CN112616139B - Data transmission method, electronic equipment and computer readable storage medium - Google Patents
Data transmission method, electronic equipment and computer readable storage medium Download PDFInfo
- Publication number
- CN112616139B CN112616139B CN202011475037.1A CN202011475037A CN112616139B CN 112616139 B CN112616139 B CN 112616139B CN 202011475037 A CN202011475037 A CN 202011475037A CN 112616139 B CN112616139 B CN 112616139B
- Authority
- CN
- China
- Prior art keywords
- communication
- client
- response code
- communication client
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application discloses a data transmission method, electronic equipment and a computer readable storage medium, wherein the method is applied to a first device for transmitting data to a second device, the first device is provided with a first communication client and a first application client, the second device is provided with a second communication client and a second application client, and the method comprises the following steps: a first communication client side obtains a communication key for identity authentication with a second communication client side; performing identity authentication on a first application client associated with a first communication client by using a communication key; and if the identity authentication of the first application client is successful, transmitting the data of the first application client to the second communication client based on the communication key so that the second communication client transmits the data to the second application client. By means of the mode, the data transmission safety can be improved.
Description
Technical Field
The present application relates to the field of communication security technologies, and in particular, to a data transmission method, an electronic device, and a computer-readable storage medium.
Background
In recent years, more and more IOT (Internet of Things) devices establish communication connection with electronic devices such as smartphones, smartwatches, and tablet computers through near field communication. The near field communication protocols such as BLE, BR/EDR, wiFi Direct and the like provide the capability of identity authentication and secure transmission from device to device.
Disclosure of Invention
A first aspect of the embodiments of the present application provides a data transmission method, which is applied to a first device to transmit data to a second device, where the first device is installed with a first communication client and a first application client, and the second device is installed with a second communication client and a second application client, and the method includes: a first communication client side obtains a communication key for identity authentication with a second communication client side; performing identity authentication on a first application client associated with a first communication client by using a communication key; and if the identity authentication of the first application client is successful, transmitting the data of the first application client to the second communication client based on the communication key so that the second communication client transmits the data to the second application client.
A second aspect of the embodiments of the present application provides a data transmission method, which is applied to a first device to transmit data to a second device, where the first device is installed with a first communication client and a first application client, and the second device is installed with a second communication client and a second application client, and the method includes: the second communication client side obtains a communication key for identity authentication with the first communication client side; performing identity authentication on a first application client associated with a first communication client by using a communication key; and if the identity authentication of the first application client is successful, receiving the transmission data of the first application client sent by the first communication client based on the communication key, and transmitting the data of the first application client to the second application client.
A third aspect of the embodiments of the present application provides an electronic device, which includes a processor and a memory connected to the processor, where the memory is used to store program data, and the processor is used to execute the program data to implement the foregoing method.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, in which program data are stored, and when the program data are executed by a processor, the program data are used to implement the foregoing method.
The beneficial effect of this application is: different from the situation of the prior art, the method and the device have the advantages that the communication key for performing identity authentication with the second communication client is obtained through the first communication client, then the first application client associated with the first communication client is subjected to identity authentication through the communication key, and after the first application client is successfully subjected to the identity authentication, the data of the first application client is transmitted to the second communication client based on the communication key, so that the second communication client transmits the data to the second application client, the data transmission between the first application client on the first device and the second application client on the second device is realized, the data transmission between the application layers must pass through the identity authentication before the data transmission is performed, and the safety of the data transmission is improved.
Drawings
In order to more clearly illustrate the technical solutions in the present application, the drawings required in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor. Wherein:
fig. 1 is a schematic flowchart of an embodiment of a data transmission method provided in the present application;
FIG. 2 is an interaction diagram of a first device and a second device provided herein;
fig. 3 is a schematic flowchart of another embodiment of a data transmission method provided in the present application;
fig. 4 is an interaction diagram of a first communication client and a second communication client provided in the present application;
fig. 5 is a schematic flowchart of an embodiment of step S25 in the data transmission method provided in the present application;
fig. 6 is a schematic flowchart of an embodiment of step S26 in the data transmission method provided in the present application;
fig. 7 is a schematic flowchart of a data transmission method according to another embodiment of the present application;
fig. 8 is a schematic flowchart of an embodiment of step S52 in the data transmission method provided in the present application;
fig. 9 is a flowchart illustrating an embodiment of step S53 in the data transmission method provided in the present application
FIG. 10 is a block diagram of an embodiment of an electronic device provided herein;
FIG. 11 is a block diagram of an embodiment of a computer storage medium provided herein.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The terms "first" and "second" in this application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless explicitly specifically limited otherwise. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein may be combined with other embodiments.
At present, a plurality of application clients are often installed on an electronic device, and a general solution for performing identity authentication between applications of a cross-device application is not provided in a near field communication protocol. For two paired devices, if identity authentication is not performed on an application layer, any application running on the devices can perform near field communication with an application of an opposite-end device; in a more serious case, once a user installs a malicious application, the malicious application can easily construct data to communicate with the peer device once knowing a communication protocol, and here, confidentiality of data transmission is damaged. Therefore, the application provides a data transmission method, and the safety of data transmission between applications can be improved by performing identity authentication on the applications before data transmission.
Referring to fig. 1, fig. 1 is a schematic flowchart of an embodiment of a data transmission method provided by the present application, and fig. 2 is an interaction schematic diagram of a first device and a second device provided by the present application.
In this embodiment, the data transmission method is applied to a first device to transmit data to a second device, where the first device is installed with a first communication client and a first application client, and the second device is installed with a second communication client and a second application client.
