CN110188551B - Policy encryption transmission method and system - Google Patents

Abstract

The present application relates to the field of security mechanisms/transaction verification/digital signatures. In particular to a method and a system for encrypting and transmitting a policy. The server receives a policy acquisition request sent by the user terminal, wherein the policy acquisition request comprises a first key, decrypts the encrypted first key by adopting a private key corresponding to a public key, encrypts a requested policy partition block by adopting the first key to obtain a text document of the encrypted policy, and then sends the text document of the encrypted policy to the user terminal; the user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal; the printing terminal obtains the first key from the key management server, decrypts the text document of the encrypted policy by adopting the first key, obtains the decrypted policy, and prints the decrypted policy. By combining the symmetrical encryption method and the asymmetrical encryption method, sensitive data leakage and tampering in the process before the policy is transmitted to printing can be avoided, and the safety of the data is ensured.

Description

Policy encryption transmission method and system

Technical Field

The present disclosure relates to the field of computer technologies, and in particular, to a method and system for transmitting an encrypted policy.

Background

Along with the gradual enrichment of daily life of people, the requirements of people on life quality are gradually increased, people pay more attention to insurance, and the classification of insurance is also increased, and the three types of insurance are mainly divided: the insurance is a safe value-keeping type insurance, and mainly comprises insurance of education gold, pension and investment financial management; one type is early-administration type insurance, which refers to serious disease type insurance; yet another class is consumer insurance, including accident, accidental medical treatment, hospitalization, and major illnesses. With the development of the internet and the popularization of online payment, online purchase insurance gradually replaces offline purchase insurance, and people can obtain insurance policies sent by insurance companies without going home.

The insurance policy is short for insurance policy, is written proof of insurance contract between insurer and applicant, and its main content includes insured name, name of insured mark and its place or state, insurance amount, insurance period, insurance fee, rights and obligations of both parties and some additional conditions, and the insurance policy relates to some information of privacy comparison of applicant. After the insurance is purchased, the insurance applicant directly downloads the insurance policy file from the webpage or the application program for printing, and the transmission between the insurance company and the insurance applicant is in clear text transmission at present, so that great hidden danger exists in the data security.

Disclosure of Invention

The embodiment of the application provides a method and a system for transmitting the security policy in an encrypted manner, which can avoid sensitive data leakage and tampering in the process before the security policy is transmitted to printing, and ensure the security of the data.

In a first aspect, a policy encryption transmission method is provided, including:

the method comprises the steps that a server receives a policy acquisition request sent by a user terminal, wherein the policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server;

the server decrypts the encrypted first key by adopting a private key corresponding to the public key to obtain a first key;

the server encrypts the requested policy partition block by adopting the first key to obtain a text document of the encrypted policy;

the server sends the text document of the encrypted policy to the user terminal;

the user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal;

the printing terminal acquires the first key from a key management server;

the printing terminal decrypts the text document of the encrypted policy by adopting the first key to obtain the decrypted policy;

And the printing terminal prints the decrypted policy.

In one implementation, the method further comprises:

the user terminal and the server construct an encryption transmission channel;

the user terminal receives the public key from the server through the encrypted transmission channel.

In another implementation, the first key is a random number, the method further comprising:

the key management server generates the random number.

In yet another implementation, the key management server generates the random number, including:

the key management server selects a random number template from a template set as a target template, wherein the random number template is used for specifying a random number format, and the format comprises one or more of random number length, special symbol number, number and letter number;

the key management server generates the random number according to the target template.

In yet another implementation, the server encrypts the requested policy partition block using the first key to obtain a text document of the encrypted policy, including:

the server divides the policy into a plurality of blocks according to the set block grouping length;

The server encrypts the blocks by adopting the first key respectively to obtain encrypted blocks;

and the server stores the encrypted blocks into a text document.

In yet another implementation, the user terminal adds the text document of the encrypted policy to a to-be-printed manifest of a printing terminal, including:

the user terminal obtains gesture operation of a user on the text document of the encrypted policy, wherein the gesture operation is used for indicating that the text document of the encrypted policy is added to a to-be-printed list of the printing terminal;

the user terminal compares the gesture operation of the user with a set gesture operation;

and if the comparison results are consistent, the user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal.

In yet another implementation, the user terminal adds the text document of the encrypted policy to a to-be-printed manifest of a printing terminal, including:

the user terminal obtains status information of at least one printing terminal, wherein the status information comprises one or more of the following: distance information between a printing terminal and the user terminal and load information of the printing terminal;

The user terminal selects one printing terminal from the at least one printing terminal according to the state information of the at least one printing terminal;

and the user terminal adds the text document of the encrypted policy to the list to be printed of the selected printing terminal.

In yet another implementation, before the user terminal adds the text document of the encrypted policy to the to-be-printed manifest of the printing terminal, the method further includes:

the user terminal obtains the identity of the printing terminal;

the user terminal verifies the identity of the printing terminal;

and when the verification is passed, the user terminal executes the action of adding the text document of the encrypted policy to a list to be printed of the printing terminal.

