computer program stored in the memory, wherein the processor, when executing the computer program, implements the steps of the data transmission method provided by embodiments of the invention.
A computer storage medium storing an executable program which, when executed by a processor, implements the steps of the data transmission method provided by embodiments of the invention.
Embodiments of the invention have the following beneficial effects:
In embodiments of the invention, because the data transmission client converts the data encryption key into a hidden key, even if the data transmission server can decrypt the second ciphertext data with its service private key, it obtains only the hidden key; the hidden key is not the key that encrypted the communication data, so the data transmission server cannot decrypt the communication data. This avoids the easy leakage of communication data as far as possible and effectively guarantees its security. Moreover, data transmission clients need not maintain a large number of shared keys and can still achieve secure encrypted transmission of communication data, which significantly reduces key maintenance cost.
Description of the drawings
Fig. 1A is a schematic diagram of the system architecture of a data transmission system provided in an embodiment of the invention;
Fig. 1B is a schematic diagram of the system architecture of another data transmission system provided in an embodiment of the invention;
Fig. 2 is a flow diagram of the data transmission method provided in an embodiment of the invention;
Fig. 3 is a flow diagram of the data transmission method provided in an embodiment of the invention for the specific application scenario in which the data transmission system is a mailbox system and the sender sends file D from mailbox client A to mailbox client B and mailbox client C;
Fig. 4 is a schematic diagram of the functional structure of the data transmission device applied to a first data transmission client provided in an embodiment of the invention;
Fig. 5 is a schematic diagram of the functional structure of the data transmission device applied to a second data transmission client provided in an embodiment of the invention;
Fig. 6 is a schematic diagram of the functional structure of the data transmission device applied to a data transmission server provided in an embodiment of the invention;
Fig. 7 is a schematic diagram of the hardware structure of the data transmission equipment provided in an embodiment of the invention.
Detailed description of the embodiments
To solve the problems that the encrypted transmission method based on a digital envelope leaks communication data because the data transmission server can decrypt it, and that the encrypted transmission method based on a shared key leaks communication data easily and has a high key maintenance cost, the inventors recognized the following. A data transmission client can encrypt the communication data with a generated data encryption key to obtain first ciphertext data; perform key conversion on the generated data encryption key to obtain a hidden key; encrypt the hidden key with the service public key of the data transmission server to obtain second ciphertext data; and send the first ciphertext data and the second ciphertext data to the data transmission server. The data transmission server can decrypt the second ciphertext data with its service private key to obtain the hidden key, encrypt the hidden key with the communication public key of the target data transmission client to obtain third ciphertext data, and send the first ciphertext data and the third ciphertext data to the target data transmission client. The target data transmission client can decrypt the third ciphertext data with its communication private key to obtain the hidden key, perform key recovery processing on the hidden key to obtain the data encryption key, decrypt the first ciphertext data with the data encryption key, and display the resulting communication data to the user. In this way, because the data transmission client converts the data encryption key into a hidden key, even if the data transmission server can decrypt the second ciphertext data with its service private key, it obtains only the hidden key; the hidden key is not the key that encrypted the communication data, so the data transmission server cannot decrypt the communication data. This avoids the easy leakage of communication data as far as possible and effectively guarantees its security. Moreover, data transmission clients need not maintain a large number of shared keys and can still achieve secure encrypted transmission of communication data, which significantly reduces key maintenance cost.
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
To facilitate understanding of the present invention, some technical terms used in the embodiments are explained first.
Data transmission client: application software that can transmit data and interact with the user, such as a mailbox (e-mail) client, cloud storage software or communication software.
Data transmission server: a background device that maintains the data transmitted by users through data transmission clients and provides functions such as storage space to the data transmission clients.
Key management server: a background device that manages the communication public keys of the data transmission clients and the service public key of the data transmission server, and that configures transition keys for the data transmission clients.
Data transmission device: a terminal or server that supports wired and/or wireless communication, such as a mobile phone, tablet computer, personal digital assistant (PDA), computer, or any other device capable of performing the functions described here.
Data encryption key: a key generated at random by the data transmission client for encrypting communication data.
Transition key: a key, either built into the data transmission client or allocated to it by the key management server, that is used to convert the data encryption key.
Hidden key (rendered "secrete key" in the machine-translated claims): the key obtained by converting the data encryption key with the transition key; it is what protects the data encryption key from leakage at the data transmission server.
It should be noted that "first", "second" and the like are used herein only to distinguish similar objects and do not describe a particular order or sequence. Data so designated may be interchanged where appropriate, so that the embodiments described herein can be carried out in an order other than the one illustrated or described. In addition, "multiple" means two or more. "And/or" describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" can mean A alone, A and B together, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
Next, the data transmission system provided by an embodiment of the present invention is described in detail. As shown in FIG. 1A, the data transmission system 100 of the exemplary embodiment includes a first data transmission client 101, a data transmission server 102 and a second data transmission client 103, where:
the first data transmission client 101 obtains the communication data and generates a data encryption key; encrypts the communication data with the data encryption key to obtain first ciphertext data; performs key conversion on the data encryption key to obtain a hidden key, and encrypts the hidden key with the service public key of the data transmission server 102 to obtain second ciphertext data; and sends the first ciphertext data and the second ciphertext data to the data transmission server 102. The hidden key is what protects the data encryption key from leakage at the data transmission server 102;
the data transmission server 102 receives the first ciphertext data and the second ciphertext data; decrypts the second ciphertext data with its own service private key to obtain the hidden key; encrypts the hidden key with the communication public key of the second data transmission client 103 to obtain third ciphertext data; and sends the first ciphertext data and the third ciphertext data to the second data transmission client 103;
the second data transmission client 103 receives the first ciphertext data and the third ciphertext data; decrypts the third ciphertext data with its own communication private key to obtain the hidden key; performs key restoration on the hidden key to obtain the data encryption key; and decrypts the first ciphertext data with the data encryption key to obtain the communication data.
In the data transmission system 100 of the exemplary embodiment, the first data transmission client 101 performs the key conversion on the data encryption key with a built-in transition key to obtain the hidden key, and the second data transmission client 103 performs the key restoration on the hidden key with a built-in transition key to obtain the data encryption key.
As shown in FIG. 1B, the data transmission system 100 of the exemplary embodiment further includes a key management server 104, where:
the key management server 104 generates the transition key; encrypts the transition key with the communication public key of the first data transmission client 101 to obtain first conversion ciphertext data and sends it to the first data transmission client 101; and encrypts the transition key with the communication public key of the second data transmission client 103 to obtain second conversion ciphertext data and sends it to the second data transmission client 103;
the first data transmission client 101 decrypts the first conversion ciphertext data with its communication private key to obtain the transition key, and performs the key conversion on the data encryption key with the decrypted transition key to obtain the hidden key;
the second data transmission client 103 decrypts the second conversion ciphertext data with its communication private key to obtain the transition key, and performs the key restoration on the hidden key with the decrypted transition key to obtain the data encryption key.
In the data transmission system 100 of the exemplary embodiment, the first data transmission client 101 performs the key conversion by XOR-ing the data encryption key with the transition key to obtain the hidden key; or by OR-ing the data encryption key with the transition key to obtain the hidden key; or by AND-ing the data encryption key with the transition key to obtain a hidden AND key and hashing the hidden AND key to obtain the hidden key.
Correspondingly, the second data transmission client 103 performs the key restoration by XOR-ing the hidden key with the transition key to obtain the data encryption key; or by OR-ing the hidden key with the transition key to obtain the data encryption key; or by AND-ing the hidden key with the transition key to obtain a restored AND key and hashing the restored AND key to obtain the data encryption key.
In the data transmission system 100 of the exemplary embodiment, if the first data transmission client 101 determines that the communication data is addressed to multiple second data transmission clients, it further obtains the identification information of each of those second data transmission clients, generates a user list from the identification information of the target data transmission clients, and sends the user list together with the first ciphertext data and the second ciphertext data to the data transmission server 102.
The data transmission server 102 further receives the user list, the first ciphertext data and the second ciphertext data; decrypts the second ciphertext data with its service private key to obtain the hidden key; determines, from the identification information of the second data transmission clients recorded in the user list, the communication public key of each of those clients; encrypts the hidden key separately with each of those communication public keys to obtain the third ciphertext data for each second data transmission client; and sends each client's third ciphertext data together with the first ciphertext data to the corresponding second data transmission client.
Step 201: the first data transmission client 101 obtains the communication data.
Step 202: the first data transmission client 101 generates a data encryption key.
Step 203: the first data transmission client 101 encrypts the communication data with the data encryption key to obtain first ciphertext data.
Step 204: the first data transmission client 101 performs key conversion on the data encryption key to obtain a hidden key.
In a specific implementation, the first data transmission client 101 can convert the data encryption key with a transition key. In practice the transition key may be built into the first data transmission client 101 or issued by the key management server 104. The key management server 104 can issue the transition key to the first data transmission client 101 in, but not limited to, the following way: it generates the transition key, encrypts it with the communication public key of the first data transmission client 101 to obtain first conversion ciphertext data, and sends the first conversion ciphertext data to the first data transmission client 101.
Correspondingly, if the transition key is built into the first data transmission client 101, the client can read the built-in transition key directly when converting the data encryption key, and convert the data encryption key with that key to obtain the hidden key. If the transition key is issued by the key management server 104, the first data transmission client 101 first decrypts the first conversion ciphertext data sent by the key management server 104 with its communication private key to obtain the transition key, and then converts the data encryption key with the decrypted transition key to obtain the hidden key.
Specifically, when the first data transmission client 101 converts the data encryption key with the transition key to obtain the hidden key, it can use, but is not limited to, the following modes:
First mode: the first data transmission client 101 XORs the data encryption key with the transition key to obtain the hidden key.
Second mode: the first data transmission client 101 ORs the data encryption key with the transition key to obtain the hidden key.
Third mode: the first data transmission client 101 ANDs the data encryption key with the transition key to obtain a hidden AND key, and hashes the hidden AND key to obtain the hidden key.
Step 205: the first data transmission client 101 encrypts the hidden key with the service public key of the data transmission server 102 to obtain second ciphertext data.
Step 206: the first data transmission client 101 sends the first ciphertext data and the second ciphertext data to the data transmission server 102.
It should be noted that in the current digital-envelope encrypted transmission scheme, if the first data transmission client 101 needs to send the communication data to multiple second data transmission clients 103, it has to perform a separate public-key encryption operation for each second data transmission client 103. This obviously consumes a large amount of processing resources on the first data transmission client 101, and mass-sending performance is poor. In the data transmission method of the exemplary embodiment, when the first data transmission client 101 determines that the communication data is addressed to multiple second data transmission clients 103, it obtains the identification information of each of them, generates a user list from that identification information, and sends the user list together with the first ciphertext data and the second ciphertext data to the data transmission server 102, which then forwards the communication data according to the identification information of the second data transmission clients 103 recorded in the user list. In this way, even when the communication data is mass-sent, the first data transmission client 101 performs only one public-key encryption operation, and the data transmission server 102 forwards the communication data to each second data transmission client 103 recorded in the user list. This achieves the mass-sending of the communication data and improves mass-sending performance.
Step 207: the data transmission server 102 receives the first ciphertext data and the second ciphertext data sent by the first data transmission client 101.
Step 208: the data transmission server 102 decrypts the second ciphertext data with its own service private key to obtain the hidden key.
Step 209: the data transmission server 102 encrypts the hidden key with the communication public key of the second data transmission client 103 to obtain third ciphertext data.
Step 210: the data transmission server 102 sends the first ciphertext data and the third ciphertext data to the second data transmission client 103.
It should be noted that the data transmission server 102 may execute steps 207 to 209 immediately after receiving the first ciphertext data and the second ciphertext data sent by the first data transmission client 101. Alternatively, after receiving them it may first store the received first ciphertext data and second ciphertext data and only send a new-data notification to the second data transmission client 103, and then execute steps 207 to 209 when it receives the data retrieval message that the second data transmission client 103 sends according to the user's instruction. The specific manner is not particularly limited here.
Correspondingly, if the data transmission server 102 receives from the first data transmission client 101 a user list recording the identification information of multiple second data transmission clients 103, together with the first ciphertext data and the second ciphertext data, then after decrypting the second ciphertext data with its service private key to obtain the hidden key it can further determine, from the identification information of the second data transmission clients 103 recorded in the user list, the communication public key of each of those clients; encrypt the hidden key separately with each of those communication public keys to obtain the third ciphertext data for each second data transmission client 103; and send each client's third ciphertext data together with the first ciphertext data to the corresponding second data transmission client 103.
Step 211: the second data transmission client 103 receives the first ciphertext data and the third ciphertext data returned by the data transmission server 102.
Step 212: the second data transmission client 103 decrypts the third ciphertext data with its communication private key to obtain the hidden key.
Step 213: the second data transmission client 103 performs key restoration on the hidden key to obtain the data encryption key.
In a specific implementation, the second data transmission client 103 can restore the hidden key with a transition key. As before, the transition key may be built into the second data transmission client 103, in which case it is identical to the transition key built into the first data transmission client 101, or it may be issued by the key management server 104. Specifically, when the key management server 104 issues the transition key to the first data transmission client 101, it can also issue it to the second data transmission client 103 in, but not limited to, the following way: it encrypts the transition key with the communication public key of the second data transmission client 103 to obtain second conversion ciphertext data, and sends the second conversion ciphertext data to the second data transmission client 103. The second data transmission client 103 can then restore the hidden key using the transition key and the key restoration mode.
Correspondingly, if the transition key is built into the second data transmission client 103, the client can read the built-in transition key directly and restore the hidden key with it to obtain the data encryption key. If the transition key is issued by the key management server 104, the second data transmission client 103 first decrypts the second conversion ciphertext data sent by the key management server 104 with its communication private key to obtain the transition key, and then restores the hidden key with the decrypted transition key to obtain the data encryption key.
Specifically, when the second data transmission client 103 restores the hidden key with the transition key to obtain the data encryption key, it can use, but is not limited to, the following modes:
First mode: the second data transmission client 103 XORs the hidden key with the transition key to obtain the data encryption key.
Second mode: the second data transmission client 103 ORs the hidden key with the transition key to obtain the data encryption key.
Third mode: the second data transmission client 103 ANDs the hidden key with the transition key to obtain a restored AND key, and hashes the restored AND key to obtain the data encryption key.
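The three conversion modes, as listed for the first data transmission client 101 (first to third mode of the key conversion) and for the second data transmission client 103 (first to third mode of the key restoration), written out as running code with a round-trip check for each. This is an added example, not code from the patent. It assumes SHA-256 as the hash of the third mode, which the patent leaves unspecified, and SampleDEK and SampleTransition are constructed 32-byte keys. The check is the one a practitioner wants before choosing a mode: XOR is its own inverse, so the second client gets the data encryption key back exactly, whereas OR discards the bits where the transition key is set and a hash cannot be undone, so in those two modes the restored value is in general not the original data encryption key.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Mode selects one of the three key conversion modes the patent lists.
type Mode int

const (
	ModeXOR Mode = iota // hidden = KD xor K;    restore = hidden xor K
	ModeOR              // hidden = KD or K;     restore = hidden or K
	ModeAND             // hidden = H(KD and K); restore = H(hidden and K)
)

// bitwise applies op byte by byte over the common length of a and b.
func bitwise(a, b []byte, op func(x, y byte) byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = op(a[i], b[i])
	}
	return out
}

// Convert is the sender-side key conversion (step 204, first client 101) for the given mode.
// SHA-256 is an assumption for the hash of the third mode, which the patent does not name.
func Convert(mode Mode, dek, transition []byte) []byte {
	switch mode {
	case ModeXOR:
		return bitwise(dek, transition, func(x, y byte) byte { return x ^ y })
	case ModeOR:
		return bitwise(dek, transition, func(x, y byte) byte { return x | y })
	default:
		sum := sha256.Sum256(bitwise(dek, transition, func(x, y byte) byte { return x & y }))
		return sum[:]
	}
}

// Restore is the receiver-side key restoration (step 213, second client 103). The patent
// applies the same operation a second time (and, in the third mode, hashes again), so it is Convert.
func Restore(mode Mode, hidden, transition []byte) []byte {
	return Convert(mode, hidden, transition)
}

// RoundTrips reports whether Restore(Convert(dek)) returns dek under the given mode.
func RoundTrips(mode Mode, dek, transition []byte) bool {
	return bytes.Equal(Restore(mode, Convert(mode, dek, transition), transition), dek)
}

// Constructed sample keys: 32 bytes each, chosen so that KD and K set disjoint bits.
var (
	SampleDEK        = bytes.Repeat([]byte{0x0f}, 32)
	SampleTransition = bytes.Repeat([]byte{0xf0}, 32)
)

func main() {
	for _, m := range []Mode{ModeXOR, ModeOR, ModeAND} {
		fmt.Printf("mode %d: restored key equals KD = %v\n", m, RoundTrips(m, SampleDEK, SampleTransition))
	}
}
```

With the sample keys the hidden key is 0xff.. in both the XOR and the OR mode, but only the XOR restoration returns 0x0f..; the OR restoration returns 0xff.. again. The same holds for any keys in which the transition key has a bit set where the data encryption key does not.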
Step 214: the second data transmission client 103 decrypts the first ciphertext data with the data encryption key to obtain the communication data.
The data transmission method of the exemplary embodiment is now described in further detail with the following concrete application scenario: the data transmission system is a mailbox system, and a sender uses mailbox client A to mass-send file D to mailbox client B and mailbox client C. As shown in FIG. 3, the flow of the data transmission method of the exemplary embodiment is as follows:
Step 301: mailbox client A, according to the sender's send instruction, obtains the file D to be sent and the recipient identifiers "mailbox B and mailbox C" corresponding to file D.
Step 302: mailbox client A generates a data encryption key KD.
Step 303: mailbox client A encrypts file D with the data encryption key KD to obtain first ciphertext data EncD.
Step 304: mailbox client A XORs the data encryption key KD with the transition key K to obtain a hidden key KD1.
The transition key K may be built into mailbox client A or issued by the key management server; the specific manner is not repeated here.
Step 305: mailbox client A encrypts the hidden key KD1 with the service public key SKpub of the mailbox server to obtain second ciphertext data EncKD1.
Step 306: mailbox client A generates a recipient list from the recipient identifiers "mailbox B and mailbox C".
Step 307: mailbox client A sends the first ciphertext data EncD, the second ciphertext data EncKD1 and the recipient list to the mailbox server.
Step 308: the mailbox server stores the received first ciphertext data EncD, second ciphertext data EncKD1 and recipient list.
Step 309: the mailbox server, according to the recipient identifiers "mailbox B and mailbox C" recorded in the recipient list, sends a new-mail notification to mailbox client B and to mailbox client C.
Step 310: if mailbox client B and/or mailbox client C receives a file-view instruction from the recipient, it sends a file retrieval request to the mailbox server.
Step 311: when the mailbox server receives the file retrieval request sent by mailbox client B and/or mailbox client C, it decrypts the second ciphertext data EncKD1 with the service private key SKpri to obtain the hidden key KD1.
Step 312: the mailbox server encrypts the hidden key KD1 with the communication public key CKpub_B of mailbox client B to obtain third ciphertext data EncKDB, and/or encrypts the hidden key KD1 with the communication public key CKpub_C of mailbox client C to obtain third ciphertext data EncKDC.
Step 313: the mailbox server sends the first ciphertext data EncD and the third ciphertext data EncKDB to mailbox client B, and/or sends the first ciphertext data EncD and EncKDC to mailbox client C.
Step 314: mailbox client B decrypts the third ciphertext data EncKDB with its communication private key CKpri_B to obtain the hidden key KD1, and/or mailbox client C decrypts the third ciphertext data EncKDC with its communication private key CKpri_C to obtain the hidden key KD1.
Step 315: mailbox client B and/or mailbox client C XORs the hidden key KD1 with the transition key K to obtain the data encryption key KD.
The transition key K may be built into mailbox client B and/or mailbox client C, or issued by the key management server; the specific manner is not repeated here.
Step 316: mailbox client B and/or mailbox client C decrypts the first ciphertext data EncD with the data encryption key KD to obtain file D, and displays it to the recipient.
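The mailbox scenario of steps 301 to 316 carried through end to end, with the three roles (mailbox client A, mailbox server, mailbox clients B and C) as separate functions. This is an added example and not code from the patent. Its assumptions: RSA-OAEP for every public-key operation on KD1, AES-256-GCM for EncD, the XOR conversion mode, and a 32-byte transition key K already shared by A, B and C (the patent allows it to be built in or issued by the key management server; that distribution step is not shown). The names Send, Forward, Receive and RunMailboxScenario and the sample file D are constructed for this example. Forward performs the server's single unwrap of KD1 and one wrap per listed recipient, which is where the mass-send saving described above sits, and it never handles KD itself. Receive fails, rather than returning garbage, when K is wrong or EncD has been altered, because the AEAD tag check fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce, prepended to EncD
// must panics on setup failures (key generation, RNG) that no protocol party could recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// newKey makes an RSA key pair: the server's service key pair or a client's communication key pair.
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// gcm builds the AEAD for file D; every caller passes a 32-byte key, so neither constructor can fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// wrap and unwrap are the public-key operations of steps 305, 311, 312 and 314; RSA-OAEP is assumed.
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func unwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// xorKeys is the XOR conversion (step 304) and restoration (step 315); both inputs are 32 bytes here.
func xorKeys(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Send runs steps 302 to 305 on mailbox client A: one AEAD seal of file D under a fresh KD and one
// public-key wrap of KD1 = KD xor K under SKpub, however many recipients the list names.
func Send(serverPub *rsa.PublicKey, transitionK, fileD []byte) (encD, encKD1 []byte, err error) {
	kd := random(32)
	nonce := random(nonceSize)
	encKD1, err = wrap(serverPub, xorKeys(kd, transitionK))
	return gcm(kd).Seal(nonce, nonce, fileD, nil), encKD1, err
}

// Forward runs steps 311 to 313 on the mailbox server: unwrap KD1 once with SKpri, then re-wrap it under
// each recipient's communication public key. The server handles KD1 only; without K it never holds KD.
func Forward(serverPriv *rsa.PrivateKey, encKD1 []byte, recipients map[string]*rsa.PublicKey) (map[string][]byte, error) {
	kd1, err := unwrap(serverPriv, encKD1)
	if err != nil {
		return nil, err
	}
	third := map[string][]byte{}
	for name, pub := range recipients {
		if third[name], err = wrap(pub, kd1); err != nil {
			return nil, err
		}
	}
	return third, nil
}

// Receive runs steps 314 to 316 on a recipient: unwrap KD1 with its own communication private key, XOR
// with K to get KD back, then open EncD. A wrong K or a tampered EncD fails GCM authentication here.
func Receive(priv *rsa.PrivateKey, transitionK, encD, encKDx []byte) ([]byte, error) {
	kd1, err := unwrap(priv, encKDx)
	if err != nil {
		return nil, err
	}
	if len(kd1) != len(transitionK) || len(transitionK) != 32 || len(encD) < nonceSize {
		return nil, fmt.Errorf("malformed hidden key, transition key or first ciphertext data")
	}
	return gcm(xorKeys(kd1, transitionK)).Open(nil, encD[:nonceSize], encD[nonceSize:], nil)
}

// RunMailboxScenario replays the scenario with constructed data (A mass-sends file D to B and C)
// and returns what each recipient recovered, keyed by mailbox identifier.
func RunMailboxScenario() (map[string][]byte, error) {
	server, b, c := newKey(), newKey(), newKey()
	transitionK := random(32) // K shared by A, B and C (built in, or issued by the key management server)
	encD, encKD1, err := Send(&server.PublicKey, transitionK, []byte("file D: constructed sample attachment"))
	if err != nil {
		return nil, err
	}
	// The recipient list as the server resolves it against its directory of communication public keys.
	third, err := Forward(server, encKD1, map[string]*rsa.PublicKey{"mailbox B": &b.PublicKey, "mailbox C": &c.PublicKey})
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for name, k := range map[string]*rsa.PrivateKey{"mailbox B": b, "mailbox C": c} {
		if out[name], err = Receive(k, transitionK, encD, third[name]); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() { fmt.Println(RunMailboxScenario()) }
```

Running it with go run prints the map of recovered file contents for mailbox B and mailbox C and a nil error. Note that EncD is sealed once and shared by all recipients, exactly as in steps 303 and 313; only the wrap of KD1 is repeated per recipient, and on the server rather than on client A.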
Based on the above embodiment, an embodiment of the present invention provides a data transmission apparatus applied to the first data transmission client 101. As shown in FIG. 4, the data transmission apparatus 400 of the exemplary embodiment includes at least:
a key conversion unit 403, for performing key conversion on the data encryption key generated by the first encryption unit 402 to obtain a hidden key, where the hidden key protects the data encryption key from leakage at the data transmission server 102.
In the data transmission apparatus 400 of the exemplary embodiment, when performing key conversion on the data encryption key to obtain the hidden key, the key conversion unit 403 is configured to: read the built-in transition key; and perform key conversion on the data encryption key with the transition key to obtain the hidden key.
In the data transmission apparatus 400 of the exemplary embodiment, when performing key conversion on the data encryption key to obtain the hidden key, the key conversion unit 403 is configured to: decrypt, with the communication private key of the first data transmission client 101, the first conversion ciphertext data sent by the key management server 104 to obtain the transition key, where the first conversion ciphertext data is obtained by the key management server 104 encrypting the generated transition key with the communication public key of the first data transmission client 101; and perform key conversion on the data encryption key with the transition key to obtain the hidden key.
In the data transmission apparatus 400 of the exemplary embodiment, when performing key conversion on the data encryption key with the transition key to obtain the hidden key, the key conversion unit 403 is configured to: XOR the data encryption key with the transition key to obtain the hidden key; or OR the data encryption key with the transition key to obtain the hidden key; or AND the data encryption key with the transition key to obtain a hidden AND key and hash the hidden AND key to obtain the hidden key.
The data transmission apparatus 400 of the exemplary embodiment further includes a list generation unit 406, where
In addition, an embodiment of the present invention also provides a data transmission apparatus applied to the second data transmission client 103. As shown in FIG. 5, the data transmission apparatus 500 of the exemplary embodiment includes at least:
In the data transmission apparatus 500 of the exemplary embodiment, when performing key restoration on the hidden key to obtain the data encryption key, the key restoration unit 503 is configured to: read the built-in transition key; and perform key restoration on the hidden key with the transition key to obtain the data encryption key.
In the data transmission apparatus 500 of the exemplary embodiment, when performing key restoration on the hidden key to obtain the data encryption key, the key restoration unit 503 is configured to: decrypt, with the communication private key of the second data transmission client 103, the second conversion ciphertext data sent by the key management server 104 to obtain the transition key, where the second conversion ciphertext data is obtained by the key management server 104 encrypting the generated transition key with the communication public key of the second data transmission client 103; and perform key restoration on the hidden key with the transition key to obtain the data encryption key.
In the data transmission apparatus 500 of the exemplary embodiment, when performing key restoration on the hidden key to obtain the data encryption key, the key restoration unit 503 is configured to: XOR the hidden key with the transition key to obtain the data encryption key; or OR the hidden key with the transition key to obtain the data encryption key; or AND the hidden key with the transition key to obtain a restored AND key and hash the restored AND key to obtain the data encryption key.
In addition, an embodiment of the present invention also provides a data transmission apparatus applied to the data transmission server 102. As shown in FIG. 6, the data transmission apparatus 600 of the exemplary embodiment includes at least:
a data encryption and decryption unit 602, for decrypting, with the service private key of the data transmission server 102, the second ciphertext data received by the data receiving unit 601 to obtain the hidden key, and for encrypting the hidden key with the communication public key of the second data transmission client 103 to obtain third ciphertext data.
In the data transmission apparatus provided by the embodiment, if the data receiving unit 601 receives from the first data transmission client 101 a user list recording the identification information of multiple second data transmission clients 103, together with the first ciphertext data and the second ciphertext data, then the data encryption and decryption unit 602 is further configured to determine, from the identification information of the second data transmission clients 103 recorded in the user list, the communication public key of each of those clients, and to encrypt the hidden key separately with each of those communication public keys to obtain the third ciphertext data for each second data transmission client 103.
It should be noted that, since the principle by which the above three data transmission apparatuses of the exemplary embodiment solve the technical problem is similar to that of the data transmission method of the exemplary embodiment, their implementation can refer to the implementation of the data transmission method, and repeated details are not described again.
Having described the data transmission system, method and related apparatuses of the exemplary embodiment, the data transmission device of the exemplary embodiment is introduced briefly next.
As shown in FIG. 7, the data transmission device 700 of the exemplary embodiment may include a processor 71, a memory 72 and a computer program stored on the memory 72; when the processor 71 executes the computer program, it carries out the steps of the data transmission method of the exemplary embodiment.
It should be noted that the data transmission device 700 shown in FIG. 7 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present invention.
The data transmission device 700 of the exemplary embodiment may also include a bus 73 connecting the different components (including the processor 71 and the memory 72). The bus 73 represents one or more of several kinds of bus structures, including a memory bus, a peripheral bus, a local bus and so on.
The data transmission device 700 may also communicate with one or more external devices 74 (such as a keyboard or remote control), with one or more devices that enable a user to interact with the data transmission device 700, and/or with any device (such as a router or modem) that enables the data transmission device 700 to communicate with one or more other data transmission devices 700. Such communication may take place through an input/output (I/O) interface 75. The data transmission device 700 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 76. As shown in FIG. 7, the network adapter 76 communicates with the other modules of the data transmission device 700 through the bus 73. It should be understood that, although not shown in FIG. 7, other hardware and/or software modules may be used in conjunction with the data transmission device 700, including but not limited to microcode, device drivers, redundant processors, external disk drive arrays, RAID (Redundant Arrays of Independent Disks) subsystems, tape drives and data backup storage subsystems.
The non-volatile computer readable storage medium storing program for executing of exemplary embodiment of the invention is introduced below.The present invention
Embodiment provides a kind of non-volatile computer readable storage medium storing program for executing, which is stored with
Computer executable instructions, the executable code processor execute the transmission side data for realizing exemplary embodiment of the invention
The step of method.Specifically, which can be built in data transmission set 700, in this way, data transmission set 700
It can be by executing the step of built-in executable program realizes the data transmission method of exemplary embodiment of the invention.
In addition, the data transmission method of exemplary embodiment of the invention is also implemented as a kind of program product, the journey
Sequence product includes program code, and when the program product can be run on data transmission set 700, the program code is for making
Data transmission set 700 executes the step of data transmission method of exemplary embodiment of the invention.
The program product provided in the embodiment of the present invention may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more conductors, a portable disk, a hard disk, RAM, ROM, erasable programmable read-only memory (EPROM), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product provided in the embodiment of the present invention may also take the form of a CD-ROM that includes program code and runs on a computing device. The program product is not limited thereto, however: in embodiments of the present invention a readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by, or in connection with, an instruction execution system, apparatus or device. A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, etc., or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's device, partly on the user's device, as a stand-alone software package, partly on the user's device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, such as a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more of the units described above may be embodied in one unit; conversely, the features and functions of one unit described above may be further divided and embodied by multiple units. Furthermore, although the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed, to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be decomposed into multiple steps.
Although preferred embodiments of the present invention have been described, those skilled in the art may make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention. Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of those embodiments. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to encompass them.
Claims (29)
1. A data transmission system, characterized in that it comprises a first data transmission client, a data transmission server and a second data transmission client, wherein:
the first data transmission client is configured to obtain communication data and generate a data encryption key; encrypt the communication data with the data encryption key to obtain first ciphertext data; perform key conversion processing on the data encryption key to obtain a hidden key, and encrypt the hidden key with the service public key of the data transmission server to obtain second ciphertext data; and send the first ciphertext data and the second ciphertext data to the data transmission server; wherein the hidden key is used to protect the data encryption key against leakage at the data transmission server;
the data transmission server is configured to receive the first ciphertext data and the second ciphertext data; decrypt the second ciphertext data with the service private key of the data transmission server to obtain the hidden key, and encrypt the hidden key with the communication public key of the second data transmission client to obtain third ciphertext data; and send the first ciphertext data and the third ciphertext data to the second data transmission client;
the second data transmission client is configured to receive the first ciphertext data and the third ciphertext data; decrypt the third ciphertext data with the communication private key of the second data transmission client to obtain the hidden key; perform key recovery processing on the hidden key to obtain the data encryption key, and decrypt the first ciphertext data with the data encryption key to obtain the communication data.
2. The data transmission system of claim 1, characterized in that:
the first data transmission client is configured to perform the key conversion processing on the data encryption key based on a built-in transition key to obtain the hidden key;
the second data transmission client is configured to perform the key recovery processing on the hidden key based on a built-in transition key to obtain the data encryption key.
3. The data transmission system of claim 1, characterized in that it further comprises a key management server, wherein:
the key management server is configured to generate a transition key; encrypt the transition key with the communication public key of the first data transmission client to obtain first conversion ciphertext data, and send the first conversion ciphertext data to the first data transmission client; and encrypt the transition key with the communication public key of the second data transmission client to obtain second conversion ciphertext data, and send the second conversion ciphertext data to the second data transmission client;
the first data transmission client is configured to decrypt the first conversion ciphertext data with the communication private key of the first data transmission client to obtain the transition key, and, based on the decrypted transition key, perform the key conversion processing on the data encryption key to obtain the hidden key;
the second data transmission client is configured to decrypt the second conversion ciphertext data with the communication private key of the second data transmission client to obtain the transition key, and, based on the decrypted transition key, perform the key recovery processing on the hidden key to obtain the data encryption key.
4. The data transmission system of claim 3, characterized in that:
the first data transmission client is configured to XOR the data encryption key with the transition key to obtain the hidden key; or to OR the data encryption key with the transition key to obtain the hidden key; or to AND the data encryption key with the transition key to obtain a hidden AND key, and hash the hidden AND key to obtain the hidden key;
the second data transmission client is configured to XOR the hidden key with the transition key to obtain the data encryption key; or to OR the hidden key with the transition key to obtain the data encryption key; or to AND the hidden key with the transition key to obtain a restored AND key, and hash the restored AND key to obtain the data encryption key.
5. The data transmission system of any one of claims 1-4, characterized in that:
the first data transmission client is further configured, upon determining that the communication data corresponds to multiple second data transmission clients, to obtain the identification information corresponding to each of the multiple second data transmission clients, generate a user list from that identification information, and send the user list, the first ciphertext data and the second ciphertext data to the data transmission server;
the data transmission server is further configured to receive the user list, the first ciphertext data and the second ciphertext data; after decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key, determine, from the identification information of the multiple second data transmission clients recorded in the user list, the communication public key corresponding to each of the multiple second data transmission clients, and encrypt the hidden key separately with each such communication public key to obtain the third ciphertext data corresponding to each of the multiple second data transmission clients; and send the third ciphertext data corresponding to each second data transmission client, together with the first ciphertext data, to that second data transmission client.
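The three-party flow of claims 1 and 3, extended to the multi-recipient user list of claim 5, as an added example that is not the patent's own code. It uses only the Python standard library, so the asymmetric envelope is textbook RSA without padding and the data cipher is an HMAC-SHA256 keystream; both are toys standing in for RSA-OAEP (or HPKE) and AES-GCM, and every class, function and key name here is this example's own assumption. The point the code makes checkable is the one claim 1 turns on: the data transmission server decrypts the second ciphertext but holds only the hidden key (the page's "secrete key"), and turning that back into the data encryption key requires the transition key, which the server is never given.

```python
"""Added example, not the patent's code: claims 1, 3 and 5 with stdlib-only TOY
primitives. Raw textbook RSA stands in for RSA-OAEP/HPKE and an HMAC-SHA256
keystream for AES-GCM; neither is safe to reuse. All names are assumptions."""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # data encryption key (DEK) and transition key (TK): 256 bits each

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, enough for a demo key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Toy RSA key pair ((n, e), (n, d)); a 512-bit modulus is a demo size only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_encrypt(pub, msg):
    """Raw RSA, no padding (toy): msg must be shorter than the modulus."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    assert m < n
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(priv, ct, length):
    n, d = priv
    return pow(int.from_bytes(ct, "big"), d, n).to_bytes(length, "big")

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with HMAC-SHA256(key, block counter); no integrity."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def xor_keys(a, b):
    """Claim 4, XOR variant: hidden = DEK ^ TK, and DEK = hidden ^ TK on recovery."""
    return bytes(x ^ y for x, y in zip(a, b))

class Party:
    """A client or the server with one toy RSA key pair."""
    def __init__(self, name):
        self.name = name
        self.pub, self.priv = rsa_keygen()

def run_protocol(plaintext, recipient_names):
    """One message from the first client, via the server, to every second client on
    the user list of claim 5. Returns what each party ended up holding."""
    server, sender = Party("server"), Party("client1")
    recipients = {name: Party(name) for name in recipient_names}
    # Claim 3: the key management server generates TK and envelopes it to each
    # client under that client's communication public key.
    tk = secrets.token_bytes(KEY_LEN)
    def tk_for(p):
        return rsa_decrypt(p.priv, rsa_encrypt(p.pub, tk), KEY_LEN)
    # Claim 1, first client: DEK -> first ciphertext; DEK ^ TK -> hidden key -> second ciphertext.
    dek = secrets.token_bytes(KEY_LEN)
    c1 = stream_xor(dek, plaintext)
    c2 = rsa_encrypt(server.pub, xor_keys(dek, tk_for(sender)))
    # Claims 1 and 5, server: opens C2 yet holds only the hidden key, which it
    # re-envelopes under each recipient's communication public key as that recipient's C3.
    server_view = rsa_decrypt(server.priv, c2, KEY_LEN)
    c3 = {name: rsa_encrypt(p.pub, server_view) for name, p in recipients.items()}
    # Claims 1 and 3, each second client: open its C3, recover DEK with its own TK, decrypt C1.
    recovered = {}
    for name, p in recipients.items():
        hidden = rsa_decrypt(p.priv, c3[name], KEY_LEN)
        recovered[name] = stream_xor(xor_keys(hidden, tk_for(p)), c1)
    return {"dek": dek, "tk": tk, "server_saw": server_view, "recovered": recovered}

if __name__ == "__main__":
    r = run_protocol(b"constructed sample: transfer order 2018-10-26", ["client2a", "client2b"])
    print("server learned the DEK:", r["server_saw"] == r["dek"])
    print("recipients decrypted:", {k: v.decode() for k, v in r["recovered"].items()})
```

The example uses the per-distribution transition key of claim 3 rather than the built-in key of claim 2 deliberately: with a built-in key, the server's inability to recover the data encryption key rests on one static secret embedded in every client, so extracting it from a single client binary strips the protection from every message the server has ever relayed. Either way the hidden key is only as secret as the transition key, and the server must never be in the transition key's distribution list.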
6. A data transmission method, applied to a first data transmission client, characterized in that it comprises:
obtaining communication data and generating a data encryption key;
encrypting the communication data with the data encryption key to obtain first ciphertext data;
performing key conversion processing on the data encryption key to obtain a hidden key, and encrypting the hidden key with the service public key of a data transmission server to obtain second ciphertext data, wherein the hidden key is used to protect the data encryption key against leakage at the data transmission server;
sending the first ciphertext data and the second ciphertext data to the data transmission server.
7. The data transmission method of claim 6, characterized in that performing key conversion processing on the data encryption key to obtain a hidden key comprises:
reading a built-in transition key;
performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
8. The data transmission method of claim 6, characterized in that performing key conversion processing on the data encryption key to obtain a hidden key comprises:
decrypting, with the communication private key of the first data transmission client, first conversion ciphertext data sent by a key management server to obtain a transition key, wherein the first conversion ciphertext data is obtained by the key management server encrypting the generated transition key with the communication public key of the first data transmission client;
performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
9. The data transmission method of claim 8, characterized in that performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key comprises:
XORing the data encryption key with the transition key to obtain the hidden key; or
ORing the data encryption key with the transition key to obtain the hidden key; or
ANDing the data encryption key with the transition key to obtain a hidden AND key, and hashing the hidden AND key to obtain the hidden key.
10. The data transmission method of any one of claims 6-9, characterized in that, if it is determined that the communication data corresponds to multiple second data transmission clients, the method further comprises:
obtaining the identification information corresponding to each of the multiple second data transmission clients;
generating a user list from the identification information of the multiple second data transmission clients;
sending the user list, the first ciphertext data and the second ciphertext data to the data transmission server.
11. A data transmission method, applied to a data transmission server, characterized in that it comprises:
receiving first ciphertext data and second ciphertext data sent by a first data transmission client, wherein the first ciphertext data is obtained by the first data transmission client encrypting the obtained communication data with a generated data encryption key, and the second ciphertext data is obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server;
decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key, and encrypting the hidden key with the communication public key of a second data transmission client to obtain third ciphertext data;
sending the first ciphertext data and the third ciphertext data to the second data transmission client.
12. The data transmission method of claim 11, characterized in that, if a user list recording the identification information of multiple second data transmission clients is received from the first data transmission client together with the first ciphertext data and the second ciphertext data, the method further comprises:
determining, from the identification information of the multiple second data transmission clients recorded in the user list, the communication public key corresponding to each of the multiple second data transmission clients;
encrypting the hidden key separately with the communication public key of each of the multiple second data transmission clients to obtain the third ciphertext data corresponding to each of the multiple second data transmission clients;
sending the third ciphertext data corresponding to each second data transmission client, together with the first ciphertext data, to that second data transmission client.
13. A data transmission method, applied to a second data transmission client, characterized in that it comprises:
receiving first ciphertext data sent by a data transmission server and third ciphertext data obtained by the data transmission server from second ciphertext data, wherein the first ciphertext data is obtained by a first data transmission client encrypting the obtained communication data with a generated data encryption key and is sent to the data transmission server; the second ciphertext data is obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and then encrypting the hidden key with the service public key of the data transmission server, and is sent to the data transmission server; the third ciphertext data is obtained by the data transmission server decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key and encrypting the hidden key with the communication public key of the second data transmission client; and the hidden key is used to protect the data encryption key against leakage at the data transmission server;
decrypting the third ciphertext data with the communication private key of the second data transmission client to obtain the hidden key;
performing key recovery processing on the hidden key to obtain the data encryption key, and decrypting the first ciphertext data with the data encryption key to obtain the communication data.
14. The data transmission method of claim 13, characterized in that performing key recovery processing on the hidden key to obtain the data encryption key comprises:
reading a built-in transition key;
performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
15. The data transmission method of claim 13, characterized in that performing key recovery processing on the hidden key to obtain the data encryption key comprises:
decrypting, with the communication private key of the second data transmission client, second conversion ciphertext data sent by a key management server to obtain a transition key, wherein the second conversion ciphertext data is obtained by the key management server encrypting the generated transition key with the communication public key of the second data transmission client;
performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
16. The data transmission method of claim 14 or 15, characterized in that performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key comprises:
XORing the hidden key with the transition key to obtain the data encryption key; or
ORing the hidden key with the transition key to obtain the data encryption key; or
ANDing the hidden key with the transition key to obtain a restored AND key, and hashing the restored AND key to obtain the data encryption key.
17. A data transmission apparatus, applied to a first data transmission client, characterized in that it comprises:
a data acquisition unit, configured to obtain communication data;
a first encryption unit, configured to generate a data encryption key and encrypt the communication data obtained by the data acquisition unit with the data encryption key to obtain first ciphertext data;
a key conversion unit, configured to perform key conversion processing on the data encryption key generated by the first encryption unit to obtain a hidden key, wherein the hidden key is used to protect the data encryption key against leakage at a data transmission server;
a second encryption unit, configured to encrypt the hidden key converted by the key conversion unit with the service public key of the data transmission server to obtain second ciphertext data;
a data sending unit, configured to send the first ciphertext data obtained by the first encryption unit and the second ciphertext data obtained by the second encryption unit to the data transmission server.
18. The data transmission apparatus of claim 17, characterized in that, when performing key conversion processing on the data encryption key to obtain the hidden key, the key conversion unit is configured to:
read a built-in transition key;
perform key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
19. The data transmission apparatus of claim 17, characterized in that, when performing key conversion processing on the data encryption key to obtain the hidden key, the key conversion unit is configured to:
decrypt, with the communication private key of the first data transmission client, first conversion ciphertext data sent by a key management server to obtain a transition key, wherein the first conversion ciphertext data is obtained by the key management server encrypting the generated transition key with the communication public key of the first data transmission client;
perform key conversion processing on the data encryption key based on the transition key to obtain the hidden key.
20. The data transmission apparatus of claim 19, characterized in that, when performing key conversion processing on the data encryption key based on the transition key to obtain the hidden key, the key conversion unit is configured to:
XOR the data encryption key with the transition key to obtain the hidden key; or
OR the data encryption key with the transition key to obtain the hidden key; or
AND the data encryption key with the transition key to obtain a hidden AND key, and hash the hidden AND key to obtain the hidden key.
21. The data transmission apparatus of any one of claims 17-20, characterized in that it further comprises a list generation unit, wherein:
the list generation unit is configured, upon determining that the communication data corresponds to multiple second data transmission clients, to obtain the identification information corresponding to each of the multiple second data transmission clients and generate a user list from that identification information;
the data sending unit is configured to send the user list, the first ciphertext data and the second ciphertext data to the data transmission server.
22. A data transmission apparatus, applied to a data transmission server, characterized in that it comprises:
a data receiving unit, configured to receive first ciphertext data and second ciphertext data sent by a first data transmission client, wherein the first ciphertext data is obtained by the first data transmission client encrypting the obtained communication data with a generated data encryption key, and the second ciphertext data is obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and encrypting the hidden key with the service public key of the data transmission server;
a data encryption/decryption unit, configured to decrypt the second ciphertext data received by the data receiving unit with the service private key of the data transmission server to obtain the hidden key, and to encrypt the hidden key with the communication public key of a second data transmission client to obtain third ciphertext data;
a data forwarding unit, configured to send the first ciphertext data received by the data receiving unit and the third ciphertext data obtained by the data encryption/decryption unit to the second data transmission client.
23. The data transmission apparatus of claim 22, characterized in that, if a user list recording the identification information of multiple second data transmission clients is received from the first data transmission client together with the first ciphertext data and the second ciphertext data:
the data encryption/decryption unit is further configured to determine, from the identification information of the multiple second data transmission clients recorded in the user list, the communication public key corresponding to each of the multiple second data transmission clients, and to encrypt the hidden key separately with each such communication public key to obtain the third ciphertext data corresponding to each of the multiple second data transmission clients;
the data forwarding unit is further configured to send the third ciphertext data corresponding to each second data transmission client, together with the first ciphertext data, to that second data transmission client.
24. A data transmission apparatus, applied to a second data transmission client, characterized in that it comprises:
a data receiving unit, configured to receive first ciphertext data sent by a data transmission server and third ciphertext data obtained by the data transmission server from second ciphertext data, wherein the first ciphertext data is obtained by a first data transmission client encrypting the obtained communication data with a generated data encryption key and is sent to the data transmission server; the second ciphertext data is obtained by the first data transmission client performing key conversion processing on the data encryption key to obtain a hidden key and then encrypting the hidden key with the service public key of the data transmission server, and is sent to the data transmission server; the third ciphertext data is obtained by the data transmission server decrypting the second ciphertext data with the service private key of the data transmission server to obtain the hidden key and encrypting the hidden key with the communication public key of the second data transmission client; and the hidden key is used to protect the data encryption key against leakage at the data transmission server;
a first decryption unit, configured to decrypt the third ciphertext data received by the data receiving unit with the communication private key of the second data transmission client to obtain the hidden key;
a key recovery unit, configured to perform key recovery processing on the hidden key decrypted by the first decryption unit to obtain the data encryption key;
a second decryption unit, configured to decrypt the first ciphertext data received by the data receiving unit with the data encryption key restored by the key recovery unit to obtain the communication data.
25. The data transmission apparatus of claim 24, characterized in that, when performing key recovery processing on the hidden key to obtain the data encryption key, the key recovery unit is configured to:
read a built-in transition key;
perform key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
26. The data transmission apparatus of claim 24, characterized in that, when performing key recovery processing on the hidden key to obtain the data encryption key, the key recovery unit is configured to:
decrypt, with the communication private key of the second data transmission client, second conversion ciphertext data sent by a key management server to obtain a transition key, wherein the second conversion ciphertext data is obtained by the key management server encrypting the generated transition key with the communication public key of the second data transmission client;
perform key recovery processing on the hidden key based on the transition key to obtain the data encryption key.
27. The data transmission apparatus of claim 25 or 26, characterized in that, when performing key recovery processing on the hidden key based on the transition key to obtain the data encryption key, the key recovery unit is configured to:
XOR the hidden key with the transition key to obtain the data encryption key; or
OR the hidden key with the transition key to obtain the data encryption key; or
AND the hidden key with the transition key to obtain a restored AND key, and hash the restored AND key to obtain the data encryption key.
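The three key conversion and key recovery variants of claims 4, 9, 16, 20 and 27, as an added example that is not the patent's own code; function names are this example's own. Only the XOR variant round-trips: OR and AND are not invertible bit operations, and a hash on top of AND cannot be undone by hashing again, so for those two variants the recovery step as the claims state it does not return the data encryption key. OR hiding also leaks to the data transmission server: every 0 bit in the hidden key can only come from a 0 DEK bit, so the server learns those DEK bits with no transition key at all. The checks below make each point concrete on constructed inputs.

```python
"""Added example, not the patent's code: the key conversion / key recovery
variants of claims 4, 9, 16, 20 and 27, tested for whether recovery returns the
data encryption key (DEK). Keys are 32-byte strings; all names are assumptions."""
import hashlib
import secrets

KEY_LEN = 32

def hide_xor(dek, tk):
    """Variant 1: hidden = DEK XOR TK. XOR is an involution, so recovery is the same op."""
    return bytes(a ^ b for a, b in zip(dek, tk))

recover_xor = hide_xor

def hide_or(dek, tk):
    """Variant 2: hidden = DEK OR TK. Every bit set in TK overwrites the DEK bit."""
    return bytes(a | b for a, b in zip(dek, tk))

def recover_or(hidden, tk):
    """The claims' recovery step for variant 2: hidden OR TK."""
    return bytes(a | b for a, b in zip(hidden, tk))

def hide_and_hash(dek, tk):
    """Variant 3: hidden = H(DEK AND TK). Bits clear in TK erase DEK bits; then the hash is one-way."""
    return hashlib.sha256(bytes(a & b for a, b in zip(dek, tk))).digest()

def recover_and_hash(hidden, tk):
    """The claims' recovery step for variant 3: H(hidden AND TK)."""
    return hashlib.sha256(bytes(a & b for a, b in zip(hidden, tk))).digest()

VARIANTS = {
    "xor": (hide_xor, recover_xor),
    "or": (hide_or, recover_or),
    "and_hash": (hide_and_hash, recover_and_hash),
}

def round_trip_rate(variant, trials=64):
    """Fraction of random (DEK, TK) pairs for which recover(hide(DEK, TK), TK) == DEK."""
    hide, recover = VARIANTS[variant]
    hits = 0
    for _ in range(trials):
        dek, tk = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
        hits += recover(hide(dek, tk), tk) == dek
    return hits / trials

def or_collision(tk):
    """Two distinct DEKs with identical OR-hidden keys under tk, or None when tk is
    all zeros (then OR is the identity and the 'hidden' key is the DEK itself)."""
    for i, byte in enumerate(tk):
        if byte:
            lowest_set_bit = byte & -byte
            dek_a = bytes(KEY_LEN)
            dek_b = bytes(i) + bytes([lowest_set_bit]) + bytes(KEY_LEN - i - 1)
            return dek_a, dek_b
    return None

def or_bits_leaked_to_server(dek, tk):
    """A 0 bit in an OR-hidden key needs DEK bit 0 and TK bit 0, so the server,
    which decrypts the second ciphertext, learns each such DEK bit without TK.
    Returns how many of the 256 DEK bits it learns this way."""
    hidden = hide_or(dek, tk)
    return sum(8 - bin(b).count("1") for b in hidden)

if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:9s} round-trip rate over random keys: {round_trip_rate(name):.2f}")
    tk = bytes([0x10]) + bytes(KEY_LEN - 1)  # constructed: a single bit set in TK
    a, b = or_collision(tk)
    print("OR collision found:", a != b and hide_or(a, tk) == hide_or(b, tk))
```

The practical reading is that the XOR variant is the only one of the three that implements the claims' stated recovery, and it is a one-time pad over the key: it hides the DEK from the server exactly as long as the transition key is uniformly random and unknown to the server, and no longer.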
28. A data transmission device, characterized in that it comprises a memory, a processor and a computer program stored on the memory, wherein the processor, when executing the computer program, implements the steps of the data transmission method of any one of claims 6-16.
29. A computer storage medium, characterized in that the computer storage medium stores an executable program which, when executed by a processor, implements the steps of the data transmission method of any one of claims 6-16.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811259224.9A CN109450881B (en) | 2018-10-26 | 2018-10-26 | A kind of data transmission system, method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811259224.9A CN109450881B (en) | 2018-10-26 | 2018-10-26 | A kind of data transmission system, method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109450881A CN109450881A (en) | 2019-03-08 |
CN109450881B true CN109450881B (en) | 2019-10-15 |
Family
ID=65547583
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811259224.9A Active CN109450881B (en) | 2018-10-26 | 2018-10-26 | A kind of data transmission system, method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109450881B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109962784B (en) * | 2019-03-22 | 2021-04-02 | 西安电子科技大学 | Data encryption, decryption and recovery method based on multiple digital envelope certificates |
CN110795743B (en) * | 2019-09-12 | 2022-03-25 | 连连银通电子支付有限公司 | Data writing, reading and encrypting method and device and data transmission system |
CN111192473A (en) * | 2019-11-14 | 2020-05-22 | 晏子俊 | Private parking space sharing method |
CN111865561B (en) * | 2020-06-28 | 2023-10-13 | 深圳市七星电气与智能化工程科技有限公司 | Data encryption and decryption method and device and electronic equipment |
CN112616139B (en) * | 2020-12-14 | 2023-02-10 | Oppo广东移动通信有限公司 | Data transmission method, electronic equipment and computer readable storage medium |
CN113572604B (en) * | 2021-07-22 | 2023-05-23 | 航天信息股份有限公司 | Method, device and system for sending secret key and electronic equipment |
CN115842679B (en) * | 2022-12-30 | 2023-05-05 | 江西曼荼罗软件有限公司 | Data transmission method and system based on digital envelope technology |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100611867B1 (en) * | 1998-01-26 | 2006-08-11 | 마츠시타 덴끼 산교 가부시키가이샤 | Method and system for data recording/reproducing, apparatus for recording/reproducing, and media for recording program |
US20010056541A1 (en) * | 2000-05-11 | 2001-12-27 | Natsume Matsuzaki | File management apparatus |
WO2002069087A2 (en) * | 2001-02-22 | 2002-09-06 | Bea Systems, Inc. | System and method for message encryption and signing in a transaction processing system |
US7660421B2 (en) * | 2002-06-28 | 2010-02-09 | Hewlett-Packard Development Company, L.P. | Method and system for secure storage, transmission and control of cryptographic keys |
CN101593332A (en) * | 2008-05-28 | 2009-12-02 | 北京邮电大学 | A kind of electronic contract management system and its implementation |
CN102611552B (en) * | 2011-01-24 | 2016-10-12 | 必拓电子商务有限公司 | There are the read-write terminal of valency information recording medium, system |
CN102609841B (en) * | 2012-01-13 | 2015-02-25 | 东北大学 | Remote mobile payment system based on digital certificate and payment method |
CN102710605A (en) * | 2012-05-08 | 2012-10-03 | 重庆大学 | Information security management and control method under cloud manufacturing environment |
CN103812871B (en) * | 2014-02-24 | 2017-03-22 | 北京明朝万达科技股份有限公司 | Development method and system based on mobile terminal application program security application |
CN104298896B (en) * | 2014-09-30 | 2017-09-26 | 广州星汇文化发展有限公司 | Digital copyright protecting and distribution method and system |
CN104821944A (en) * | 2015-04-28 | 2015-08-05 | 广东小天才科技有限公司 | Hybrid encrypted network data security method and system |
CN106330435A (en) * | 2015-07-02 | 2017-01-11 | 中兴通讯股份有限公司 | Key transformation method and device, and terminal |
CN108270565A (en) * | 2016-12-30 | 2018-07-10 | 广东精点数据科技股份有限公司 | A kind of data mixing encryption method |
CN107480477A (en) * | 2017-07-21 | 2017-12-15 | 四川长虹电器股份有限公司 | Mobile terminal product copy-right protection method based on html5 technologies |
CN108243197B (en) * | 2018-01-31 | 2019-03-08 | 北京深思数盾科技股份有限公司 | A kind of data distribution, retransmission method and device |
Events
- 2018-10-26: application CN201811259224.9A filed in CN (granted as CN109450881B, status Active)
Also Published As
Publication number | Publication date |
---|---|
CN109450881A (en) | 2019-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109450881B (en) | A kind of data transmission system, method and device | |
CN103729942B (en) | Transmission security key is transferred to the method and system of key server from terminal server | |
CN103107995B (en) | A kind of cloud computing environment date safety storing system and method | |
WO2019140464A1 (en) | Internet of things devices for use with an encryption service | |
CN107590396B (en) | Data processing method and device, storage medium and electronic equipment | |
CN103458382A (en) | Hardware encryption transmission and storage method and system of mobile phone private short messages | |
CN101867898A (en) | Short message encrypting communication system, method and secret key center | |
CN104365127B (en) | Method for following the trail of mobile device in remote display unit | |
CN110177099B (en) | Data exchange method, transmitting terminal and medium based on asymmetric encryption technology | |
CN109040076A (en) | A kind of data processing method, system, device, equipment and medium | |
CN110708291B (en) | Data authorization access method, device, medium and electronic equipment in distributed network | |
CN103475474B (en) | Method for providing and acquiring shared enciphered data and identity authentication equipment | |
CN109886692A (en) | Data transmission method, device, medium and electronic equipment based on block chain | |
CN112400299B (en) | Data interaction method and related equipment | |
CN102045159A (en) | Decryption processing method and device thereof | |
CN112437044B (en) | Instant messaging method and device | |
CN108199838A (en) | A kind of data guard method and device | |
CN103973713A (en) | Transfer method, extraction method and processing system for electronic mail information | |
CN111181920A (en) | Encryption and decryption method and device | |
CN106973040A (en) | A kind of smart mobile phone secret short message security system and secret short message transmission method | |
CN109491591A (en) | A kind of information diffusion method suitable for cloudy storage system | |
CN113468582A (en) | Anti-quantum computing encryption communication method | |
CN102739719A (en) | User information synchronization method and system thereof | |
CN116049851B (en) | Ciphertext processing system and method based on full homomorphic encryption | |
CN109241759B (en) | Data processing method and device, storage medium and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||