Optionally, in the first device, the number of the first communication clients and the first application clients is not limited; the number of second communication clients and second application clients in the second device is not limited.
As shown in fig. 2, in some embodiments, a first device may be equipped with one first communication client and a plurality (1-n) of first application clients, and a second device may be equipped with one second communication client and a plurality (1-n) of second application clients. The first application client is in communication connection with the first communication client, and the first communication client is in communication connection with the second communication client so as to transmit data of the first application client to the second communication client. The second communication client is connected with the second application client, so that data sent by the first communication client can be sent to the second application client, data transmission between the first application client and the second application client is achieved, and the first application client is associated with the first communication client, so that after the first communication client successfully authenticates the identity, the first application client can be indicated to be successful in identity authentication, namely, the first application client is a safe application client, and the safety of data transmission between application layers can be improved.
It should be noted that the communication client is a generic name of the first communication client and the second communication client, and the application client is a generic name of the first application client and the second application client. Wherein the first and second differences are that the location where the communication client or the application client is installed is different.
The communication client is used for communicating with communication clients on other electronic equipment so as to realize secure data transmission on an application level. The communication client is not limited to be integrated with near field communication functions such as WiFi, mesh, bluetooth (BLE, BR/EDR), zigBee, thread, Z-Wave, NFC, UWB, liFi and Hilink. The Bluetooth is taken as an example, the communication client can be specifically a Bluetooth communication client, and the electronic device can establish Bluetooth communication connection and identity authentication of the application client through the Bluetooth communication client, so that data transmission safety can be improved while data transmission is performed through the Bluetooth.
The application client can be used for realizing various functions, for example, a music client can be used for playing music, a mail client can be used for sending and receiving mails, and a user can select the application client to be installed according to actual needs. Taking a mobile phone as an example, generally, a system client and a non-system client are installed on the mobile phone, where the system client is an application client installed by an operator of the mobile phone before the mobile phone leaves a factory, and the non-system client is an application client installed after the mobile phone leaves the factory. It can be appreciated that in some embodiments, because the system client is an application client that has been installed by an operator of the mobile phone before the mobile phone leaves a factory, the system client can be considered as a secure and trustworthy application client, so the electronic device can default the system client as an application client associated with the communication client; or, the system client and the application client can be associated before the mobile phone leaves the factory. Application clients are not limited to include WeChat, QQ, cybercoin, nailing, and Taobao.
Based on the electronic equipment, the data transmission method can comprise the following steps:
step S11: the first communication client acquires a communication key for identity authentication with the second communication client.
The communication key can be used for the first communication client and the second communication client to perform identity authentication. In the data transmission process, the first communication client is an initiator of data transmission, and the second communication client is a receiver of the data transmission.
Alternatively, the communication key may be stored in a server local or remote to the electronic device.
Step S12: and performing identity authentication on the first application client associated with the first communication client by using the communication key.
If the first communication client and the second communication client are successfully authenticated, the first application client associated with the first communication client is also successfully authenticated.
In some embodiments, the first application client may establish an association with the first communication client in advance, for example, may register in a background official website of the first communication client, and the first application client that successfully registered establishes an association with the first communication client.
In an application scenario, when the first application client needs to perform data transmission, the first application client may perform authentication to the first communication client, and if the first application client is an application client associated with the first communication client, the authentication is successful, so that data transmission may be performed through the first communication client.
Optionally, the first communication client may perform identity authentication with the second communication client by using a communication key in combination with the challenge response. The challenge response is that the first communication client sends a "challenge" string to the second communication client, and the second communication client makes a corresponding "response" after receiving the "challenge" string.
Step S13: and if the identity authentication of the first application client is successful, transmitting the data of the first application client to the second communication client based on the communication key so that the second communication client transmits the data to the second application client.
After the first application client is successfully authenticated, the first communication client can transmit the data of the first application client to the second communication client, and then the second communication client transmits the data to the second application client, so that the data transmission between the first application client on the first device and the second application client on the second device can be realized, and the data transmission between the application layers must pass the authentication before the data transmission, thereby improving the security of the data transmission.
According to the scheme, the first communication client side obtains the communication key for identity authentication with the second communication client side, then identity authentication is carried out on the first application client side associated with the first communication client side through the communication key, after the first application client side succeeds in identity authentication, data of the first application client side are transmitted to the second communication client side based on the communication key, so that the second communication client side transmits the data to the second application client side, data transmission between the first application client side on the first device and the second application client side on the second device is achieved, the identity authentication needs to be passed before data transmission between application layers, and safety of data transmission is improved.
Referring to fig. 3 to 4, fig. 3 is a schematic flowchart of another embodiment of a data transmission method provided by the present application, and fig. 4 is an interaction diagram of a first communication client and a second communication client provided by the present application.
In this embodiment, the data transmission method is applied to a first device to transmit data to a second device, where the first device is installed with a first communication client and a first application client, and the second device is installed with a second communication client and a second application client, and for the description of this part, please refer to the corresponding positions in the above embodiments, which is not described herein again.
In contrast, in the present embodiment, the communication key is generated by dynamic negotiation between the first device and the second device. In some embodiments, the process of dynamically negotiating the communication key by the first device and the second device may include steps S21, S22, and S23.
In this embodiment, the data transmission method may include the following steps:
step S21: the first device is paired for near field communication with the second device.
Alternatively, near field communication is not limited to include WiFi Direct, mesh, bluetooth (BLE, BR/EDR), zigBee, thread, Z-Wave, NFC, UWB, liFi, and Hilink.