In yet another implementation, the method further comprises:

the printing terminal receives a key update notification of the key management server, wherein the key update notification comprises an updated key;

the print terminal stores the updated key.

In a second aspect, a policy encryption transmission system is provided, including a server, a user terminal, and a print terminal;

the server is used for receiving a policy acquisition request sent by the user terminal, wherein the policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server;

The server is further used for decrypting the encrypted first key by adopting a private key corresponding to the public key to obtain a first key;

the server is further used for encrypting the requested policy partition block by adopting the first key to obtain a text document of the encrypted policy;

the server is further used for sending the text document of the encrypted policy to the user terminal;

the user terminal is used for adding the text document of the encrypted policy to a to-be-printed list of the printing terminal;

the printing terminal is used for acquiring the first key from a key management server;

the printing terminal is also used for decrypting the text document of the encrypted policy by adopting the first key to obtain the decrypted policy;

the printing terminal is also used for printing the decrypted policy.

In a third aspect, there is provided a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect or any one of the implementations described above.

In a fourth aspect, there is provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of the first aspect or any of the implementations described above.

The implementation of the scheme of the application has the following beneficial effects:

the symmetric key is encrypted by utilizing asymmetric encryption, and the policy is encrypted by utilizing the symmetric key, so that the security and privacy of the transmitted information of the policy can be ensured, and the privacy of an applicant can be protected.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic structural diagram of a policy encryption transmission system according to an embodiment of the present application;

fig. 2 is a flow chart of a policy encryption transmission method according to an embodiment of the present application;

fig. 3 is a flowchart of another method for transmitting an encrypted policy according to an embodiment of the present application.

Detailed Description

The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.

It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

It is also to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.

It should be further understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.

Fig. 1 is a schematic structural diagram of a policy encryption transmission system according to an embodiment of the present application. The system comprises a server 11, a user terminal 12, a printing terminal 13 and may further comprise a key management server 14. The user terminal 12 may be connected to the server 11 and the print terminal 13 by wire or wirelessly. The server 11 and the key management server 14 may be connected by wire or wirelessly. The print terminal 13 and the key management server 14 may be connected by wire or wirelessly.

The application provides a method and a system for transmitting an encrypted policy, wherein a server receives a policy acquisition request sent by a user terminal, the policy acquisition request comprises a first key, the encrypted first key is decrypted by adopting a private key corresponding to a public key, a requested policy partition block is encrypted by adopting the first key, a text document of the encrypted policy is obtained, and then the text document of the encrypted policy is sent to the user terminal; the user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal; the printing terminal obtains the first key from the key management server, decrypts the text document of the encrypted policy by adopting the first key, obtains the decrypted policy, and prints the decrypted policy. By combining the symmetrical encryption method and the asymmetrical encryption method, sensitive data leakage and tampering in the process before the policy is transmitted to printing can be avoided, and the safety of the data is ensured.

Referring to fig. 2, fig. 2 is a flow chart of a policy encryption transmission method according to an embodiment of the present application. As shown in fig. 2, the method includes:

s101, the user terminal sends a policy acquisition request to a server.

Correspondingly, the server receives a policy acquisition request sent by the user terminal.

The policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server.

The user terminal may be a user terminal held by an insurance staff. The user terminal in the application may include a smart Phone (such as an Android mobile Phone, an iOS mobile Phone, a Windows Phone mobile Phone, etc.), a tablet computer (Windows system, OS system or Linux system), a palm computer, a notebook computer, a mobile internet device MID (Mobile Internet Devices, abbreviated as MID) or a wearable device, etc. The above user terminals are merely examples and are not exhaustive and include, but are not limited to, the above terminals. Of course, in practical applications, the user terminal is not limited to the above-mentioned variant, and may further include: intelligent vehicle terminals, computer equipment, etc.

When an insurance staff member is about to print one or a batch of insurance policies in charge of the insurance staff member, an insurance policy acquisition request is sent to a server through a user terminal. The server is responsible for receiving, generating and storing the policy, and receives a policy acquisition request sent by the user terminal. The policy acquisition request may include an identification of the acquired policy, such as an index number of the policy. The policy acquisition request also includes a first key. The first key is used to encrypt the policy. The first key itself is encrypted with the public key.

Optionally, before S101, the server generates a public key and a private key, and sends the public key to the user terminal, so that the user terminal may encrypt the first key with the public key.

S102, the server decrypts the encrypted first key by adopting a private key corresponding to the public key to obtain the first key.

The server adopts the private key stored by the server to decrypt the first key encrypted by the public key to obtain the first key.

S103, the server encrypts the requested warranty partition block by adopting the first key to obtain the text document of the encrypted warranty.

