CN111885091B - Secure communication method, device, equipment and storage medium - Google Patents

Secure communication method, device, equipment and storage medium Download PDF

Info

Publication number
CN111885091B
CN111885091B CN202010790642.1A CN202010790642A CN111885091B CN 111885091 B CN111885091 B CN 111885091B CN 202010790642 A CN202010790642 A CN 202010790642A CN 111885091 B CN111885091 B CN 111885091B
Authority
CN
China
Prior art keywords
data
session
module
communication
service execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010790642.1A
Other languages
Chinese (zh)
Other versions
CN111885091A (en
Inventor
王帅卿
李忠月
谭静娴
郭铁兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingwei Hirain Tech Co Ltd
Original Assignee
Beijing Jingwei Hirain Tech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingwei Hirain Tech Co Ltd filed Critical Beijing Jingwei Hirain Tech Co Ltd
Priority to CN202010790642.1A priority Critical patent/CN111885091B/en
Publication of CN111885091A publication Critical patent/CN111885091A/en
Application granted granted Critical
Publication of CN111885091B publication Critical patent/CN111885091B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/14Session management
    • H04L67/141Setup of application sessions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention discloses a secure communication method, a device, equipment and a storage medium, wherein the method comprises the following steps: receiving configuration parameters sent by a service execution program of a client through a common module in advance and forwarding the configuration parameters to a trusted module, generating a session ID by the trusted module, determining target resources associated with the session ID according to the configuration parameters, returning the session ID to the service execution program by the common module, and establishing communication connection with a server; when a service execution program needs to send data to a server, a common module receives a data sending request sent by the service execution program, wherein the data sending request comprises a session ID and data to be sent; and the trusted module performs security related processing on the data to be transmitted according to the target resource associated with the session ID to obtain target transmission data. And transmitting the target sending data to the server by using the communication connection. The code redundancy of different service execution programs is avoided, and the system operation burden of the client is reduced.