It can be understood that the pairing modes corresponding to different near field communication modes may be different. For example, wiFi and bluetooth may be paired by inputting a pairing password, and if the first device or the second device is connected to WiFi and bluetooth of the opposite end and a correct pairing password is input, the pairing is successful; in addition, NFC can automatically perform communication pairing by the proximity of two devices.
In an application scenario, taking bluetooth as an example, the smart speaker (second device) starts bluetooth, the mobile phone (first device) initiates bluetooth connection to the smart speaker by searching and selecting a bluetooth broadcast of the smart speaker, if both pairing parties input correct pairing passwords, the mobile phone and the smart speaker are successfully paired, otherwise, the mobile phone and the smart speaker are failed to be paired.
Step S22: and if the near field communication pairing of the first equipment and the second equipment is successful, the first equipment and the second equipment adopt a preset key negotiation algorithm to negotiate so as to obtain a communication key.
In particular, after the first device and the second device are paired successfully in near field communication, the first device and the second device may initiate one communication to negotiate a communication key. In this embodiment, the communication Key is denoted as KSC (Key of Safe Connection).
The preset key agreement algorithm is, for example, a key agreement algorithm such as DH (Diffie-Hellman) algorithm and RSA algorithm.
Step S23: the communication key is stored.
In some embodiments, the communication key may be stored to a secure storage area of the first device to prevent the communication key from being compromised.
Specifically, the first communication client may obtain the identification information of the second device, and then store the identification information of the second device in association with the communication key, so that in the authentication phase, the first communication client can obtain the communication key associated with the first communication client by obtaining the identification information of the second device.
In some embodiments, the second communication client may also obtain the identification information of the first device, and then store the identification information of the first device in association with the communication key, so that in the authentication phase, the second communication client can obtain the communication key associated with the first device by obtaining the identification information of the first device.
Alternatively, the identification information may be a MAC (Media Access Control) address, an IMEI (International Mobile Equipment Identity), and the like of the electronic device, which can uniquely identify the electronic device.
Step S24: the first communication client acquires a communication key for identity authentication with the second communication client.
Specifically, the first communication client may obtain identification information of the second device, and then obtain a communication key for performing identity authentication with the second communication client according to the identification information of the second device.
Step S25: and performing identity authentication on the first application client associated with the first communication client by using the communication key.
Step S26: and if the identity authentication of the first application client is successful, transmitting the data of the first application client to the second communication client based on the communication key so that the second communication client transmits the data to the second application client.
In this embodiment, steps S24 to S26 correspond to steps S11 to S13 in the above embodiment, and for the explanation of the steps S24 to S26, reference is made to the corresponding positions in the above embodiment, which is not described herein again.
In some embodiments, the first communication client or the second communication client may establish a communication connection with a third communication client installed in a third device, where account information logged on the first communication client, the second communication client, and the third communication client is the same; and the first communication client or the second communication client sends the communication key to the third communication client. Here, the communication connection may be a short-range communication connection, or a long-range communication connection, which is not limited herein. Short-range communication connections such as bluetooth, wiFi, and long-range communication connections such as the internet.
When the first communication client or the second communication client establishes communication connection with a third communication client installed in a third device, the first communication client or the second communication client can share the negotiated communication key with the third communication client on different devices through an account, so that the third communication client does not need to perform key negotiation with the first communication client or the second communication client once again, and secondly, the communication key can be prevented from being shared maliciously by logging in the same account information, and the communication key is prevented from being leaked.
According to the scheme, the first device and the second device can negotiate a new communication key every time near field communication pairing is carried out, so that even if the previous communication key is leaked, the leaked communication key cannot be used for a long time, the situation that the same key is used in each communication can be avoided, the encryption safety effect is improved, and the data transmission safety is improved; secondly, the communication key associated with the equipment can be quickly and accurately acquired according to the identification information of the equipment by associating and storing the communication key and the identification information of the equipment; and thirdly, the third communication client can quickly and safely acquire the communication key through the account by logging in the account information which is the same as that of the first communication client or the second communication client.
Referring to fig. 5, fig. 5 is a schematic flowchart illustrating an embodiment of step S25 in the data transmission method according to the present application, and please continue to refer to the identity authentication portion in fig. 4.
In this embodiment, step S25 in the above embodiment may specifically include sub-steps S351 to S358:
step S351: the first communication client randomly generates a first challenge code.
In this embodiment, the first challenge code is denoted as CA. The first challenge code may be one or a combination of several of numbers, characters and character strings.
Step S352: and operating the first challenge code and the communication key by using a preset algorithm to obtain a first response code.
Alternatively, the preset algorithm may be an HMAC algorithm, a GMAC algorithm, a CMAC algorithm, an AES-CBC-MAC algorithm, or the like.
In an application scenario, the first communication client operates on CA and KSC using the HMAC algorithm to obtain the first response code RA, i.e. RA = HMAC (KSC, CA).
Step S353: and sending the first response code, the first challenge code and the identification information of the first equipment to the second communication client, so that the second communication client utilizes a preset algorithm to calculate the first challenge code and a communication key corresponding to the identification information of the first equipment to obtain a second response code.
In this embodiment, the identification information of the first device is denoted as a _ ID, and the identification information of the second device is denoted as B _ ID.
In this embodiment, a communication key corresponding to the identification information of the first device is denoted as KSC'. Optionally, the second communication client may obtain the KSC' stored in association with it according to the a _ ID.
Specifically, the first communication client sends RA, CA and a _ ID to the second communication client, so that the second communication client operates CA and KSC 'by using a preset algorithm to obtain a second response code RA', that is, RA '= HMAC (KSC', CA).