In this embodiment, the policy may be encrypted according to the advanced encryption standard (advanced encryption standrad, AES). The encrypted key is the first key described above. AES requires that the block length of the file be fixed to 128 bits, and the key length may be 128, 192 or 256 bits. Generally, the policy file exceeds 128 bits, so the policy may be divided into a plurality of blocks, the policy is partitioned and encrypted by using the first key, and the encrypted policy blocks are stored in the TXT file.

S104, the server sends the text document of the encrypted policy to the user terminal.

The server may send the text document of the encrypted policy to the user terminal in a wireless or wired manner.

And after receiving the text document of the encrypted policy, the user terminal stores the text document to the local.

S105, the user terminal adds the text document of the encrypted policy to a list to be printed of the printing terminal.

The printing interface of the user terminal can display the page of the printing terminal, the user can add the saved text document of the encrypted policy to a to-be-printed list of the printing terminal, and then the user terminal sends the saved text document of the encrypted policy to the printing terminal.

S106, the printing terminal acquires the first key from the key management server.

The printing terminal obtains the encrypted policy and needs to decrypt the encrypted policy to print.

Thus, the print terminal acquires the first key from the key management server. The key management server uniformly manages the encryption keys of the policy. When the key management server receives the key acquisition request of the printing terminal, the printing terminal is authenticated, and when the authentication is passed, the first key is sent to the printing terminal. After the print terminal obtains the first key, the print terminal may locally store the first key for decryption use next time. Alternatively, before S106, the printing terminal may also search the first key locally, and if the first key is found locally, it may not need to acquire the first key from the key management server.

And S107, the printing terminal decrypts the text document of the encrypted policy by adopting the first key to obtain the decrypted policy.

The printing terminal can decrypt the text document of the encrypted policy by adopting the first key according to the AES standard to obtain a plurality of decrypted text documents, and then restore the decrypted text documents into the policy.

S108, the printing terminal prints the decrypted policy.

According to the policy encryption transmission method provided by the embodiment of the application, by combining the symmetric encryption method and the asymmetric encryption method, sensitive data leakage and tampering in the process before the policy is transmitted to printing can be avoided, and the security of the data is ensured.

Referring to fig. 3, fig. 3 is a flowchart of another policy encryption transmission method according to an embodiment of the present application, where the method includes:

s201, the user terminal and the server construct an encrypted transmission channel.

The user terminal may connect to the internet and install various applications such as instant messaging tools, third party payment tools, shopping software, etc. The user terminal may have a memory and a central processor, and may also be used to send data requests or receive data requests, and may also perform analysis, verification, storage, and the like on the data.

After the web page is opened to acquire the insurance service or purchase the insurance service in the shopping application program, the identity information of the user, such as name, identification card number, address, telephone and the like, needs to be input, wherein the privacy information of the applicant is contained. When the applicant finishes inputting the information, automatically generating and transmitting the insurance policy, and establishing an encryption transmission channel by the user terminal and the server.

S202, the user terminal receives the public key from the server through the encrypted transmission channel.

The first key used for policy encryption, e.g. a random number key generated by the user terminal, is a symmetric key to be used as policy encryption. In the encryption algorithm of AES, both the sender and the receiver need keys for encryption and decryption. But it is not very secure to send the generated random number directly to the server as a key, so in the embodiments of the present application, in combination with the asymmetric encryption algorithm, the server generates a key pair, i.e. a private key and a public key. The public key and the private key correspond to a lock head and a key.

The server sends the public key to the user terminal, which is equivalent to the server sending the lock to the user terminal, the user terminal can encrypt the random number by using the public key, the user terminal locks the random number, and the lock can only be opened by the key, so that after the encrypted content is acquired by other servers or the user terminal, the random number can not be obtained, and therefore, the encrypted policy can not be obtained.

In the embodiment of the present application, the asymmetric encryption algorithm may be a digital signature standard algorithm (digitalsignature algorithm, DSA), an RSA encryption algorithm (RSA algorithm, RSA), an ElGamal encryption algorithm (ElGamal encryption algorithm, elGamal), or the like, which is not limited in this application.

The user terminal sends a public key acquisition request to the server. Specifically, the user terminal may request the public key from the server on the web page, or may request the public key from the application, applet, or the like. The server generates a set of key pairs including a private key and a public key for subsequent asymmetric encryption. After the user terminal receives the public key sent by the server, the public key is stored, so that the user terminal is convenient for subsequent use. In this embodiment, to ensure security of public key transmission, the server sends the generated public key to the user terminal through the encrypted transmission channel.

Specifically, the user terminal initiates a secure socket layer hypertext transfer protocol request (Hyper Text Transfer Protocol over Secure Socket Layer, HTTPS) on the web page, HTTPS being the primary solution hypertext transfer protocol (HyperText Transfer Protocol, HTTP) protocol used to transfer information between the web browser and the web server. The HTTP protocol transmits content in a plaintext manner, does not provide any data encryption, and if an attacker intercepts a transmission message between a web browser and a web server, the information in the transmission message can be directly read, so that the HTTP protocol is not suitable for transmitting some sensitive information, such as a credit card number, a password and the like.