Description

Secure communication method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a secure communication method, apparatus, device, and storage medium.
Background
At present, most services include a service execution program of a client and a service execution program of a server, and service functions are realized through communication between the service execution program of the client and the service execution program of the server. With the popularization of TrustZone, for the sake of security, the service execution program of the client communicates with the service execution program of the server based on the trusted execution environment.
The existing way for the service execution program of the client to communicate with the service execution program of the server based on the trusted execution environment is as follows: the service execution program of the client comprises a common program part running in a common execution environment and a trusted program part running in a trusted execution environment, and in the process of communication between the client and the server, security-related processing can be realized by running the trusted program part, for example, the trusted program part refers to an algorithm library to realize generation, management and storage of a key, encryption and decryption of data, signature adding and signature checking and the like.
The inventor of the present application finds that, when different services communicate with a server based on a trusted execution environment, all the services need to execute a trusted program part, and a client generally configures multiple services, which results in code redundancy of the execution programs of the different services and increases system operation burden of the client.
Disclosure of Invention
The invention aims to provide a secure communication method, a secure communication device, a secure communication equipment and a secure communication storage medium, so as to reduce the system operation burden of a client. The technical scheme is as follows:
a secure communication method, comprising:
receiving a data sending request sent by a service execution program of a client through a common module running in a common execution environment, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: transmitting the received configuration parameters sent by the service execution program to a trusted module running in a trusted execution environment through the common module, so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; returning the session ID to the service execution program through the common module, and establishing communication connection associated with the session ID with a server;
the data sending request is transmitted to the trusted module through the common module, so that the trusted module can perform first safety related processing on the data to be sent according to the target resource to obtain target sending data and send the target sending data to the common module;
and sending the target sending data to the server side by the common module by utilizing the communication connection.
The above method, optionally, the configuration parameter includes: security level, security scheme, and key generation.
The method, optionally, the security level includes: only the processing of adding labels is carried out; only encryption processing is carried out; only adding a label when initializing connection, and encrypting in the communication process; and the signing and encryption processing during the initialization connection, and the signing and encryption processing during the communication process;
the security scheme is a key length and an algorithm mode used under a selected security level;
the key generation mode comprises the following steps: generating a random key for each communication; each communication uses a random key which is generated in advance based on a service executive program and the address of a service end; and using a preset key for each communication; the preset key is associated with a fixed service execution program and is preset in the equipment before the equipment leaves a factory.
Optionally, in the method, when the key generation manner is that a preset key is used for each communication, or a random key generated in advance corresponding to the service execution program and the address of the server is used for each communication, the data transmission request further includes: the key token of the service execution program and the address of the server.
The above method, optionally, further includes:
receiving response data returned by the server end responding to the target sending data through the common module, and transmitting the response data and the session ID into the trusted module, so that the trusted module performs second safety related processing on the response data according to the target resource to obtain feedback data and sends the feedback data to the common module;
and returning the feedback data to the service execution program through the common module.
The above method, optionally, further includes:
receiving a communication ending request sent by the service execution program through the common module;
and the common module disconnects the communication connection with the server based on the communication ending request, and sends a resource deleting request carrying the session ID to the trusted module, so that the trusted module can delete the target resource associated with the session ID conveniently.
The above-described method, in the alternative,
the service execution program realizes the communication initialization process by calling a preset communication initialization interface;
and the service execution program transmits the data sending request to the common module by calling a preset data sending interface.
A secure communications apparatus, comprising: the system comprises a common module running in a common execution environment and a trusted module running in a trusted execution environment; wherein the content of the first and second substances,
the common module receives a data sending request sent by a service execution program of a client, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: the common module transmits the received configuration parameters sent by the service execution program to the trusted module so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; returning the session ID to the service execution program through the common module, and establishing communication connection associated with the session ID with a server;
the common module transmits the data sending request to the trusted module, so that the trusted module performs first safety related processing on the data to be sent according to the target resource to obtain target sending data and sends the target sending data to the common module;
and the common module transmits the target sending data to the server by using the communication connection.
An apparatus comprising a memory having stored therein a computer program and a processor executing the computer program to perform the steps of the secure communication method as claimed in any one of the preceding claims.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the secure communication method as set forth in any one of the preceding claims.
According to the scheme, the safe communication method, the device, the equipment and the storage medium provided by the invention receive the configuration parameters sent by the service execution program of the client through the common module running in the common execution environment in advance and forward the configuration parameters to the trusted module running in the trusted execution environment, the trusted module generates the session ID and determines the target resource associated with the session ID according to the configuration parameters, and the common module returns the session ID to the service execution program and establishes communication connection with the server; when a service execution program of a client needs to send data to a server, a common module receives a data sending request sent by the service execution program of the client, wherein the data sending request comprises a session ID and data to be sent; the data sending request is transmitted into the trusted module, so that the trusted module performs first security-related processing on data to be sent according to the target resource associated with the session ID, target sending data are obtained and sent to the common module; and transmitting the target transmission data to the server side by using the communication connection through the common module. Therefore, according to the secure communication scheme, the security-related processing under the trusted execution environment is independent from the service execution program, so that the service execution program does not need to carry codes of the security-related processing, code redundancy of the execution programs of different services is avoided, and system operation burden of the client is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of implementing secure communication based on a secure communication management service according to an embodiment of the present invention;