Step S354: and if the first response code is the same as the second response code, receiving a second challenge code, identification information of the second device and a third response code sent by the second communication client, wherein the third response code is obtained by the second communication client computing a communication key, the first challenge code and the second challenge code corresponding to the identification information of the first device by using a preset algorithm.
Wherein the second challenge code may be randomly generated by the second communication client, and is denoted as CB.
It can be understood that the communication key KSC' corresponding to the identification information of the first device acquired by the second communication client is not necessarily the same as the communication key KSC used by the first communication client to calculate the first response code.
If RA and RA 'are the same, it means that KSC' is the same as KSC, and further means that the second communication client that is about to perform data transmission already stores the communication key corresponding to the first device, and the first communication client and the second communication client are mutually secure communication clients. On the contrary, if RA and RA 'are not the same, it indicates that KSC' is not the same as KSC, it indicates that the second communication client about to perform data transmission does not store the communication key corresponding to the first device, and at this time, the first communication client is an insecure communication client, so that the first application client associated with the first communication client fails to perform identity authentication.
Specifically, the second communication client may determine whether the first response code is the same as the second response code, and if the first response code is the same as the second response code, continue to perform the identity authentication, and perform an operation on KSC', CA, and CB by using a preset algorithm to obtain a third response code, which is recorded as RAB.
In an embodiment, the operation of KSC ', CA and CB using the preset algorithm may be an operation of KSC ', CA | CB using an HMAC algorithm, that is, RAB = HMAC (KSC ', CA | CB). Where CA | CB is the sequential concatenation of CA and CB, CA being before and CB being after, e.g., CA is 123, CB is 456, and CA | CB is 123456. In other embodiments, sequential CB | CA splicing, CB preceding, CA succeeding, or CB | CA | CB splicing may be used, without limitation.
Step S355: and calculating the first challenge code, the second challenge code and the communication key corresponding to the identification information of the second device by using a preset algorithm to obtain a fourth response code.
Because the first communication client stores the communication key and the identification information of the second device in an associated manner, the first communication client can acquire the associated communication key KSC according to the identification information of the second device to perform operation.
In an embodiment, the first communication client may utilize an HMAC algorithm to operate on CA, CB, and KSC to obtain the fourth response code RAB ', i.e., RAB' = HMAC (KSC, CA | CB). It should be noted that the first communication client and the second communication client need to adopt the same preset algorithm and the splicing manner of CA | CB, so that the variable is only the communication key.
Step S356: and judging whether the third response code is the same as the fourth response code.
If the third response code is the same as the fourth response code, step S357 is executed, otherwise, step S358 is executed.
Step S357: and determining that the first application client identity authentication is successful.
Step S358: and determining that the first application client identity authentication fails.
In some embodiments, step S375 may further include: calculating a communication key corresponding to the second challenge code and the identification information of the second device by using a preset algorithm to obtain a fifth response code; and sending the fifth response code to the second communication client so that the second communication client judges whether the fifth response code is the same as the sixth response code, and if so, determining that the identity authentication of the first application client is successful, wherein the sixth response code is obtained by calculating a communication key and a second challenge code, which correspond to the identification information of the first device, by the second communication client by using a preset algorithm. By the method, replay attack can be prevented, and even if other equipment obtains the first challenge code, the first response code and the identification information of the first equipment, the first equipment and the second equipment cannot be subjected to data transmission falsely.
Specifically, as shown in fig. 4, after confirming that the third response code is the same as the fourth response code, the first communication client continues to perform an operation on the KSC and the CB by using the HMAC algorithm to obtain a fifth response code RB, that is, RB = HMAC (KSC, CB), and then sends RB to the second communication client, so that the second communication client performs an operation on KSC ' and CB by using the HMAC algorithm to obtain a sixth response code RB ', that is, RB ' = HMAC (KSC ', CB), and the second communication client determines whether RB is the same as RB ', and if so, determines that the first application client identity authentication is successful; otherwise, determining that the first application client identity authentication fails.
According to the scheme, the whole implementation process of identity authentication of the first application client associated with the first communication client is simple by using the communication key, the utilized preset algorithms such as the HMAC algorithm are all algorithms which are universal in the industry, the calculation is simple, and then the fifth response code is sent to the second communication client, so that the second communication client judges whether the fifth response code is the same as the sixth response code, if so, the first application client is determined to be successful in identity authentication, replay attack can be prevented, and the reliability of identity authentication is improved.
Referring to fig. 6, fig. 6 is a flowchart illustrating an embodiment of step S26 in the data transmission method according to the present application, and please continue to refer to the data encryption portion in fig. 4.
Step S26 in the above embodiment, namely, using the communication key to authenticate the first application client associated with the first communication client, may specifically include sub-steps S461 to S463:
step S461: and calculating the communication key, the first challenge code and the second challenge code corresponding to the identification information of the second device by adopting a preset algorithm to obtain an encryption parameter.
In a specific embodiment, the preset algorithm may be an HMAC algorithm, and the first communication client operates the KSC, CA, and CB using the HMAC algorithm, that is, AES-GCM-Params = HMAC (KSC, CA | CB), and then divides AES-GCM-Params into encryption parameters, such as a key K, a vector IV, and a message authentication AAD.
Step S462: and encrypting the data of the first application client by using the encryption parameters.
The first communication client encrypts the data of the first application client by using the secret key K, the vector IV and the message authentication AAD. If the data of the first application client before encryption is recorded as plaintext PT and the data of the first application client after encryption is recorded as ciphertext CT, step S462 may be recorded as CT = AES-GCM-Encrypt (K, IV, AAD, PT).