HTTPS targets secure HTTP channels, simply secure versions of HTTP. I.e. joining the secure sockets layer (Secure Sockets Layer, SSL) layer under HTTP, the security foundation of HTTPs is SSL, so the encrypted details require SSL. It is a URI scheme (abstract identifier hierarchy), syntactic like http:hierarchy. For secure HTTP data transfer. HTTPs URL indicates that it uses HTTP, but HTTPs presents a default port other than HTTP and an encryption/authentication layer (between HTTP and transmission control protocol (Transmission Control Protocol, TCP)). The system provides an authentication and encryption communication method. It is now widely used for security-sensitive communications on the world wide web, for example in terms of transaction payments, but also for the transmission of passwords, such as in the embodiments of the present application where the server sends a public key to the user terminal.

If the user terminal needs the service of policy transmission in the scheme, it is necessary that the user terminal establishes TCP connection with the server.

When the user terminal establishes a TCP connection with the server, a request of HTTPS is sent to the server, and HTTPS can be understood as http+ssl/TLS, that is, HTTP joins the SSL layer, and the security base of HTTPS is SSL, so that SSL is required for the encrypted details for secure HTTP data transmission. But the server needs to configure the digital certificate.

The digital certificate may be made by itself or applied to an organization. The difference is that the certificate issued by the user needs to pass the verification of the client so as to be accessed continuously. When configuring the certificate, the server firstly generates a key pair of the server and transmits the public key and part of personal identity information to the authentication center. After verifying the identity, the authentication center will perform some necessary steps to make sure that the request was indeed sent by the user, and then the authentication center will issue the user a digital certificate containing the user's personal information and his public key information, together with the authentication center's signature information. The user can perform various activities related thereto using his/her own digital certificate. The digital certificate is issued by a separate certificate issuing authority. Digital certificates vary from one certificate to another, each certificate may provide a different level of trustworthiness. The digital certificate may be obtained from a certificate issuer.

For example, if the encryption is performed by using the RSA algorithm in the asymmetric encryption algorithm, the key can be generated by using the library provided by the ssh-keygen and opensl genrsa at the server side, wherein 2048 bits of the key in the RSA encryption algorithm can be preset, so that the key pair can be generated.

Optionally, with this key pair, a certificate authority may be issued (Certification Authority, CA) with a certificate, after the CA has ascertained the identity of the applicant, a public key is assigned to him, and the CA binds the public key with the identity information of the applicant and signs it, forming a certificate to the applicant.

Alternatively, a certificate may be made at the server side, which itself generates the application file of the certificate by using the configuration file of the CA, and self-signs the root certificate of the CA, i.e. itself serves as the authentication center to perform authentication. The trust level may be different from the way in which certificates are applied to the certification authorities and made.

Further, after signing the CA root certificate itself, this root certificate may be used to sign other digital certificates, using other services.

Specifically, the public key may be an encryption public key in the encryption key pair generated by the server, or may be the digital certificate request including the encryption public key. When the user terminal sends a policy request at the web page end, namely a request for a digital certificate, the user terminal sends the policy request at an application program or an applet, namely an encrypted public key of a request server. After the user terminal sends the encryption request, waiting for the server to send the encryption public key.

In particular, the user terminal will be able to perform one or more verifications on the certificate, which may be, but are not limited to, unpacking of the certificate, a certificate chain, a serial number, a validity period, a revocation list query, a usage policy, verification of the end user entity certificate.

The unpacking of the verification certificate is to verify whether the public key of the issuer CA can correctly unpack the "digital signature of the issuer" in the client entity certificate. After the exchange transfer, the two certificates are unpacked to see if they can be unpacked. The final content of the certificate structure is the digital signature of the certificate authority CA, i.e. a trusted CA has signed on the certificate with its own private key. If the certificate of a user entity can be unpacked with the public key of the CA, then the signature is verified to be correct. As it proves that this certificate was issued by an authoritative, trusted certification authority. Thus, this entity certificate is authentic.

The verification of the certificate chain is intended to trace back through the certificate chain to the ROOT (ROOT) of the trusted CA. In other words, to verify whether the CA issuing the user entity certificate is an authoritative trusted CA, it is largely divided into definition verification of a certificate chain and certificate chain validation from the user entity certificate to the ROOT CA.

The verification of the serial number refers to checking whether the serial number of the signing entity in the entity certificate is consistent with the serial number of the issuer certificate, and verifying the authenticity of the certificate.

The validity period verification is to check whether the date of using the user certificate is legal or not and whether the user certificate is expired or not.

Certificate revocation list query is to check whether the user's certificate has been revoked and issued in the certificate revocation list.

Verification of the certificate usage policy means that the manner of usage of the certificate is consistent with any stated policy CertificatePolicy or usage restrictions, i.e. Certificate Policies in the user entity certificate should be a list of certificate policies acknowledged by the CA.