fig. 2 is a flowchart of an implementation of a secure communication method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a secure communication apparatus according to an embodiment of the present invention;
fig. 4 is a block diagram of a hardware structure of a terminal device according to an embodiment of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated herein.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
Aiming at the problems that in the prior art, each service is related to codes of data safety related operations, so that code redundancy is caused, and the system operation burden is large, the application provides a safety communication management service for providing a uniform interface for safety communication of the service, the safety communication management service provides multiple safety communication schemes aiming at communication requirements of different services, and provides a key generation and binding mode on the basis, and session management is performed on each communication process, so that unnecessary repetition caused by different service development is reduced. The scheme of the present application is explained below.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for implementing secure communication based on a secure communication management service according to an embodiment of the present invention.
The secure communication management service provided by the embodiment of the present application includes a normal module 11 (also referred to as an upper layer program) and a trusted module 12 (also referred to as a trusted execution program), where the normal module 11 operates in a normal execution environment, and the trusted module 12 operates in a trusted execution environment.
The client and the secure communication management service are both run in the terminal device.
Based on the secure communication management service provided by the embodiment of the present application, when a service execution program of a client needs to perform data communication with a server, a communication initialization process needs to be executed first, where the initialization process may include:
step S101: the service execution program of the client sends an initialization connection request to the generic module 11, where the initialization connection request carries configuration parameters, and the configuration parameters are used to determine target resources required for performing security-related processing (for convenience of distinguishing, denoted as first security-related processing).
The configuration parameter is a parameter pre-configured in the service execution program.
Step S102: the normal module 11 receives the initial connection request and transmits the configuration parameters to the trusted module 12. The normal module 11 may directly send the initialization connection request to the trusted module 12, and the trusted module 12 parses the configuration parameters from the initialization connection request, or the normal module 11 parses the configuration parameters from the initialization connection request and then sends the parsed configuration parameters to the trusted module 12.
The communication between the normal module 11 and the trusted module 12 can be driven by SMC (secure monitor call, secure mode or monitor mode) provided by the system of the terminal device, and the communication is mainly divided into the following steps:
1. the normal module 11 calls the InitializeContext function to initialize the interface context (steps that must be performed when the normal module 11 and the trusted module 12 communicate are rules of the system platform).
2. The normal module 11 calls an OpenSession function to open a session;
3. the ordinary module 11 calls an InvokeCommand function to transmit commands and data; the normal module 11 calls the invoke command function to transmit the configuration parameters to the trusted module 12.
Subsequently, if the normal module 11 no longer needs to transmit commands or data to the trusted module 12, the session may be closed and the interface context may be ended, i.e. the subsequent steps 4 and 5 are performed; if the normal module 11 needs to transmit a command or data to the trusted module 12, the session may be maintained, i.e. the subsequent steps 4, 5 are not executed for the moment, and the subsequent steps 4, 5 are executed again until the command or data transmission to the trusted module 12 is no longer needed.
4. The common module 11 calls a CloseSession function to close the session;
5. the generic module 11 calls the finalcontext function to end the interface context.
The above-mentioned calling process of each function may refer to some existing implementation manners, and is not described herein again.
Step S103: after receiving the configuration parameters, the trusted module 12 generates a session ID, determines a target resource required for performing the first security-related process according to the configuration parameters, and associates the target resource with the session ID.
The session ID is an ID having global uniqueness. The session ID may be generated based on the configuration parameters or may not be generated based on the configuration parameters, and the generation manner of the session ID is not specifically limited in the present application, as long as the session ID is guaranteed to have global uniqueness, for example, the session ID may be generated randomly.
In an alternative embodiment, the configuration parameters may include, but are not limited to, the following: security level, security scheme, key generation, etc. The target resource is a key which is generated according to a key generation mode specified by the configuration parameters and is matched with the security scheme, and the security level and the security scheme specified by the configuration parameters. The target resource may be stored in an attack-resistant memory provided by the trusted module 12, which attack-resistant memory is accessible only by the trusted module 12. Wherein the content of the first and second substances,
the security level is one of the following levels:
1. only performing signature processing, namely only performing signature processing on the transmitted instruction and/or data during the initial connection or the communication process, namely adding a data signature to the transmitted instruction and/or data;
2. only encryption processing is carried out, namely only encryption processing is carried out on transmitted instructions and/or data no matter during initial connection or during communication;
3. the method comprises the steps of signature adding processing during initial connection and encryption processing in a communication process;
4. and carrying out signature and encryption processing during initial connection and carrying out signature and encryption processing during communication.
The specific selected security level is determined according to the requirements of the service execution program.
The security scheme is the key length and algorithm mode used at the selected security level.
The algorithm mode mainly refers to an encryption algorithm mode and a signature algorithm mode. The encryption algorithm mode mainly refers to an encryption/decryption algorithm, a padding mode, and the like, for example, the encryption algorithm mode may be: the encryption/decryption algorithm is AES-CBC, and the padding mode is NoPadding. The signature algorithm pattern mainly refers to an add/verify signature algorithm, a HASH algorithm, a fill pattern, and the like, for example, the signature algorithm pattern may be: the signature adding/checking algorithm is RSA2048, the HASH algorithm is SHA-256, and the filling mode is PSSPadding.
It should be noted that the encryption/decryption algorithm AES-CBC, the padding mode NoPadding, the signature addition/verification algorithm RSA2048, the HASH algorithm SHA-256, the padding mode psspidding, and the like are only used as exemplary illustrations, and do not constitute a limitation to the embodiment of the present application, and which algorithm mode is specifically selected is determined according to the requirements of the service execution program.
In the embodiment of the application, the key required for signature adding/verifying is preset and is stored in the trusted module 12 and the server; the key required for encryption/decryption needs to be generated according to a key generation manner specified by the configuration parameters, and based on this, the key length in the above security scheme refers to the length of the encryption/decryption key. On the other hand, in the case of the security level 1, since no key is required, the key generation method and the key length in the configuration parameters are both null.
Optionally, the key generation method may be any one of the following:
1. and (3) random: each communication randomly generates a key. The connection establishment from the normal module 11 and the server is a communication process, in the process that the normal module 11 and the server are connected, a key used by each service execution program for sending an instruction and/or data to the server through the normal module 11 is a randomly generated key, after the random key is generated, the instruction and/or data are encrypted by using the random key every time the instruction and/or data are sent, and after the connection is terminated, the random key is invalidated.
2. And (3) storage: each communication uses a random key generated in advance based on the service execution program and the address of the server. In this way, the secure communication management service generates and stores a random key uniquely corresponding to the address of the service execution program and the address of the service end in advance, that is, different random keys are corresponding to different addresses of different service execution programs and the service end. In the process that the common module 11 is connected with the server, each time the service execution program sends an instruction and/or data to the server through the common module 11, the common module 11 uses a random key uniquely corresponding to the address of the service execution program and the address of the server. The service execution programs include service execution programs of clients in different terminal devices and service execution programs of different clients in the same terminal device, and the different service execution programs can be distinguished through Key tokens (keys) of the service execution programs. The addresses of different servers are the Uniform Resource Locators (URLs) of different servers. In this method, a random key is generated and stored based on the addresses of the service execution program and the server at the time of the first communication, and then, at each time of the subsequent communication, the stored key may be directly read without generating the random key based on the addresses of the service execution program and the server.
3. Presetting: each communication uses a key preset in the terminal device before shipment and associated with a fixed service execution program and a server address, i.e., a preset key. In this way, before the terminal device leaves the factory, a key associated with a fixed service execution program and a server address is preset. In the former method, a random key uniquely corresponding to the address of the service execution program and the address of the service end is generated by the secure communication management service and stored. The difference from the method 2 is that in this method, a terminal device manufacturer presets a random key uniquely corresponding to the service execution program and the address of the service end.
Step S104: the trusted module 12 returns the session ID to the generic module 11.
When the key generation method is the above-mentioned 1 st key generation method, or when the first communication is performed based on the above-mentioned 2 nd key generation method, in addition to the session ID, the trusted module 12 may encrypt the key in the target resource by using a preset signing/verifying key, and return the encrypted key to the normal module 11, that is, distribute the key in the target resource to the normal module 11 by using the preset signing/verifying key. Or, the key in the target resource is distributed to the normal module 11 by the preset signature adding/verifying key, and other resources except the key in the target resource are returned to the normal module 11.
Step S105: after receiving the session ID, the generic module 11 sends the session ID to the service execution program of the client, establishes a communication connection (e.g., socket connection, etc.) with the server, and associates the communication connection with the session ID. Generally, information of communication connection needs to be stored in the communication process, and mainly includes a communication handle and the like, so that the communication handle of the communication connection can be associated with the session ID. The common module 11 may first send the session ID to the service execution program of the client, and then establish communication connection with the server, or the common module 11 may first establish communication connection with the server and then send the session ID to the service execution program of the client, or the common module 11 establishes communication connection with the server while sending the session ID to the service execution program of the client.
After the common module 11 establishes communication connection with the server, the service execution program of the client can establish communication connection with the server through the common module 11 based on the received session ID to realize communication with the server.
After receiving the encrypted key returned by the trusted module 12, the normal module 11 also sends the encrypted key to the server, thereby realizing the purpose of distributing the key in the target resource to the server. In this case, the server may preset the configuration parameter, so that the server may determine, based on the configuration parameter, other resources than the key in the target resource. In the method, after the server receives the encrypted key, the encrypted key is decrypted by using a locally preset encryption/signature verification key, the decrypted key and other resources generated by the server form a local target resource of the server, and the target resource can be used for decrypting received data or encrypting data to be sent.
Alternatively, the first and second electrodes may be,
after receiving the encrypted key and other resources in the target resource returned by the trusted module 12, the common module 11 sends the encrypted key and other resources in the target resource to the server, thereby realizing the purpose of delivering the target resource to the server. In this case, the server does not need to preset the configuration parameters. The server decrypts the encrypted key by using the locally preset encryption/signature verification key, and uses the decrypted key and the received other resources as local target resources, obviously, in this way, the local target resources of the server are all sent by the common module 11.
As shown in table 1, the correspondence between the security level, the signature encryption/decryption key generation method, and the encryption/decryption key generation method provided in the embodiment of the present application is:
TABLE 1
Level of security Signature adding/checking key generation mode Encryption/decryption key generation method
1 encryption only Preset
2 additional labels Preset
3-connection signing communication encryption Preset Preset/save/random
4 signature encryption Preset Preset/save/random
It should be noted that the key generated based on the "save" mode supports the "only encryption" security level, that is, the key generated based on the "save" mode can be used as the encryption/decryption key under the "only encryption" security level.
The communication initialization process may be implemented by a service execution program of the client calling a communication initialization interface SecLink _ Init provided by the secure communication management service.
The following describes a specific implementation process of the secure communication between the service execution program of the client and the server according to the present application. As shown in fig. 1, the process of sending data to the server by the service execution program of the client may include:
step S111: the service execution program of the client sends a data transmission request to the common module 11, where the data transmission request includes a session ID and data to be transmitted.
Step S112: the normal module 11 transmits a data transmission request to the trusted module 12.
Step S113: the trusted module 12 analyzes the sending request to obtain a session ID and data to be sent, and then performs a first security-related process on the data to be sent according to a target resource associated with the session ID to obtain target sending data. The first security-related processing is to perform signing and/or encryption processing on data to be transmitted under a security level specified in the target resource by using the key in the target resource and adopting a security scheme in the target resource. The first security-related processing may be performed by the open source software package OpenSSL built into the trusted module 12 or by a system-provided interface.
Step S114: the trusted module 12 transmits the target transmission data to the normal module 11.
Step S115: the normal module 11 transmits the target transmission data to the server by using the communication connection associated with the session ID. After receiving the target sending data, the server side can decrypt and/or check the tag of the target data based on local target resources, so as to obtain plaintext data.
Optionally, when the configuration parameter indicates that the key generation manner is the 2 nd type or the 3 rd type, the data transmission request may further include a key token of the service program and an address of the service end, so as to determine a corresponding key according to the key token of the service program and the address of the service end.
As shown in table 2, an example of a correspondence relationship between a key token of a business program and an address of a server and a key is provided in the embodiment of the present application.
TABLE 2
Figure BDA0002623631940000101
In the column "yes" in the "modifiable or not" section, the key is generated in the 2 nd key generation manner, that is, a random key uniquely corresponding to the address of the service execution program and the address of the service end is generated and stored by the secure communication management service. "no" means that the key is generated in the 3 rd key generation manner, i.e., the terminal device is shipped from the factory.
The process of sending data to the server by the service execution program of the client may be implemented by the service execution program of the client calling a data sending interface SecLink _ Send provided by the secure communication management service.
As an example, the configuration parameters may include the following items:
and (4) safety level: only encryption processing is carried out;
the safety scheme is as follows: the encryption/decryption algorithm is AES-CBC, and the filling mode is NoPadding;
key generation mode: the encryption/decryption key is preset.
The target resource determined according to the configuration parameter is: reading a pre-configured encryption/decryption key; only encryption processing is carried out; the encryption/decryption algorithm is AES-CBC, and the padding mode is NoPadding.
Performing the first security-related process based on the target resource may include: when initializing connection or in communication process, only encrypting transmitted command and/or data, the encrypting process is as follows: and encrypting the transmitted instruction or data by using the pre-configured encryption/decryption key and adopting an AES-CBC encryption/decryption algorithm and a NoPadding padding mode.
As another example, the configuration parameters may include the following items:
and (4) safety level: the method comprises the steps of signature adding processing during initial connection and encryption processing in a communication process;
the safety scheme is as follows: the key length is 128; the encryption/decryption algorithm is AES-CBC, and the filling mode is NoPadding; the signature adding and signature checking algorithm is RSA2048, the HASH algorithm is SHA-256, and the filling mode is PSSPadding;
key generation mode: presetting an encryption/verification key, and randomly generating an encryption/decryption key.
The target resource determined according to the configuration parameter is: the encryption/decryption key is randomly generated, the encryption/decryption key is distributed to a service end by a preset encryption/verification key when connection is initialized, and the encryption/decryption key is used for encrypting transmitted data in the communication process; the encryption/decryption algorithm is AES-CBC, and the filling mode is NoPadding; the signature adding and signature checking algorithm is RSA2048, the HASH algorithm is SHA-256, and the filling mode is PSSPadding.
Performing the first security-related process based on the target resource may include: when initializing connection, the key in the target resource is distributed to the server by using the preset signature adding/checking key, and other data or instructions needing to be transmitted when initializing connection are subjected to signature adding processing by using the preset signature adding/checking key, wherein the specific processing process is as follows: the method comprises the steps that a preset 2048-bit signature adding/verifying key is used, an RSA2048 signature adding and verifying algorithm, an SHA-256HASH algorithm and a PSSPadding filling mode are adopted to carry out signature adding and key distribution on instructions and/or data (including encryption/decryption keys) transmitted in an initialization connection process (the key distribution refers to distribution of the encryption/decryption keys); in the process of utilizing the established connection communication, encryption processing is carried out on the transmitted instruction and/or data, and the encryption processing process is as follows: and encrypting the instructions and/or data transmitted in the communication process by using a randomly generated 128-bit encryption/decryption key and adopting an AES-CBC encryption/decryption algorithm and a NoPadding padding mode.
Further, the normal module 11 generally receives a return message from the server after transmitting the target transmission data to the server. As shown in fig. 1, the process of the service execution program of the client receiving the return information of the server may include:
step S121: the common module 11 receives response data returned by the server for the target sending data through the communication connection associated with the session ID; the response data is obtained by performing first safety-related processing on the feedback data by using local target resources after the server side obtains the feedback data aiming at the target sending data. The process of performing the first safety-related processing on the feedback data may refer to the foregoing process of performing the first safety-related processing on the data to be transmitted, which is not described herein again.
Step S122: the normal module 11 transmits the session ID and the response data to the trusted module 12;
step S123: the trusted module 12 performs security-related processing (for convenience of distinction, referred to as second security-related processing) on the response data according to the target resource associated with the session ID, to obtain feedback data. The second security-related process is to decrypt and/or verify the response data using the target resource.
Step S124: the trusted module 12 transmits the feedback data to the generic module 11.
Step S125: the generic module 11 transmits the feedback data to the service execution program of the client.
And if the service execution program of the client needs to interact with the server, returning to execute the steps S111-S115 and the steps S121-S125.
The process of receiving the return information of the server by the service execution program of the client may be implemented by calling a data receiving interface SecLink _ Receive provided by the secure communication management service by the service execution program of the client.
If the business executive of the client no longer needs to interact with the server, the session can be ended. As illustrated in fig. 1, the process of ending the session may include:
step S131: a service execution program of the client sends a communication ending request carrying a session ID to the common module 11;
step S132: after receiving the communication end request, the common module 11 sends a request for disconnecting the communication connection to the server through the communication connection corresponding to the session ID;
step S133: after receiving the request for disconnecting the communication connection, the server disconnects the communication connection with the normal module 11. Optionally, before the communication connection with the general module 11 is disconnected, a response message indicating that the disconnection is successful may be fed back to the general module 11, and after the response message indicating that the disconnection is successful is sent for a period of time, the communication connection is disconnected.
Step S134: after determining to disconnect the communication connection with the server, the normal module 11 sends a resource deletion request carrying the session ID to the trusted module 12.
Step S135: after receiving the resource deletion request, the trusted module 12 deletes the target resource associated with the session ID.
Step S136: the trusted module 12 sends feedback information representing that the deletion of the resource is completed to the normal module 11.
Step S137: after receiving the feedback information of the deleted resource, the common module 11 sends feedback information representing the end of communication to the service execution program of the client.
The process of ending the session may be implemented by a service execution program of the client calling a communication ending interface SecLink _ Finish provided by the secure communication management service.
Based on the above scheme for implementing secure communication based on the secure communication management service, an implementation flowchart of the secure communication method provided in the embodiment of the present application is shown in fig. 2, and may include:
step S21: a data transmission request sent by a service execution program of a client is received through a common module 11 running in a common execution environment, and the data transmission request comprises a session ID and data to be transmitted.
Wherein the content of the first and second substances,
the session ID is generated in advance in a communication initialization process including: the normal module 11 transmits the received configuration parameters sent by the service execution program to the trusted module 12 operating in the trusted execution environment, so that the trusted module 12 generates the session ID and determines the target resource associated with the session ID according to the configuration parameters, the normal module 11 returns the session ID to the service execution program of the client, and the communication connection associated with the session ID is established with the server.
Step S22: the data sending request is transmitted to the trusted module 12 through the normal module 11, so that the trusted module 12 performs first security-related processing on data to be sent according to the target resource associated with the session ID, obtains target sending data, and sends the target sending data to the normal module.
Step S23: the target transmission data is transmitted to the server side by the normal module 11 using the communication connection associated with the session ID.
The above steps S21-S22 may be implemented by the service execution program of the client calling the data transmission interface SecLink _ Send provided by the secure communication management service.
In the embodiment of the application, the service execution program of the client only needs to carry the configuration parameters, but does not need to carry safety-related processing codes, and when the communication with the server is needed, the safety connection with the server can be established through the safety communication management server only by sending the configuration parameters to the common module 11 of the safety communication management service, so that the code redundancy of different service execution programs is reduced, and the system operation burden of the client is lightened.
The composition of the configuration parameters can refer to the foregoing embodiments, and details are not repeated here.
In an optional embodiment, the secure communication method may further include:
response data returned by the server end response target sending data is received through the common module 11, and the response data and the session ID are transmitted into the trusted module 12, so that the trusted module 12 performs second safety related processing on the response data according to target resources associated with the session ID, obtains feedback data and sends the feedback data to the common module 11.
And returning the feedback data to the service execution program of the client through the common module 11.
In an optional embodiment, the secure communication method may further include:
receiving a communication ending request sent by the service execution program through the common module;
after the communication connection with the server is disconnected based on the communication end request through the normal module 11, a resource deletion request carrying the session ID is sent to the trusted module 12, so that the trusted module 12 deletes the target resource associated with the session ID.
Corresponding to the method embodiment, an embodiment of the present application further provides a secure communication device, and a schematic structural diagram of the secure communication device provided in the embodiment of the present application is shown in fig. 3, and the secure communication device may include:
a normal module 11 running in a normal execution environment and a trusted module 12 running in a trusted execution environment; wherein the content of the first and second substances,
the common module 11 receives a data transmission request sent by a service execution program of a client, where the data transmission request includes a session ID and data to be transmitted; the session ID is generated in advance in a communication initialization process including: the common module 11 transmits the received configuration parameters sent by the service execution program to the trusted module 12, so that the trusted module 12 generates the session ID and determines the target resource associated with the session ID according to the configuration parameters; the ordinary module 12 returns the session ID to the service execution program, and establishes a communication connection associated with the session ID with the server;
the common module 11 transmits the data sending request to the trusted module 12, so that the trusted module 12 performs first security-related processing on the data to be sent according to the target resource to obtain target sending data and sends the target sending data to the common module 11;
the generic module 11 sends the target sending data to the server using the communication connection associated with the session ID.
According to the safe communication device, the service executive program of the client only needs to carry the configuration parameters, and does not need to carry safety-related processing codes, when the safe communication device needs to communicate with the server, the safe connection with the server can be established through the safe communication management server only by sending the configuration parameters to the common module 11 of the safe communication management service, so that the code redundancy of different service executive programs is reduced, and the system operation burden of the client is relieved.
In an optional embodiment, the configuration parameters include: security level, security scheme, and key generation.
In an alternative embodiment, the security level is one of the following levels: only the processing of adding labels is carried out; only encryption processing is carried out; only adding a label when initializing connection, and encrypting in the communication process; signing and encrypting processing is carried out during initialization connection, and signing and encrypting processing are carried out in the communication process;
the security scheme is a key length and an algorithm mode used under a selected security level;
the key generation mode is any one of the following modes: randomly generating a secret key for each communication; each communication uses a random key which is generated in advance based on a service executive program and the address of a service end; the preset key is used for each communication, the preset key is associated with a fixed service execution program and a service end address, and the equipment is preset in the equipment before leaving a factory.
In an optional embodiment, the key generation manner is that when a preset key is used for each communication, or a random key generated in advance corresponding to a service execution program and an address of a server is used for each communication, the data transmission request further includes: the key token of the service execution program and the address of the server.
In an alternative embodiment, the general module 11 may further be configured to:
receiving response data returned by the server in response to the target sending data, and transmitting the response data and the session ID to the trusted module 12, so that the trusted module 12 performs second security-related processing on the response data according to the target resource to obtain feedback data and sends the feedback data to the common module 11;
the generic module 11 returns the feedback data to the service execution program.
In an alternative embodiment, the general module 11 may further be configured to:
receiving a communication ending request sent by the service execution program;
and after the communication connection with the server is disconnected based on the communication ending request, sending a resource deleting request carrying the session ID to the trusted module 12, so that the trusted module 12 can delete the target resource associated with the session ID.
In an optional embodiment, the service execution program implements the communication initialization process by calling a preset communication initialization interface;
the service execution program transmits the data transmission request to the general module 11 by calling a preset data transmission interface.
The secure communication device provided by the embodiment of the application can be applied to terminal equipment, such as a PC terminal, a mobile phone and the like. Optionally, fig. 4 shows a block diagram of a hardware structure of the terminal device, and referring to fig. 4, the hardware structure of the terminal device may include: at least one processor 1, at least one communication interface 2, at least one memory 3 and at least one communication bus 4;
in the embodiment of the application, the number of the processor 1, the communication interface 2, the memory 3 and the communication bus 4 is at least one, and the processor 1, the communication interface 2 and the memory 3 complete mutual communication through the communication bus 4;
the processor 1 may be a central processing unit CPU, or an application Specific Integrated circuit asic, or one or more Integrated circuits configured to implement embodiments of the present invention, etc.;
the memory 3 may include a high-speed RAM memory, and may further include a non-volatile memory (non-volatile memory) or the like, such as at least one disk memory;
wherein the memory stores a program and the processor can call the program stored in the memory, the program for:
receiving a data sending request sent by a service execution program of a client through a common module running in a common execution environment, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: transmitting the received configuration parameters sent by the service execution program to a trusted module running in a trusted execution environment through the common module, so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; returning the session ID to the service execution program through the common module, and establishing communication connection associated with the session ID with a server;
the data sending request is transmitted to the trusted module through the common module, so that the trusted module performs first safety related processing on the data to be sent according to the target resource associated with the session ID to obtain target sending data and sends the target sending data to the common module;
and sending the target sending data to the server side by the common module by utilizing the communication connection.
Alternatively, the detailed function and the extended function of the program may be as described above.
Optionally, an embodiment of the present application further provides a storage medium, where the storage medium may store a program adapted to be executed by a processor, where the program is configured to:
receiving a data sending request sent by a service execution program of a client through a common module running in a common execution environment, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: transmitting the received configuration parameters sent by the service execution program to a trusted module running in a trusted execution environment through the common module, so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; returning the session ID to the service execution program through the common module, and establishing communication connection associated with the session ID with a server;
the data sending request is transmitted to the trusted module through the common module, so that the trusted module performs first safety related processing on the data to be sent according to the target resource associated with the session ID to obtain target sending data and sends the target sending data to the common module;
and sending the target sending data to the server side by the common module by utilizing the communication connection.
Alternatively, the detailed function and the extended function of the program may be as described above.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed system (if any), apparatus and method may be implemented in other ways. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
It should be understood that the embodiments of the present invention can be combined with each other from the drawings, the embodiments and the features to solve the above technical problems.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A secure communication method, comprising:
receiving a data sending request sent by a service execution program of a client through a common module running in a common execution environment, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: transmitting the received configuration parameters sent by the service execution program to a trusted module running in a trusted execution environment through the common module, so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; returning the session ID to the service execution program through the common module, and establishing communication connection associated with the session ID with a server;
the data sending request is transmitted to the trusted module through the common module, so that the trusted module can perform first safety related processing on the data to be sent according to the target resource to obtain target sending data and send the target sending data to the common module;
and sending the target sending data to the server side by the common module by utilizing the communication connection.
2. The method of claim 1, wherein the configuration parameters comprise: security level, security scheme, and key generation.
3. The method of claim 2, wherein the security level is one of the following: only the processing of adding labels is carried out; only encryption processing is carried out; only adding a label when initializing connection, and encrypting in the communication process; signing and encrypting processing during connection initialization and signing and encrypting processing during communication;
the security scheme is a key length and an algorithm mode used under a selected security level;
the key generation mode is any one of the following modes: randomly generating a secret key for each communication; each communication uses a random key which is generated in advance based on a service executive program and the address of a service end; the preset key is used for each communication, and the preset key is associated with a fixed service execution program and a server address and is preset in the equipment before the equipment leaves a factory.
4. The method according to claim 3, wherein the key generation mode is that a preset key is used for each communication, or a random key generated in advance corresponding to the service execution program and the address of the service end is used for each communication, and the data transmission request further comprises: the key token of the service execution program and the address of the server.
5. The method of claim 1, further comprising:
receiving response data returned by the server end responding to the target sending data through the common module, and transmitting the response data and the session ID into the trusted module, so that the trusted module performs second safety related processing on the response data according to the target resource to obtain feedback data and sends the feedback data to the common module;
and returning the feedback data to the service execution program through the common module.
6. The method of claim 1, further comprising:
receiving a communication ending request sent by the service execution program through the common module;
and the common module disconnects the communication connection with the server based on the communication ending request, and sends a resource deleting request carrying the session ID to the trusted module, so that the trusted module can delete the target resource associated with the session ID conveniently.
7. The method of claim 1,
the service execution program realizes the communication initialization process by calling a preset communication initialization interface;
and the service execution program transmits the data sending request to the common module by calling a preset data sending interface.
8. A secure communications device, comprising: the system comprises a common module running in a common execution environment and a trusted module running in a trusted execution environment; wherein the content of the first and second substances,
the common module receives a data sending request sent by a service execution program of a client, wherein the data sending request comprises a session ID and data to be sent; the session ID is generated in advance in a communication initialization process including: the common module transmits the received configuration parameters sent by the service execution program to the trusted module so that the trusted module generates the session ID and determines target resources associated with the session ID according to the configuration parameters; the common module returns the session ID to the service execution program and establishes communication connection associated with the session ID with a server;
the common module transmits the data sending request to the trusted module, so that the trusted module performs first safety related processing on the data to be sent according to the target resource to obtain target sending data and sends the target sending data to the common module;
and the common module transmits the target transmission data to the server by using the communication connection associated with the session ID.
9. A secure communication apparatus comprising a memory in which a computer program is stored and a processor that executes the computer program to implement the steps of the secure communication method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the secure communication method according to any one of claims 1 to 7.
CN202010790642.1A 2020-08-07 2020-08-07 Secure communication method, device, equipment and storage medium Active CN111885091B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010790642.1A CN111885091B (en) 2020-08-07 2020-08-07 Secure communication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010790642.1A CN111885091B (en) 2020-08-07 2020-08-07 Secure communication method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111885091A CN111885091A (en) 2020-11-03
CN111885091B true CN111885091B (en) 2022-04-29