Alternatively, the AES algorithm may include multiple modes such as GCM, CBC, ECB, CTR, OCB, CFB, and so on.
Step S463: and transmitting the encrypted data of the first application client to the second communication client so that the second communication client decrypts the encrypted data of the first application client and transmits the decrypted data to the second application client.
And the first communication client sends the ciphertext CT to the second communication client so that the second communication client decrypts the ciphertext CT and transmits the decrypted plaintext PT to the second application client.
The second communication client may calculate the decryption parameters, such as the key K, the vector IV, and the message authentication AAD, by using the method of the first communication client. Specifically, the second communication client operates KSC ', CA and CB using the HMAC algorithm, i.e. AES-GCM-Params = HMAC (KSC', CA | CB), and then divides AES-GCM-Params into encryption parameters, such as key K, vector IV, message authentication AAD.
In a specific embodiment, the second communication client operates on KSC, CA and CB using the HMAC algorithm, i.e. AES-GCM-Params = HMAC (KSC, CA | CB), and then segments AES-GCM-Params into decryption parameters, such as key K, vector IV, message authentication AAD. Then, the second communication client decrypts the CT according to the decryption parameter to obtain PT, which is marked as PT = AES-GCM-decryption (K, IV, ADD, CT).
According to the scheme, a first communication client generates encryption parameters through a communication key, a first challenge code and a second challenge code which correspond to identification information of second equipment obtained in an identity authentication process, data of a first application client is further encrypted through the encryption parameters and then transmitted to a second communication client, then the second communication client generates decryption parameters according to the communication key, the first challenge code and the second challenge code which correspond to the identification information of the first equipment so as to decrypt the transmitted data, and then the decrypted data are transmitted to the second application client, wherein the encryption parameters in the embodiment are dynamically changed, the encryption parameters are refreshed once when the first equipment and the second equipment are connected in a pairing mode once, one-time encryption can be achieved, and therefore the safety of data transmission can be improved; and secondly, an AES algorithm is adopted, so that the calculation is simple.
Referring to fig. 7, fig. 7 is a schematic flowchart illustrating a data transmission method according to another embodiment of the present application.
In this embodiment, the data transmission method is applied to a first device to transmit data to a second device, where the first device is installed with a first communication client and a first application client, and the second device is installed with a second communication client and a second application client, and for the description of this part, please refer to the corresponding positions in the above embodiments, which is not described herein again.
In this embodiment, an execution subject of the data transmission method is the second communication client, and the data transmission method may include the following steps:
step S51: the second communication client side obtains a communication key for identity authentication with the first communication client side.
The communication key is used for identity authentication between the first communication client and the second communication client. In the data transmission process, the first communication client is an initiator of data transmission, and the second communication client is a receiver of the data transmission.
Alternatively, the communication key may be stored in a server local or remote to the electronic device.
Step S52: and performing identity authentication on the first application client associated with the first communication client by using the communication key.
If the first communication client and the second communication client are successfully authenticated, the first application client associated with the first communication client is also successfully authenticated.
Step S53: and if the identity authentication of the first application client is successful, receiving the transmission data of the first application client sent by the first communication client based on the communication key, and transmitting the data of the first application client to the second application client.
After the first application client is successfully authenticated, the first communication client can transmit data of the first application client to the second communication client, and then the second communication client transmits the data to the second application client based on the communication key, so that data transmission between the first application client on the first device and the second application client on the second device can be realized, and the data transmission between application layers needs to pass through the authentication before the data transmission, thereby improving the security of the data transmission.
According to the scheme, the second communication client side obtains the communication key for identity authentication with the first communication client side, then identity authentication is carried out on the first application client side associated with the first communication client side through the communication key, after the first application client side succeeds in identity authentication, transmission data of the first application client side, sent by the first communication client side, are received based on the communication key, the data of the first application client side are transmitted to the second application client side, data transmission between the first application client side on the first device and the second application client side on the second device is achieved, identity authentication needs to be passed before data transmission is carried out between application layers, and safety of data transmission is improved.
In some embodiments, the communication key is generated by a dynamic negotiation of the first device and the second device.
In some embodiments, the process of dynamically negotiating the communication key by the first device and the second device may include: the first device and the second device are in communication pairing; if the communication pairing of the first equipment and the second equipment is successful, the first equipment and the second equipment adopt a preset key negotiation algorithm to negotiate so as to obtain a communication key; the communication key is stored.
In some embodiments, storing the communication key comprises: acquiring identification information of first equipment; and storing the identification information of the first device and the communication key in an associated manner.
In some embodiments, the step S51 of acquiring, by the second communication client, the communication key for identity authentication with the first communication client may be: the second communication client side obtains identification information of the first equipment; and acquiring a communication key for identity authentication with the first communication client according to the identification information of the first device.
It is understood that the description of the above steps can refer to the corresponding positions in the above embodiments, and the description is omitted here.
According to the scheme, the first device and the second device can negotiate a new communication key every time near field communication pairing is carried out, so that even if the previous communication key is leaked, the leaked communication key cannot be used for a long time, the situation that the same key is used in each communication can be avoided, the encryption safety effect is improved, and the data transmission safety is improved; secondly, the communication key associated with the equipment can be quickly and accurately acquired according to the identification information of the equipment by associating and storing the communication key and the identification information of the equipment; and thirdly, the third communication client can quickly and safely acquire the communication key through the account by logging in the account information which is the same as that of the first communication client or the second communication client.
Referring to fig. 8, fig. 8 is a schematic flowchart illustrating an embodiment of step S52 in the data transmission method according to the present application, and please continue to refer to the identity authentication portion in fig. 4.