Authentication of end user entity certificates is a way in which certificates of an internal administrator of a certification authority issued by a CA are to be distinguished from end user entity certificates for the purpose of secure use of the certificates.

S203, the server receives a policy acquisition request sent by the user terminal through the encryption transmission channel, wherein the policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server.

This step may be implemented with reference to step S101 of the embodiment shown in fig. 2.

And sending the encrypted random number to the server, wherein the encrypted random number can be decrypted only by a private key of the server. After receiving the encrypted random number sent by the user terminal, the server can send confirmation information to the user terminal and store the encrypted random number for subsequent use.

Specifically, the server may decrypt the received encrypted random number with the generated private key, and obtain the random number after decrypting. The server may symmetrically encrypt the file content of the policy, the encrypted method being the AES encryption algorithm. After the encryption of the server is completed, the encrypted policy file can be sent to the user terminal.

Specifically, the generated random number is used for a subsequent symmetric encryption algorithm, and in the embodiment of the present application, an advanced encryption standard may be used, and a symmetric encryption algorithm such as a data encryption standard (Data Encryption Standard, DES) may also be used. The AES encryption algorithm is not easy to actively attack (error transfer), is suitable for long messages, and is SSL and IPSec standard.

The key length of the AES encryption public key is three, namely 128 bits, 192 bits and 256 bits, and the user terminal can preset a default randomly generated key length so as to directly generate a corresponding random number key, and the user terminal stores the generated key, so that the subsequent use is convenient.

Specifically, after verifying the digital certificate and when verifying that the digital certificate is normal, a random number generation process is started to generate a random number as a symmetric encryption key.

The random number generation process in the present application may, but is not limited to, directly generate a random number with a preset number of bits by using a code, and in the embodiment of the present application, the policy is encrypted by using an AES encryption algorithm, that is, the random number is 128 bits, 192 bits or 256 bits, or may be generated by hardware, or may be generated by software, which is not limited in the embodiment of the present application. The random number sequence generated by hardware is generally a true random number, and is generated by acquiring information from a physical phenomenon which is not reproducible, such as changes in ambient temperature and sound, position information of a user moving a mouse, time intervals of keyboard input, output values of a radiation measuring instrument, and the like. A hardware device like this is called a random number generator (Random Number Generator, RNG). The software that generates the random numbers is called a pseudo-random number generator (Pseudo Random Number Generator, PRNG).

For example, the pseudo-random number generator has an "internal state", which refers to a numerical value in a memory managed by the pseudo-random number generator, and generates a pseudo-random number sequence based on an externally input "seed". This value changes each time a random number is generated. And "seeds" are used to initialize internal states. The pseudo-random number generator is public but the seed is required to be secret as if the cryptographic algorithm were public but the key is secret. Specific pseudo-random number generators may include, but are not limited to, the following five: a scrambling method, a linear congruence method, a one-way hash function method, a cryptography method and ANSI X9.17.

When the user terminal verifies the digital certificate, if one or more verification states are abnormal, a warning is popped up to prompt the server certificate to have a problem.

Specifically, in the embodiment of the present application, the encryption program may be performed on the random number described above using the RSA encryption algorithm.

For example, the user terminal sends a message m (here, a random number generated and stored by the user terminal) to the server, the public keys of which are N and e. The client converts the message m to a non-negative integer N less than N, e.g., converts each word to a single code (Unicode code) for the word, and then concatenates the digits to form a number. If the information is very long, it can be divided into several pieces and then each piece is converted to n. He can encrypt n as c using the following formula; c≡ne (mod N). Where (N, e) is the public key and (N, d) is the private key.

Specifically, the encrypted character string is transmitted to the server. According to the above example, c can be calculated, and the user terminal can transmit c to the server after calculating it, and the server stores the character string of the encrypted random number sent by the user terminal after receiving the character string for subsequent use.

Specifically, the RSA encryption algorithm may decrypt with the encryption private key at the server side. Thus, even if other servers or other user terminals receive the encrypted random numbers, the contents thereof cannot be obtained.

According to the above example, after the server gets the message c, it can be decoded with the key d. The following formula can be used to convert c to n: cd≡n (mod N); after n is obtained, the original information m can be restored again. The principle of decoding is: cd≡ne·d (mod N); knowing ed≡1 (mod r), i.eFrom the Euler theorem:

specifically, in the embodiment of the present application, the server encrypts the policy with the random number obtained by the decryption, and may encrypt the policy with a symmetric encryption algorithm such as DES, AES, etc., which is exemplified by the AES symmetric encryption algorithm.

The content of the policy is encrypted n rounds using the AES algorithm, wherein each round of encryption is mainly divided into four steps of byte substitution, row shifting, column mixing, and round key addition.

Alternatively, the byte substitution is that an S-box and an inverse S-box defined according to AES take the upper 4 bits of the byte as row values and the lower 4 bits as column values, and take out the elements of the corresponding row in the S-box or the inverse S-box as output.