Family

ID=73211903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010790642.1A Active CN111885091B (en) 2020-08-07 2020-08-07 Secure communication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111885091B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965340A (en) * 2021-08-30 2022-01-21 广东南方通信建设有限公司 Cross-platform data migration method, system and readable medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106454528A (en) * 2015-08-07 2017-02-22 阿里巴巴集团控股有限公司 Service processing method based on trusted execution environment and client side
CN106997439A (en) * 2017-04-01 2017-08-01 北京元心科技有限公司 TrustZone-based data encryption and decryption method and device and terminal equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8935746B2 (en) * 2013-04-22 2015-01-13 Oracle International Corporation System with a trusted execution environment component executed on a secure element
CN109218260B (en) * 2017-07-03 2020-11-06 深圳市中兴微电子技术有限公司 Trusted environment-based authentication protection system and method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106454528A (en) * 2015-08-07 2017-02-22 阿里巴巴集团控股有限公司 Service processing method based on trusted execution environment and client side
CN106997439A (en) * 2017-04-01 2017-08-01 北京元心科技有限公司 TrustZone-based data encryption and decryption method and device and terminal equipment

Also Published As

Publication number Publication date
CN111885091A (en) 2020-11-03

Similar Documents

Publication Publication Date Title
CN100581097C (en) System and method for data transmission between two computers
US8938074B2 (en) Systems and methods for secure communication using a communication encryption bios based upon a message specific identifier
US7978858B2 (en) Terminal device, group management server, network communication system, and method for generating encryption key
CN113497778A (en) Data transmission method and device
CN105337935A (en) Method of establishing long connection of client and server and apparatus thereof
CN104917807A (en) Resource transfer method, apparatus and system
CN104836784A (en) Information processing method, client, and server
JP2008535427A (en) Secure communication between data processing device and security module
CN111970114A (en) File encryption method, system, server and storage medium
CN104767766A (en) Web Service interface verification method, Web Service server and client side
CN102546240B (en) Network communication method, network communicating system and network communication device
CN103856938B (en) A kind of method of encrypting and decrypting, system and equipment
CN113613227B (en) Data transmission method and device of Bluetooth equipment, storage medium and electronic device
CN111885091B (en) Secure communication method, device, equipment and storage medium
CA2561644C (en) A method to leverage a secure device to grant trust and identity to a second device
CN114499990A (en) Vehicle control method, device, equipment and storage medium
US20170324560A1 (en) Method and Server for Providing Transaction Keys
CN111901287B (en) Method and device for providing encryption information for light application and intelligent equipment
CN111553686A (en) Data processing method and device, computer equipment and storage medium
CN110636503A (en) Data encryption method, device, equipment and computer readable storage medium
EP4206906A1 (en) Processing system and method for updating firmware online
CN105100030A (en) Access control method, system and device
CN110034927B (en) Communication method and device
CN114501591A (en) Intelligent equipment network access method and device and computer readable storage medium
CN103179088A (en) Protection method and protection system of common gateway interface business

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 4 / F, building 1, No.14 Jiuxianqiao Road, Chaoyang District, Beijing 100020

Applicant after: Beijing Jingwei Hengrun Technology Co., Ltd

Address before: 8 / F, block B, No. 11, Anxiang Beili, Chaoyang District, Beijing 100101

Applicant before: Beijing Jingwei HiRain Technologies Co.,Ltd.

GR01 Patent grant
GR01 Patent grant