In some embodiments, step S52 may include sub-steps S621-S626:
step S621: the second communication client receives the first challenge code, the first response code and the identification information of the first device sent by the first communication client.
Step S622: and calculating the first challenge code and the communication key corresponding to the identification information of the first equipment by using a preset algorithm to obtain a second response code.
Step S623: and judging whether the first response code is the same as the second response code.
If the first answer code is the same as the second answer code, step S624 is executed, otherwise, it is determined that the first application client fails to authenticate.
Step S624: and randomly generating a second challenge code, and calculating the first challenge code, the second challenge code and a communication key corresponding to the identification information of the first device by using a preset algorithm to obtain a third response code.
Step S625: and sending the third response code, the second challenge code and the identification information of the second communication client to the first communication client so that the first communication client judges whether the third response code is the same as a fourth response code, wherein the fourth response code is obtained by the first communication client computing the first challenge code, the second challenge code and a communication key corresponding to the identification information of the second communication client by using a preset algorithm.
Step S626: and if the third response code is the same as the fourth response code, determining that the identity authentication of the first application client is successful.
In some embodiments, step S626 may further include: if the third response code is the same as the fourth response code, receiving a fifth response code sent by the first communication client, wherein the fifth response code is obtained by the first communication client computing the second challenge code and the communication key corresponding to the identification information of the second device by using a preset algorithm; calculating a communication key corresponding to the identification information of the first device and the second challenge code by using a preset algorithm to obtain a sixth response code; judging whether the fifth answer code is the same as the sixth answer code; and if the fifth answer code is the same as the sixth answer code, determining that the identity authentication of the first application client is successful.
For the explanation of each step in this embodiment, please refer to the corresponding position in the above embodiments, which is not described herein again.
According to the scheme, the whole implementation process of identity authentication of the first application client associated with the first communication client is simple by using the communication key, the utilized preset algorithms such as the HMAC algorithm and the like are all algorithms which are universal in the industry, the calculation is simple, then the fifth response code is sent to the second communication client, so that the second communication client judges whether the fifth response code is the same as the sixth response code, if the fifth response code is the same as the sixth response code, the identity authentication of the first application client is determined to be successful, replay attack can be prevented, and the reliability of identity authentication is improved.
Referring to fig. 9, fig. 9 is a schematic flowchart illustrating an embodiment of a step S53 in the data transmission method according to the present application, and please continue to refer to the data encryption portion in fig. 4.
In some embodiments, step S53 may include sub-steps S731-S726:
step S731: and calculating the communication key, the first challenge code and the second challenge code corresponding to the identification information of the first device by adopting a preset algorithm to obtain a decryption parameter.
Step S732: and decrypting the data of the first application client by using the decryption parameter.
Step S733: and transmitting the decrypted transmission data of the first application client to the second application client.
For the explanation of each step in this embodiment, please refer to the corresponding position in the above embodiments, which is not described herein again.
According to the scheme, encryption parameters are generated through a communication key, a first challenge code and a second challenge code which correspond to identification information of second equipment obtained in an identity authentication process, data of a first application client side are further encrypted through the encryption parameters and then transmitted to a second communication client side, decryption parameters are generated by the second communication client side according to the communication key, the first challenge code and the second challenge code which correspond to the identification information of the first equipment so as to decrypt the transmitted data, and then the decrypted data are sent to the second application client side, wherein the encryption parameters in the embodiment are dynamically changed, the encryption parameters are refreshed once when the first equipment and the second equipment are in pairing connection once, one-time password can be realized, and the safety of data transmission can be improved; and secondly, an AES algorithm is adopted, so that the calculation is simple.
Referring to fig. 10, fig. 10 is a schematic diagram of a frame of an embodiment of an electronic device provided in the present application.
The electronic apparatus 100 includes: a processor 110 and a memory 120 connected to the processor 110, the memory 120 being configured to store program data, the processor 110 being configured to execute the program data to implement the steps of any of the above-mentioned method embodiments.
The electronic device 100 includes, but is not limited to, a television, a desktop computer, a laptop computer, a handheld computer, a wearable device, a head-mounted display, a reader device, a portable music player, a portable game console, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, and a cicada-phone, a Personal Digital Assistant (PDA), an Augmented Reality (AR), a Virtual Reality (VR) device.
In particular, the processor 110 is configured to control itself and the memory 120 to implement the steps of any of the above-described method embodiments. Processor 110 may also be referred to as a CPU (Central Processing Unit). The processor 110 may be an integrated circuit chip having signal processing capabilities. The Processor 110 may also be a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. In addition, processor 110 may be commonly implemented by multiple integrated circuit chips.
Referring to fig. 11, fig. 11 is a block diagram illustrating an embodiment of a computer storage medium according to the present application.
The computer readable storage medium 200 stores program data 210, and the program data 210 is used for implementing the steps of any of the above method embodiments when executed by a processor.
The computer-readable storage medium 200 may be a medium that can store a computer program, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or may be a server that stores the computer program, and the server can send the stored computer program to another device for running or can run the stored computer program by itself.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a module or a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some interfaces, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the specification and the drawings, or which are directly or indirectly applied to other related technical fields, are intended to be included within the scope of the present application.
Claims (19)
1. A data transmission method is applied to a first device for transmitting data to a second device, wherein a first communication client and a first application client are installed in the first device, and a second communication client and a second application client are installed in the second device, and the method comprises the following steps:
the first communication client side obtains a communication key for identity authentication with the second communication client side;
performing identity authentication on the first application client associated with the first communication client by using the communication key;
and if the identity authentication of the first application client is successful, transmitting the data of the first application client to a second communication client based on the communication key so that the second communication client transmits the data to the second application client.