Alternatively, the above-described line shift is a left cyclic shift operation. When the key length is 128 bits, the 0 th row of the state matrix is shifted left by 0 byte, the 1 st row is shifted left by 1 byte, the 2 nd row is shifted left by 2 bytes, and the 3 rd row is shifted left by 3 bytes.

Optionally, the above-mentioned column mixing is implemented by matrix multiplication, and the state matrix after the row shift is multiplied by a fixed matrix, so as to obtain a state matrix after confusion.

Optionally, the round key adding step refers to that each byte a [ i, j ] of the input array is exclusive-ored once with the byte k [ i, j ] of the corresponding position of the key, and an output value b [ i, j ] is generated. The encryption keys for each round in this step are not necessarily the same, and the AES source code uses an array W of (10+1) bytes in length 4*4 to store the keys for all rounds. The value of W {0-15} is equivalent to the value of the original key for processing for the initial round. Each subsequent element W [ i ] is calculated from W [ i-4] and W [ i-1] until all elements of array W are assigned. Of the W arrays, W {0-15} is used for the processing of the initial round, W {16-31} is used for the processing of round 1, W {32-47} is used for the processing of round 2.

Where AES encryption specifies that the packet length is only 128 bits, that is, 16 bytes per packet (8 bits per byte). The length of the key may use 128 bits, 192 bits, or 256 bits. The length of the key is different, the recommended encryption round number is also different, the key length is 128 bits, and the encryption round number is 10 rounds.

Specifically, according to the decryption method of the AES encryption algorithm, the encrypted policy file is decrypted, and the decryption mode makes the use sequence of each transformation in the decryption process identical to the sequence of the encryption process, and only the inverse transformation is used to replace the original transformation, which is not described here again.

In one possible example, the SSL protocol uses asymmetric encryption techniques to enable secure transfer of information between the two parties to the session. Confidentiality and integrity of information transfer can be realized, and the two parties of the session can identify the identity of the other party. Unlike the conventional http protocol, we use the https protocol when setting up SSL secure connections with websites, i.e. access in the manner https:// ip: port. When we establish https connection with a website, we need a handshake process between our browser and Web Server to complete authentication and key exchange, thereby establishing secure connection. The specific process is as follows:

the user browser sends its SSL version number, encryption setup parameters, session related data, and some other necessary information to the server.

The server sends its SSL version number, encryption setting parameters, session related data and some other necessary information to the user terminal, and also to the user terminal's certificate of the server. The processing in the user terminal is a browser of the user terminal. If SSL of the configuration server needs to verify the user identity, a request is also sent to request the browser to provide the user certificate.

The user terminal checks the server certificate and if the check fails, prompts that the SSL connection cannot be established. If successful, then proceed. The user terminal browser generates a pre-master secret for the current session, encrypts the pre-master secret with a server public key and sends the encrypted pre-master secret to the server. If the server requires authentication of the client identity, the user terminal signs the other data and sends it to the server together with the user terminal certificate.

If the server requires authentication of the client identity, it is checked whether the CA signing the client certificate is authentic. If not, ending the session. If the check passes, the server decrypts the received pre-master secret with its own private key and uses it to generate the master secret for the current session by some algorithm.

The user terminal and the server both use the master secret to generate a session key (symmetric key) for the current session. This session key is used to transfer any messages after the end of the two-party SSL handshake. The main reason for this is that the computation amount of symmetric encryption is one order of magnitude lower than that of asymmetric encryption, and the computation speed of the two parties in conversation can be remarkably improved.

The user terminal informs the server that the messages sent thereafter are encrypted using this session key. And informs the server that the user terminal has completed the SSL handshake.

The server informs the user terminal that the messages sent thereafter are encrypted using this session key. And notifying the user terminal server that the SSL handshake is completed.

The handshake process ends and the session is established. Both parties use the same session key to encrypt and decrypt the transmitted and received information, respectively.

S204, the server decrypts the encrypted first key by adopting a private key corresponding to the public key to obtain the first key.

This step may be implemented with reference to step S102 of the embodiment shown in fig. 2.

S205, the server divides the policy into a plurality of blocks according to the set block grouping length, encrypts the blocks by adopting the first key respectively to obtain encrypted blocks, and stores the encrypted blocks into a text document.

This step may be implemented with reference to step S103 of the embodiment shown in fig. 2.

S206, the server sends the text document of the encrypted policy to the user terminal.

This step may be implemented with reference to step S104 of the embodiment shown in fig. 2.

S207, the user terminal acquires the identity of the printing terminal.

S208, the user terminal verifies the identity of the printing terminal.

Before the user terminal sends the encrypted policy to the print terminal, the identity of the print terminal needs to be verified. Specifically, the identity of the printing terminal is obtained, and whether the printing terminal is safe or not is verified, or whether the identity of the printing terminal is prestored in the user terminal or not is verified.