2. The method of claim 1,
the communication key is generated by dynamic negotiation between the first device and the second device.
3. The method of claim 2,
the method further comprises the following steps:
the first device is paired with the second device for near field communication;
if the near field communication pairing of the first device and the second device is successful, the first device and the second device adopt a preset key negotiation algorithm to negotiate so as to obtain the communication key;
and storing the communication key.
4. The method of claim 3,
the storing the communication key comprises:
acquiring identification information of the second device;
and storing the identification information of the second device and the communication key in an associated manner.
5. The method of claim 2,
the method further comprises the following steps:
the first communication client or the second communication client establishes communication connection with a third communication client installed in third equipment, wherein account information logged on the first communication client, the second communication client and the third communication client is the same;
and the first communication client or the second communication client sends the communication key to the third communication client.
6. The method of claim 1,
the first communication client side obtains a communication key for identity authentication with the second communication client side, and the method comprises the following steps:
the first communication client acquires identification information of the second device;
and acquiring a communication key for performing identity authentication with the second communication client according to the identification information of the second device.
7. The method of claim 1,
the performing, by using the communication key, identity authentication on the first application client associated with the first communication client includes:
the first communication client randomly generates a first challenge code;
calculating the first challenge code and the communication key by using a preset algorithm to obtain a first response code;
sending the first response code, the first challenge code and the identification information of the first device to the second communication client, so that the second communication client utilizes a preset algorithm to calculate the first challenge code and a communication key corresponding to the identification information of the first device to obtain a second response code;
if the first response code is the same as the second response code, receiving a second challenge code, identification information of the second device and a third response code sent by the second communication client, wherein the third response code is obtained by the second communication client through operation of a communication key corresponding to the identification information of the first device, the first challenge code and the second challenge code by using a preset algorithm;
calculating the first challenge code, the second challenge code and a communication key corresponding to the identification information of the second device by using a preset algorithm to obtain a fourth response code;
judging whether the third response code is the same as the fourth response code;
and if the third response code is the same as the fourth response code, determining that the identity authentication of the first application client is successful.
8. The method of claim 7,
if the third response code is the same as the fourth response code, determining that the first application client identity authentication is successful, including:
if the third response code is the same as the fourth response code, calculating a communication key corresponding to the second challenge code and the identification information of the second device by using a preset algorithm to obtain a fifth response code;
and sending the fifth response code to the second communication client, so that the second communication client judges whether the fifth response code is the same as a sixth response code, and if so, determining that the first application client is successfully authenticated, wherein the sixth response code is obtained by calculating a communication key corresponding to the identification information of the first device and the second challenge code by the second communication client by using a preset algorithm.
9. The method according to claim 7 or 8,
the transmitting the data of the first application client to the second communication client according to the communication key comprises:
calculating a communication key corresponding to the identification information of the second device, the first challenge code and the second challenge code by adopting a preset algorithm to obtain an encryption parameter;
encrypting the data of the first application client by using the encryption parameters;
and transmitting the encrypted data of the first application client to the second communication client so that the second communication client decrypts the encrypted data of the first application client and transmits the decrypted data to the second application client.
10. A data transmission method is applied to a first device for transmitting data to a second device, wherein a first communication client and a first application client are installed in the first device, and a second communication client and a second application client are installed in the second device, and the method comprises the following steps:
the second communication client side obtains a communication key for identity authentication with the first communication client side;
performing identity authentication on the first application client associated with the first communication client by using the communication key;
and if the identity authentication of the first application client is successful, receiving the transmission data of the first application client sent by the first communication client based on the communication key, and transmitting the data of the first application client to the second application client.
11. The method of claim 10,
the communication key is generated by dynamic negotiation between the first device and the second device.
12. The method of claim 11,
the method further comprises the following steps:
the first device is in communication pairing with the second device;
if the communication pairing between the first device and the second device is successful, the first device and the second device adopt a preset key negotiation algorithm to negotiate so as to obtain the communication key;
and storing the communication key.
13. The method of claim 12,
the storing the communication key comprises:
acquiring identification information of the first device;
and storing the identification information of the first device and the communication key in an associated manner.
14. The method of claim 10,
the second communication client side obtains a communication key for identity authentication with the first communication client side, and the method comprises the following steps:
the second communication client acquires the identification information of the first equipment;
and acquiring a communication key for identity authentication with the first communication client according to the identification information of the first device.
15. The method of claim 10,
the identity authentication of the first application client associated with the first communication client by using the communication key comprises:
the second communication client receives a first challenge code, a first response code and identification information of the first device, which are sent by the first communication client;
calculating the first challenge code and a communication key corresponding to the identification information of the first device by using a preset algorithm to obtain a second response code;
judging whether the first response code is the same as the second response code;
if the first response code is the same as the second response code, randomly generating a second challenge code, and calculating the first challenge code, the second challenge code and a communication key corresponding to the identification information of the first device by using a preset algorithm to obtain a third response code;
sending the third response code, the second challenge code and the identification information of the second communication client to the first communication client so that the first communication client can judge whether the third response code is the same as a fourth response code, wherein the fourth response code is obtained by the first communication client computing a communication key corresponding to the first challenge code, the second challenge code and the identification information of the second communication client by using a preset algorithm;
and if the third response code is the same as the fourth response code, determining that the first application client identity authentication is successful.