S209, when verification is passed, the user terminal obtains gesture operation of a user on the text document of the encrypted policy, wherein the gesture operation is used for indicating that the text document of the encrypted policy is added to a to-be-printed list of the printing terminal, the gesture operation of the user is compared with the set gesture operation, and if the comparison result is consistent, the user terminal adds the text document of the encrypted policy to the to-be-printed list of the printing terminal.

The printing interface of the user terminal can display the page of the printing terminal, the user can add the saved text document of the encrypted policy to a to-be-printed list of the printing terminal, and then the user terminal sends the saved text document of the encrypted policy to the printing terminal.

In this embodiment, the stored text document of the encrypted policy may be added to the to-be-printed list of the printing terminal through gesture operation of the user, which is convenient to operate and good in user experience. The gesture operation may be a drag, a slide, or the like operation.

S210, the printing terminal acquires the first key from a key management server.

This step may be implemented with reference to step S106 of the embodiment shown in fig. 2.

S211, the printing terminal decrypts the text document of the encrypted policy by adopting the first key to obtain the decrypted policy.

This step may be implemented with reference to step S107 of the embodiment shown in fig. 2.

S212, the printing terminal prints the decrypted policy.

This step may be implemented with reference to step S108 of the embodiment shown in fig. 2.

S213, the printing terminal receives a key update notification of the key management server, wherein the key update notification comprises the updated key.

Since the key management server adopts a uniform key for all policy, the key management server updates the key periodically. The updated key may be uniformly notified to each printing terminal by the key management server, or may be acquired by the printing terminal to the key management server.

S214, the printing terminal stores the updated secret key.

According to the policy encryption transmission method provided by the embodiment of the application, by combining the symmetric encryption method and the asymmetric encryption method, sensitive data leakage and tampering in the process before the policy is transmitted to printing can be avoided, and the security of the data is ensured.

With continued reference to fig. 1, an embodiment of the present application further provides a policy encryption transmission system, which is illustrated by way of example:

the server 11 is configured to receive a policy acquisition request sent by the user terminal 12, where the policy acquisition request includes a first key, and the first key is encrypted by using a public key of the server 11;

the server 11 is further configured to decrypt the encrypted first key by using a private key corresponding to the public key, to obtain a first key;

the server 11 is further configured to encrypt the requested policy partition block with the first key, to obtain a text document of the encrypted policy;

the server 11 is further configured to send the text document of the encrypted policy to the user terminal 12;

the user terminal 12 is configured to add the text document of the encrypted policy to a to-be-printed list of the printing terminal 13;

the print terminal 13 is configured to acquire the first key from the key management server 1411;

the printing terminal 13 is further configured to decrypt the text document of the encrypted policy by using the first key, to obtain a decrypted policy;

the print terminal 13 is also used for printing the decrypted policy.

In one implementation, the user terminal 12 is further configured to construct an encrypted transmission channel with the server 11;

The user terminal 12 is further configured to receive the public key from the server 11 via the encrypted transmission channel.

In another implementation, the first key is a random number and the key management server 1411 is configured to generate the random number.

In yet another implementation, the key management server 1411 is specifically configured to select a random number template from a set of templates as a target template, where the random number template is configured to specify a format of a random number, and the format includes one or more of a random number length, a special symbol number, a number of digits, and a number of letters; and generating the random number according to the target template.

In yet another implementation, the server 11 is further configured to divide the policy into a plurality of blocks according to a set block grouping length; the server 11 is further configured to encrypt the plurality of blocks by using the first key, to obtain encrypted plurality of blocks; and the server 11 is further configured to store the encrypted plurality of blocks in a text document.

In yet another implementation, the user terminal 12 is further configured to obtain a gesture operation of a user for the text document of the encrypted policy, where the gesture operation is used to instruct to add the text document of the encrypted policy to the to-be-printed list of the print terminal 13; the user terminal 12 is further configured to compare the gesture operation of the user with a set gesture operation; and the user terminal 12 is further configured to add the text document of the encrypted policy to the to-be-printed list of the print terminal 13 if the comparison result is consistent.

In yet another implementation, the user terminal 12 is further configured to obtain status information of at least one printing terminal 13, where the status information includes one or more of the following: distance information between the printing terminal 13 and the user terminal 12, and load information of the printing terminal 13; the user terminal 12 is further configured to select one print terminal 13 from the at least one print terminal 13 according to the status information of the at least one print terminal 13; and the user terminal 12 is further configured to add the text document of the encrypted policy to the selected list to be printed of the print terminal 13.

In yet another implementation, the user terminal 12 is further configured to obtain an identity of the print terminal 13; the user terminal 12 is further configured to verify the identity of the print terminal 13; and the user terminal 12 is further configured to perform the action of adding the text document of the encrypted policy to the to-be-printed manifest of the printing terminal 13 when the authentication is passed.

In yet another implementation, the print terminal 13 is further configured to receive a key update notification of the key management server 1411, where the key update notification includes an updated key; and the print terminal 13 is further configured to store the updated key.

According to the policy encryption transmission system provided by the embodiment of the application, by combining the symmetric encryption method and the asymmetric encryption method, sensitive data leakage and tampering in the process before the policy is transmitted to printing can be avoided, and the security of the data is ensured.

Embodiments of the present application also provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the above-described method.

Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the above method.

It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the division of the unit is merely a logic function division, and there may be another division manner when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not performed. The coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, produces a flow or function in accordance with embodiments of the present application, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted across a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital subscriber line (digital subscriber line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a read-only memory (ROM), or a random-access memory (random access memory, RAM), or a magnetic medium, such as a floppy disk, a hard disk, a magnetic tape, a magnetic disk, or an optical medium, such as a digital versatile disk (digital versatile disc, DVD), or a semiconductor medium, such as a Solid State Disk (SSD), or the like.

Claims (8)

1. A policy encryption transmission method, comprising:

the user terminal and the server construct an encryption transmission channel;

the user terminal receives the public key from the server through the encrypted transmission channel;

the user terminal encrypts a first key by using the public key;

the server receives a policy acquisition request sent by the user terminal through the encryption transmission channel, wherein the policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server;

the server decrypts the encrypted first key by adopting a private key corresponding to the public key to obtain the first key;

the server encrypts the requested policy partition block by adopting the first key to obtain a text document of the encrypted policy; comprising the following steps: the server divides the policy into a plurality of blocks according to the set block grouping length; the server encrypts the blocks by adopting the first key respectively to obtain encrypted blocks; the server stores the encrypted blocks into a text document to obtain the text document of the encrypted policy;

the server sends the text document of the encrypted policy to the user terminal;

The user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal;

the printing terminal acquires the first key from a key management server;

the printing terminal decrypts the text document of the encrypted policy by adopting the first key to obtain the decrypted policy;

and the printing terminal prints the decrypted policy.

2. The method of claim 1, wherein the first key is a random number, the method further comprising:

the key management server generates the random number.

3. The method of claim 2, wherein the key management server generating the random number comprises:

the key management server selects a random number template from a template set as a target template, wherein the random number template is used for specifying a random number format, and the format comprises one or more of random number length, special symbol number, number and letter number;

the key management server generates the random number according to the target template.

4. The method of claim 1, wherein the user terminal adding the text document of the encrypted policy to a to-be-printed manifest of a printing terminal comprises:

The user terminal obtains gesture operation of a user on the text document of the encrypted policy, wherein the gesture operation is used for indicating that the text document of the encrypted policy is added to a to-be-printed list of the printing terminal;

the user terminal compares the gesture operation of the user with a set gesture operation;

and if the comparison results are consistent, the user terminal adds the text document of the encrypted policy to a to-be-printed list of the printing terminal.

5. The method of claim 1, wherein the user terminal adding the text document of the encrypted policy to a to-be-printed manifest of a printing terminal comprises:

the user terminal obtains status information of at least one printing terminal, wherein the status information comprises one or more of the following: distance information between a printing terminal and the user terminal and load information of the printing terminal;

the user terminal selects one printing terminal from the at least one printing terminal according to the state information of the at least one printing terminal;

and the user terminal adds the text document of the encrypted policy to the list to be printed of the selected printing terminal.

6. The method of claim 4, wherein the user terminal adds the text document of the encrypted policy to a to-be-printed manifest of a printing terminal, the method further comprising:

the user terminal obtains the identity of the printing terminal;

the user terminal verifies the identity of the printing terminal;

and when the verification is passed, the user terminal executes the action of adding the text document of the encrypted policy to a list to be printed of the printing terminal.

7. The method according to claim 1, wherein the method further comprises:

the printing terminal receives a key update notification of the key management server, wherein the key update notification comprises an updated key;

the print terminal stores the updated key.

8. The system is characterized by comprising a server, a user terminal and a printing terminal;

the user terminal is used for constructing an encryption transmission channel with the server;

the user terminal is used for receiving the public key from the server through the encrypted transmission channel;

the user terminal is used for encrypting the first key by using the public key;

The server is used for receiving a policy acquisition request sent by the user terminal through the encryption transmission channel, wherein the policy acquisition request comprises a first key, and the first key is encrypted by adopting a public key of the server;

the server is also used for decrypting the encrypted first key by adopting a private key corresponding to the public key to obtain the first key;

the server is further used for encrypting the requested policy partition block by adopting the first key to obtain a text document of the encrypted policy; comprising the following steps: the server divides the policy into a plurality of blocks according to the set block grouping length; the server encrypts the blocks by adopting the first key respectively to obtain encrypted blocks; the server stores the encrypted blocks into a text document to obtain the text document of the encrypted policy;

the server is further used for sending the text document of the encrypted policy to the user terminal;

the user terminal is used for adding the text document of the encrypted policy to a to-be-printed list of the printing terminal;

the printing terminal is used for acquiring the first key from a key management server;

The printing terminal is also used for decrypting the text document of the encrypted policy by adopting the first key to obtain the decrypted policy;

the printing terminal is also used for printing the decrypted policy.