16. The method of claim 15,
if the third answer code is the same as the fourth answer code, determining that the identity authentication of the first application client is successful, including:
if the third response code is the same as the fourth response code, receiving a fifth response code sent by the first communication client, wherein the fifth response code is obtained by the first communication client computing the second challenge code and a communication key corresponding to the identification information of the second device by using a preset algorithm;
calculating a communication key corresponding to the identification information of the first device and the second challenge code by using a preset algorithm to obtain a sixth response code;
judging whether the fifth response code is the same as the sixth response code;
and if the fifth answer code is the same as the sixth answer code, determining that the first application client identity authentication is successful.
17. The method of claim 15 or 16,
the transmitting the data of the first application client to the second communication client according to the communication key comprises:
calculating a communication key corresponding to the identification information of the first device, the first challenge code and the second challenge code by adopting a preset algorithm to obtain a decryption parameter;
decrypting the data of the first application client by using the decryption parameter;
and transmitting the decrypted transmission data of the first application client to the second application client.
18. An electronic device, comprising a processor and a memory coupled to the processor,
the memory is for storing program data, and the processor is for executing the program data to implement the method of any one of claims 1-17.
19. A computer-readable storage medium, characterized in that a program data is stored in the computer-readable storage medium, which program data, when being executed by a processor, is adapted to carry out the method of any one of claims 1-17.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011475037.1A CN112616139B (en) | 2020-12-14 | 2020-12-14 | Data transmission method, electronic equipment and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011475037.1A CN112616139B (en) | 2020-12-14 | 2020-12-14 | Data transmission method, electronic equipment and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112616139A CN112616139A (en) | 2021-04-06 |
| CN112616139B true CN112616139B (en) | 2023-02-10 |
Family
ID=75234123
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011475037.1A Active CN112616139B (en) | 2020-12-14 | 2020-12-14 | Data transmission method, electronic equipment and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112616139B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101783792A (en) * | 2009-01-16 | 2010-07-21 | 深圳市维信联合科技有限公司 | Encrypted communication method and system based on internet |
| EP2453379A1 (en) * | 2010-11-15 | 2012-05-16 | Deutsche Telekom AG | Method, system, user equipment and program for authenticating a user |
| CN102546559A (en) * | 2010-12-29 | 2012-07-04 | 北京新媒传信科技有限公司 | Method, equipment and system for end-to-end transmission of data in challenged network |
| CN109450881A (en) * | 2018-10-26 | 2019-03-08 | 天津海泰方圆科技有限公司 | A kind of data transmission system, method and device |
| CN111464494A (en) * | 2020-02-26 | 2020-07-28 | 北京十安赛恩科技有限公司 | E-mail encryption method, first client and block chain system |
-
2020
- 2020-12-14 CN CN202011475037.1A patent/CN112616139B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101783792A (en) * | 2009-01-16 | 2010-07-21 | 深圳市维信联合科技有限公司 | Encrypted communication method and system based on internet |
| EP2453379A1 (en) * | 2010-11-15 | 2012-05-16 | Deutsche Telekom AG | Method, system, user equipment and program for authenticating a user |
| CN102546559A (en) * | 2010-12-29 | 2012-07-04 | 北京新媒传信科技有限公司 | Method, equipment and system for end-to-end transmission of data in challenged network |
| CN109450881A (en) * | 2018-10-26 | 2019-03-08 | 天津海泰方圆科技有限公司 | A kind of data transmission system, method and device |
| CN111464494A (en) * | 2020-02-26 | 2020-07-28 | 北京十安赛恩科技有限公司 | E-mail encryption method, first client and block chain system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112616139A (en) | 2021-04-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2019379092B2 (en) | Secure over-the-air firmware upgrade | |
| JP3999655B2 (en) | Method and apparatus for access control with leveled security | |
| JP5431479B2 (en) | Protocol for associating devices with stations | |
| KR20040075293A (en) | Apparatus and method simplifying an encrypted network | |
| US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
| US11057196B2 (en) | Establishing shared key data for wireless pairing | |
| CN109688098B (en) | Method, device and equipment for secure communication of data and computer readable storage medium | |
| JP2019530265A (en) | Method and apparatus for providing and acquiring graphic code information and terminal | |
| EP3308519A1 (en) | System, apparatus and method for transferring ownership of a device from manufacturer to user using an embedded resource | |
| CN106465104B (en) | Key sharing method and device | |
| US11637704B2 (en) | Method and apparatus for determining trust status of TPM, and storage medium | |
| KR20160111244A (en) | Electronic apparatus and communication method thereof | |
| WO2021109668A1 (en) | Security authentication method, apparatus, and electronic device | |
| KR20140058196A (en) | Apparatus and method for protecting mobile message data | |
| TWI633800B (en) | Methods for device pairing and data transmission in handheld communication devices | |
| CN109510711B (en) | Network communication method, server, client and system | |
| CN112616139B (en) | Data transmission method, electronic equipment and computer readable storage medium | |
| CN110868718A (en) | Method and device for dynamically acquiring network name and password of access point | |
| US11943201B2 (en) | Authentication procedure in a virtual private network | |
| EP4262136A1 (en) | Identity authentication method and apparatus, storage medium, program, and program product | |
| EP4089954A1 (en) | Bluetooth peripheral and central apparatuses and verification method | |
| KR101785382B1 (en) | Method for authenticating client, operation method of client, server enabling the method, and communication software enabling the operation method | |
| WO2016003310A1 (en) | Bootstrapping a device to a wireless network | |
| JP5847345B1 (en) | Information processing apparatus, authentication method, and program | |
| WO2018023495A1 (en) | Device pairing and data transmission method for handheld communication device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |