CN112688909B - Data transmission system, method, device, medium and equipment - Google Patents


Info

Publication number
CN112688909B
Authority
CN
China
Prior art keywords
key
transmission
transmission key
endpoint device
encrypted
Legal status
Active
Application number
CN202011058023.XA
Other languages
Chinese (zh)
Other versions
CN112688909A (en)
Inventor
李奀林
安晓江
蒋红宇
Current Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN202011058023.XA
Publication of CN112688909A
Application granted
Publication of CN112688909B

Abstract

The present invention relates to a data transmission system, method, apparatus, medium and device. When data is to be transmitted, the first endpoint device generates a transmission key for the first and second endpoint devices from the transmission key corresponding to the first endpoint device and the transmission key corresponding to the second endpoint device, the latter being stored in the central device, and then encrypts the data with the generated transmission key before sending it. The second endpoint device generates the same transmission key for the two endpoint devices from the transmission key corresponding to the second endpoint device and the transmission key corresponding to the first endpoint device, which it obtains from the central device, and decrypts the received data with it. Because the central device no longer needs to hold the transmission key that actually encrypts and decrypts the transmitted data, an attacker who breaks through the central device's defences cannot obtain that transmission key and therefore cannot decrypt the data sent from the first endpoint device to the second endpoint device.

Description

Data transmission system, method, device, medium and equipment
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data transmission system, method, apparatus, medium, and device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
In existing solutions, encrypted data transmission from endpoint device A to endpoint device B through a central device generally works as follows: endpoint A negotiates a key A with the central device, encrypts the data with key A and sends it to the central device. The central device decrypts the data with key A, re-encrypts it with key B, which it has negotiated with endpoint B, and forwards the result to endpoint B. Endpoint B decrypts with key B and obtains the data sent by endpoint A.
In this scheme both negotiated keys A and B are held by the central device, so if the central device's defences are breached the attacker obtains both keys and can decrypt the data transmitted from endpoint A to endpoint B. In addition, every transmission from endpoint A to endpoint B has to pass through the central device, which decrypts and re-encrypts it on the way; this further weakens data security.
Disclosure of Invention
Embodiments of the present invention provide a data transmission system, method, apparatus, medium and device that address the poor security of encrypted data transmission through a central device.
In a first aspect, the present invention provides a data transmission system comprising a central device, a first endpoint device and a second endpoint device, where:
the first endpoint device is configured to determine the transmission key generated for the first endpoint device and the second endpoint device, encrypt data with that transmission key and send the encrypted data to the second endpoint device, the transmission key being generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device;
the central device is configured to store the first transmission key and provide it to the second endpoint device, and to store the second transmission key and provide it to the first endpoint device;
the second endpoint device is configured to determine the transmission key generated for the first endpoint device and the second endpoint device, and to use it to decrypt the received data that the first endpoint device encrypted with that transmission key, the transmission key being generated from the first transmission key corresponding to the first endpoint device and the second transmission key corresponding to the second endpoint device.
Optionally, the first endpoint device determining the transmission key generated for the first and second endpoint devices, and encrypting data with it before sending the data to the second endpoint device, comprises:
checking whether a transmission key already generated for the first and second endpoint devices is stored; if it is, encrypting the data with the stored transmission key and sending the encrypted data to the second endpoint device; if it is not, generating and storing the transmission key, then encrypting the data with the newly generated transmission key and sending the encrypted data to the second endpoint device.
Optionally, the second endpoint device determining the transmission key generated for the first and second endpoint devices, and decrypting with it the received data that the first endpoint device encrypted with that key, comprises:
checking whether a transmission key already generated for the first and second endpoint devices is stored; if it is, decrypting the received data with the stored transmission key; if it is not, generating and storing the transmission key, then decrypting the received data with the newly generated transmission key.
Optionally, the first endpoint device generating the transmission key comprises:
sending a request for the second transmission key to the central device and receiving the second transmission key sent by the central device;
generating the transmission key from the first transmission key and the received second transmission key;
and the central device is specifically configured to receive the first endpoint device's request for the second transmission key and to send the second transmission key to the first endpoint device in response.
Optionally, the second endpoint device generating the transmission key comprises:
sending a request for the first transmission key to the central device and receiving the first transmission key sent by the central device;
generating the transmission key from the second transmission key and the received first transmission key;
and the central device is specifically configured to receive the second endpoint device's request for the first transmission key and to send the first transmission key to the second endpoint device in response.
Optionally, the central device is further configured to store a first public key corresponding to the first endpoint device;
the second transmission key stored by the central device is a second public-key-encrypted transmission key, produced as follows:
the second endpoint device encrypts the second transmission key with its stored encryption key to obtain a second encrypted transmission key, encrypts that second encrypted transmission key with the central public key corresponding to the central device to obtain the second public-key-encrypted transmission key, and sends the second public-key-encrypted transmission key together with the second public key to the central device for storage;
the central device sending the second transmission key to the first endpoint device comprises:
decrypting the stored second public-key-encrypted transmission key with the central private key corresponding to the central public key to recover the second encrypted transmission key, encrypting that second encrypted transmission key with the stored first public key to obtain a second public-key-re-encrypted transmission key, and sending the second public-key-re-encrypted transmission key to the first endpoint device;
the first endpoint device receiving the second transmission key sent by the central device and generating the transmission key from the first transmission key and the received second transmission key comprises:
receiving the second public-key-re-encrypted transmission key sent by the central device;
decrypting the second public-key-re-encrypted transmission key with the first private key corresponding to the first public key to recover the second encrypted transmission key, decrypting that second encrypted transmission key again with the stored encryption key to recover the second transmission key, and generating the transmission key from the first transmission key and the second transmission key so recovered.
Optionally, the central device is further configured to store a second public key corresponding to the second endpoint device;
the first transmission key stored by the central device is a first public-key-encrypted transmission key, produced as follows:
the first endpoint device encrypts the first transmission key with its stored encryption key to obtain a first encrypted transmission key, encrypts that first encrypted transmission key with the central public key corresponding to the central device to obtain the first public-key-encrypted transmission key, and sends the first public-key-encrypted transmission key together with the first public key to the central device for storage;
the central device sending the first transmission key to the second endpoint device comprises:
decrypting the stored first public-key-encrypted transmission key with the central private key corresponding to the central public key to recover the first encrypted transmission key, encrypting that first encrypted transmission key with the stored second public key to obtain a first public-key-re-encrypted transmission key, and sending the first public-key-re-encrypted transmission key to the second endpoint device;
the second endpoint device receiving the first transmission key sent by the central device and generating the transmission key from the second transmission key and the received first transmission key comprises:
receiving the first public-key-re-encrypted transmission key sent by the central device;
decrypting the first public-key-re-encrypted transmission key with the second private key corresponding to the second public key to recover the first encrypted transmission key, decrypting that first encrypted transmission key again with the stored encryption key to recover the first transmission key, and generating the transmission key from the second transmission key and the first transmission key so recovered.
In a second aspect, the present invention further provides a data transmission method comprising:
determining the transmission key generated for the first endpoint device and the second endpoint device;
encrypting data with the determined transmission key and sending the encrypted data to the second endpoint device;
where the transmission key is generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from a central device.
In a third aspect, the present invention further provides a data transmission method comprising:
storing the first transmission key and the second transmission key;
providing the second transmission key to a first endpoint device, so that the first endpoint device generates, from the first transmission key corresponding to itself and the second transmission key, the transmission key for the first and second endpoint devices, encrypts data with that key and sends the encrypted data to the second endpoint device; and providing the first transmission key to a second endpoint device, so that the second endpoint device generates, from the second transmission key corresponding to itself and the first transmission key, the transmission key for the first and second endpoint devices and decrypts with it the received data that the first endpoint device encrypted with that key.
In a fourth aspect, the present invention further provides a data transmission method comprising:
determining the transmission key generated for the first endpoint device and the second endpoint device;
decrypting, with the determined transmission key, the received data that the first endpoint device encrypted with that key;
where the transmission key is generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from a central device.
In a fifth aspect, the present invention further provides a data transmission apparatus comprising:
a determining module for determining the transmission key generated for the first endpoint device and the second endpoint device;
a transmission module for encrypting data with the determined transmission key and sending the encrypted data to the second endpoint device;
where the transmission key is generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from a central device.
In a sixth aspect, the present invention further provides a data transmission apparatus comprising:
a storage module for storing the first transmission key and the second transmission key;
a providing module configured to provide the second transmission key to a first endpoint device, so that the first endpoint device generates, from the first transmission key corresponding to itself and the second transmission key, the transmission key for the first and second endpoint devices, encrypts data with that key and sends the encrypted data to the second endpoint device; and to provide the first transmission key to a second endpoint device, so that the second endpoint device generates, from the second transmission key corresponding to itself and the first transmission key, the transmission key for the first and second endpoint devices and decrypts with it the received data that the first endpoint device encrypted with that key.
In a seventh aspect, the present invention further provides a data transmission apparatus comprising:
a determining module for determining the transmission key generated for the first endpoint device and the second endpoint device;
a transmission module for decrypting, with the determined transmission key, the received data that the first endpoint device encrypted with that key;
where the transmission key is generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from a central device.
In an eighth aspect, the present invention also provides a non-volatile computer storage medium storing an executable program which, when executed by a processor, implements the method described above.
In a ninth aspect, the present invention further provides a data transmission device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is used to store a computer program;
and the processor, when executing the program stored in the memory, implements the method steps described above.
According to the scheme provided by the embodiment of the present invention, when data is to be transmitted, the first endpoint device (which may be understood as the sending device) generates a transmission key for the two endpoint devices from the transmission key corresponding to the first endpoint device and the transmission key corresponding to the second endpoint device (which may be understood as the receiving device), the latter being stored in the central device, and then encrypts the data with the generated transmission key before sending it. The second endpoint device generates the same transmission key for the two endpoint devices from the transmission key corresponding to the second endpoint device and the transmission key corresponding to the first endpoint device, which it obtains from the central device, and decrypts the received data with it. Because the central device no longer needs to hold the transmission key that actually encrypts and decrypts the transmitted data, an attacker who breaks through the central device's defences cannot obtain that transmission key and therefore cannot decrypt the data sent from the first endpoint device to the second endpoint device.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
To illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings used in describing them are briefly introduced below. Evidently the drawings described below show only some embodiments of the present invention, and a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a data transmission system according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a data transmission method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a data transmission method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a data transmission method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a data transmission apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a data transmission device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that "plurality" or "a plurality" as used herein means two or more. "And/or" describes an association between the associated objects and covers three cases; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
The terms "first," "second," and the like in the description and in the claims, and in the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein.
Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
To address the poor security of encrypted data transmission through a central device, an embodiment of the present invention proposes that the central device no longer directly stores the transmission key used to encrypt and decrypt the data. Instead, the central device stores a transmission key corresponding to each endpoint device, and each endpoint device generates the transmission key for the two communicating parties from its own transmission key and the transmission key of the opposite endpoint device obtained from the central device, then encrypts and decrypts the transmitted data with that generated key. This effectively improves the security of data transmission.
It should also be noted that in the scheme provided by the embodiment of the present invention, the encrypted data sent from one endpoint device to the other may or may not pass through the central device. If the encrypted data is sent directly from one endpoint device to the other without passing through the central device, the security of data transmission is improved still further.
An embodiment of the present invention provides a data transmission system, which may have the structure shown in Fig. 1 and includes a first endpoint device 11, a central device 12 and a second endpoint device 13, where:
the first endpoint device 11 is configured to determine the transmission key generated for the first endpoint device and the second endpoint device, encrypt data with that transmission key and send the encrypted data to the second endpoint device, the transmission key being generated from a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device;
the central device 12 is configured to store the first transmission key and provide it to the second endpoint device, and to store the second transmission key and provide it to the first endpoint device;
the second endpoint device 13 is configured to determine the transmission key generated for the first endpoint device and the second endpoint device, and to use it to decrypt the received data that the first endpoint device encrypted with that transmission key, the transmission key being generated from the first transmission key corresponding to the first endpoint device and the second transmission key corresponding to the second endpoint device.
In a possible implementation, the first endpoint device 11 determining the transmission key generated for the first and second endpoint devices, and encrypting data with it before sending the data to the second endpoint device, may include:
checking whether a transmission key already generated for the first and second endpoint devices is stored; if it is, encrypting the data with the stored transmission key and sending the encrypted data to the second endpoint device; if it is not, generating and storing the transmission key, then encrypting the data with the newly generated transmission key and sending the encrypted data to the second endpoint device.
Similarly, the second endpoint device 13 determining the transmission key generated for the first and second endpoint devices, and decrypting with it the received data that the first endpoint device encrypted with that key, may include:
checking whether a transmission key already generated for the first and second endpoint devices is stored; if it is, decrypting the received data with the stored transmission key; if it is not, generating and storing the transmission key, then decrypting the received data with the newly generated transmission key.
That is, in this embodiment, once the first endpoint device (or the second endpoint device) has generated the transmission key for the first and second endpoint devices it may store that key, and when the same key is needed again for encryption or decryption the stored key can be used directly instead of being generated anew, which improves the speed and efficiency of encryption and decryption.
In a possible implementation, the first endpoint device 11 generating the transmission key may include:
sending a request for the second transmission key to the central device and receiving the second transmission key sent by the central device;
generating the transmission key from the first transmission key and the received second transmission key.
The central device 12 may be specifically configured to receive the first endpoint device's request for the second transmission key and to send the second transmission key to the first endpoint device in response.
Similarly, the second endpoint device 13 generating the transmission key may include:
sending a request for the first transmission key to the central device and receiving the first transmission key sent by the central device;
generating the transmission key from the second transmission key and the received first transmission key.
In that case the central device 12 may be specifically configured to receive the second endpoint device's request for the first transmission key and to send the first transmission key to the second endpoint device in response.
That is, in this embodiment, the central device provides the second transmission key (or first transmission key) it holds to the first endpoint device (or second endpoint device) on that device's request, so that the requesting endpoint device can generate the transmission key for the first and second endpoint devices.
In a possible implementation, the central device 12 is further configured to store a first public key corresponding to the first endpoint device;
the second transmission key stored by the central device 12 is a second public-key-encrypted transmission key, produced as follows:
the second endpoint device encrypts the second transmission key with its stored encryption key to obtain a second encrypted transmission key, encrypts that second encrypted transmission key with the central public key corresponding to the central device to obtain the second public-key-encrypted transmission key, and sends the second public-key-encrypted transmission key together with the second public key to the central device for storage;
the central device 12 sending the second transmission key to the first endpoint device may include:
decrypting the stored second public-key-encrypted transmission key with the central private key corresponding to the central public key to recover the second encrypted transmission key, encrypting that second encrypted transmission key with the stored first public key to obtain a second public-key-re-encrypted transmission key, and sending the second public-key-re-encrypted transmission key to the first endpoint device;
the first endpoint device 11 receiving the second transmission key sent by the central device and generating the transmission key from the first transmission key and the received second transmission key may include:
receiving the second public-key-re-encrypted transmission key sent by the central device;
decrypting the second public-key-re-encrypted transmission key with the first private key corresponding to the first public key to recover the second encrypted transmission key, decrypting that second encrypted transmission key again with the stored encryption key to recover the second transmission key, and generating the transmission key from the first transmission key and the second transmission key so recovered.
Similarly, the center-end device 12 is further configured to store a second public key corresponding to the second endpoint device;
the first transmission key stored by the center-end device 12 is a first public-key-encrypted transmission key;
the first endpoint device encrypts the first transmission key with the stored encryption key to obtain a first encrypted transmission key, encrypts the first encrypted transmission key with the center-end public key corresponding to the center-end device to obtain the first public-key-encrypted transmission key, and sends the first public-key-encrypted transmission key together with the first public key to the center-end device for storage;
sending the first transmission key to the second endpoint device by the center-end device 12 may include:
decrypting the stored first public-key-encrypted transmission key with the center-end private key corresponding to the center-end public key to obtain the first encrypted transmission key, encrypting that first encrypted transmission key with the stored second public key to obtain a first public-key re-encrypted transmission key, and sending the first public-key re-encrypted transmission key to the second endpoint device;
the second endpoint device 13 receiving the first transmission key sent by the center-end device and generating the transmission key according to the second transmission key and the received first transmission key may include:
receiving the first public-key re-encrypted transmission key sent by the center-end device;
decrypting the first public-key re-encrypted transmission key with the second private key corresponding to the second public key to obtain the first encrypted transmission key, decrypting that first encrypted transmission key again with the stored encryption key to obtain the first transmission key, and generating the transmission key according to the second transmission key and the first transmission key so obtained.
It should be noted that embodiments of the present invention are not limited to storing and transmitting the transmission key corresponding to each endpoint device in the above manner. Storing and transmitting the transmission keys in this manner, however, effectively protects them both at rest on the center-end device and in transit, and so further improves the security of data transmission: the encryption key is held only by the endpoint devices, so the center-end device can at most recover an encrypted transmission key and never a transmission key itself.
A specific example of the above embodiment is given below.
Each endpoint device (including the first endpoint device and the second endpoint device) and the center-end device has a corresponding key pair, denoted K, consisting of a public key and a private key, denoted KPU and KPR. In addition, all endpoint devices store the same encryption key in advance, denoted KK.
Each endpoint device registers with the center-end device. During registration, the endpoint device generates its own transmission key, denoted TK, encrypts TK with KK to obtain TK2, further encrypts TK2 with the public key of the center-end device, denoted KPU_S, to obtain TK3, and sends its own public key KPU together with TK3 to the center-end device for storage.
For example, the first endpoint device (denoted endpoint device A) generates its transmission key TK_A, encrypts TK_A with KK to obtain TK_A2, encrypts TK_A2 with the center-end public key KPU_S to obtain TK_A3, and sends its public key KPU_A together with TK_A3 to the center-end device for storage.
The second endpoint device (denoted endpoint device B) generates its transmission key TK_B, encrypts TK_B with KK to obtain TK_B2, encrypts TK_B2 with KPU_S to obtain TK_B3, and sends its public key KPU_B together with TK_B3 to the center-end device for storage.
When the first endpoint device needs to send data D to the second endpoint device, it first determines whether it has stored a previously generated transmission key for the pair, denoted TK_AB. TK_AB is generated from TK_A and TK_B in any chosen way, written here as TK_AB = TK_A + TK_B. If TK_AB is stored, the first endpoint device encrypts the data with the stored TK_AB (the encrypted data is denoted ED) and sends it to the second endpoint device; if not, it generates TK_AB, stores it, and encrypts the data with the newly generated TK_AB before sending it to the second endpoint device.
To generate TK_AB, the first endpoint device sends a request for the second transmission key TK_B to the center-end device. On this request, the center-end device decrypts the stored TK_B3 with the center-end private key KPR_S to obtain TK_B2, encrypts TK_B2 with the stored first public key KPU_A to obtain TK_B3', and sends TK_B3' to the first endpoint device. The first endpoint device decrypts TK_B3' with its first private key KPR_A to obtain TK_B2, decrypts TK_B2 again with the encryption key KK to obtain TK_B, and then generates TK_AB from TK_A and TK_B.
After the first endpoint device sends the encrypted data ED to the second endpoint device, the second endpoint device determines whether it has stored the generated transmission key TK_AB for the pair. If so, it decrypts the received data with the stored TK_AB to obtain D; if not, it generates TK_AB, stores it, and decrypts the received data with the generated TK_AB to obtain D.
The second endpoint device generates TK_AB in the same way as the first endpoint device. It sends a request for the first transmission key TK_A to the center-end device. On this request, the center-end device decrypts the stored TK_A3 with KPR_S to obtain TK_A2, encrypts TK_A2 with the stored second public key KPU_B to obtain TK_A3', and sends TK_A3' to the second endpoint device. The second endpoint device decrypts TK_A3' with its second private key KPR_B to obtain TK_A2, decrypts TK_A2 again with KK to obtain TK_A, and then generates TK_AB from TK_A and TK_B.
With the scheme provided by this embodiment, the center-end device is prevented from obtaining the transmission key that directly encrypts the data, which improves the security of data transmission. Encrypted data transmission can also be carried out in several ways, with or without the center-end device on the data path, which improves the flexibility of data transmission and, further, its security.
From the data sending end device side, an embodiment of the present invention further provides a data transmission method, where a flow of steps of the method may be as shown in fig. 2, and the method includes:
step 101, determining generated transmission keys for a first endpoint device and a second endpoint device.
The transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from the center end device.
In one possible implementation, this step may include: determining whether a generated transmission key for the first endpoint device and the second endpoint device is stored; if so, encrypting the data with the stored transmission key and sending it to the second endpoint device; if not, generating and storing the transmission key, and encrypting the data with the generated transmission key and sending it to the second endpoint device.
In one possible implementation, generating the transmission key for the first endpoint device and the second endpoint device may include:
and sending a request for acquiring a second transmission key to the center-end equipment, receiving the second transmission key sent by the center-end equipment, and generating the transmission key according to the first transmission key and the received second transmission key.
Further, in a possible implementation manner, receiving a second transmission key sent by the center-end device, and generating a transmission key according to the first transmission key and the received second transmission key may include:
receiving the second public-key re-encrypted transmission key sent by the center-end device;
decrypting the second public-key re-encrypted transmission key with the first private key corresponding to the first public key to obtain the second encrypted transmission key, decrypting that second encrypted transmission key again with the stored encryption key to obtain the second transmission key, and generating the transmission key according to the first transmission key and the second transmission key so obtained.
Step 102, encrypting the data with the determined transmission key and sending the encrypted data to the second endpoint device.
From the center device side, an embodiment of the present invention further provides a data transmission method, where a flow of steps of the method may be as shown in fig. 3, and the method includes:
step 201, saving the first transmission key and the second transmission key.
Step 202, providing the second transmission key to the first endpoint device and the first transmission key to the second endpoint device.
In one possible implementation, providing the second transmission key to the first endpoint device may include: and receiving a request for acquiring a second transmission key sent by the first end point equipment, and sending the second transmission key to the first end point equipment according to the request.
Further, in a possible implementation, the center-end device may also store a first public key corresponding to the first endpoint device. The stored second transmission key may be a second public-key-encrypted transmission key: the second endpoint device encrypts the second transmission key with the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key with the center-end public key corresponding to the center-end device to obtain the second public-key-encrypted transmission key, and sends the second public-key-encrypted transmission key together with the second public key to the center-end device for storage.
At this time, the sending, by the center end device, the second transmission key to the first end point device may include:
and decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device.
In one possible implementation, providing the first transmission key to the second endpoint device may include:
and receiving a request for acquiring the first transmission key sent by the second end point equipment, and sending the first transmission key to the second end point equipment according to the request.
Further, in a possible implementation, the center-end device may also store a second public key corresponding to the second endpoint device. The stored first transmission key may be a first public-key-encrypted transmission key: the first endpoint device encrypts the first transmission key with the stored encryption key to obtain a first encrypted transmission key, encrypts the first encrypted transmission key with the center-end public key corresponding to the center-end device to obtain the first public-key-encrypted transmission key, and sends the first public-key-encrypted transmission key together with the first public key to the center-end device for storage.
At this time, the sending, by the center end device, the first transmission key to the second end device may include:
and decrypting the stored first public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a first encryption transmission key, encrypting the decrypted first encryption transmission key by using a stored second public key to obtain a first public key re-encryption transmission key, and sending the first public key re-encryption transmission key to the second endpoint device.
From the data receiving end device side, an embodiment of the present invention further provides a data transmission method, where a flow of steps of the method may be as shown in fig. 4, and includes:
step 301, determining the generated transmission keys for the first endpoint device and the second endpoint device.
The transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from the center endpoint device.
In one possible implementation, the step may include: the method includes determining whether generated transmission keys for the first endpoint device and the second endpoint device are stored, decrypting received data transmitted by the first endpoint device and encrypted by the transmission keys using the stored transmission keys if the transmission keys are determined to be stored, generating and storing the transmission keys if the transmission keys are determined not to be stored, and decrypting received data transmitted by the first endpoint device and encrypted by the transmission keys using the generated transmission keys.
In one possible implementation, generating the transmission key for the first endpoint device and the second endpoint device may include:
and sending a request for acquiring the first transmission key to the center-end equipment, receiving the first transmission key sent by the center-end equipment, and generating the transmission key according to the second transmission key and the received first transmission key.
Further, in a possible implementation manner, receiving a first transmission key sent by the center-end device, and generating a transmission key according to a second transmission key and the received first transmission key may include:
receiving the first public-key re-encrypted transmission key sent by the center-end device;
decrypting the first public-key re-encrypted transmission key with the second private key corresponding to the second public key to obtain the first encrypted transmission key, decrypting that first encrypted transmission key again with the stored encryption key to obtain the first transmission key, and generating the transmission key according to the second transmission key and the first transmission key so obtained.
Step 302, decrypting, with the determined transmission key, the received data that was sent by the first endpoint device and encrypted with the transmission key.
Corresponding to the provided method, the following device is further provided.
An embodiment of the present invention provides a data transmission apparatus, which may be integrated in an endpoint device, where the endpoint device may be a data sending end device (i.e., a first endpoint device), and a structure of the apparatus may be as shown in fig. 5, where the apparatus includes:
the determining module 21 is configured to determine the generated transmission keys for the first endpoint device and the second endpoint device;
the transmission module 22 is configured to encrypt data and send the encrypted data to the second endpoint device by using the determined transmission key;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from a center end device.
In a possible implementation manner, the determining module 21 may be specifically configured to determine whether the generated transmission keys for the first endpoint device and the second endpoint device are stored, if it is determined that the transmission keys are stored, encrypt the data with the stored transmission keys and send the encrypted data to the second endpoint device, and if it is determined that the transmission keys are not stored, generate and store the transmission keys, and encrypt the data with the generated transmission keys and send the encrypted data to the second endpoint device.
In a possible implementation manner, the determining module 21 generates a transmission key for the first endpoint device and the second endpoint device, and may include:
and sending a request for acquiring a second transmission key to the center-end equipment, receiving the second transmission key sent by the center-end equipment, and generating the transmission key according to the first transmission key and the received second transmission key.
Further, in a possible implementation manner, the determining module 21 receives a second transmission key sent by the center device, and generates a transmission key according to the first transmission key and the received second transmission key, which may include:
receiving the second public-key re-encrypted transmission key sent by the center-end device;
decrypting the second public-key re-encrypted transmission key with the first private key corresponding to the first public key to obtain the second encrypted transmission key, decrypting that second encrypted transmission key again with the stored encryption key to obtain the second transmission key, and generating the transmission key according to the first transmission key and the second transmission key so obtained.
An embodiment of the present invention provides a data transmission apparatus, which may be integrated in a central device, and a structure of the apparatus may be as shown in fig. 6, where the apparatus includes:
the saving module 31 is configured to save the first transmission key and the second transmission key;
the providing module 32 is configured to provide the second transmission key to the first endpoint device, so that the first endpoint device generates the transmission keys for the first endpoint device and the second endpoint device according to the first transmission key and the second transmission key corresponding to the first endpoint device and the second endpoint device, and encrypts data by using the transmission keys and then sends the encrypted data to the second endpoint device; and providing the first transmission key to a second endpoint device, so that the second endpoint device generates a transmission key for the first endpoint device and the second endpoint device according to a second transmission key corresponding to the second endpoint device and the first transmission key, and decrypts the received data which is sent by the first endpoint device and encrypted by using the transmission key.
In a possible implementation manner, the providing module 32 provides the second transmission key to the first endpoint device, and may include: and receiving a request for acquiring a second transmission key sent by the first end point equipment, and sending the second transmission key to the first end point equipment according to the request.
Further, in a possible implementation, the saving module 31 may also save a first public key corresponding to the first endpoint device. The stored second transmission key may be a second public-key-encrypted transmission key: the second endpoint device encrypts the second transmission key with the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key with the center-end public key corresponding to the center-end device to obtain the second public-key-encrypted transmission key, and sends the second public-key-encrypted transmission key together with the second public key to the saving module 31 for storage.
At this time, the providing module 32 sends the second transmission key to the first endpoint device, which may include:
and decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device.
In one possible implementation, the providing module 32 provides the first transmission key to the second endpoint device, and may include: and receiving a request for acquiring the first transmission key sent by the second end point equipment, and sending the first transmission key to the second end point equipment according to the request.
Further, in a possible implementation, the saving module 31 may also save a second public key corresponding to the second endpoint device. The stored first transmission key may be a first public-key-encrypted transmission key: the first endpoint device encrypts the first transmission key with the stored encryption key to obtain a first encrypted transmission key, encrypts the first encrypted transmission key with the center-end public key corresponding to the center-end device to obtain the first public-key-encrypted transmission key, and sends the first public-key-encrypted transmission key together with the first public key to the saving module 31 for storage.
At this time, the providing module 32 sends the first transmission key to the second endpoint device, which may include:
and decrypting the stored first public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a first encryption transmission key, encrypting the decrypted first encryption transmission key by using a stored second public key to obtain a first public key re-encryption transmission key, and sending the first public key re-encryption transmission key to the second endpoint device.
An embodiment of the present invention provides a data transmission apparatus, which may be integrated in an endpoint device, where the endpoint device may serve as a data receiving end device (i.e., a second endpoint device), and a structure of the apparatus may be as shown in fig. 7, where the apparatus includes:
the determining module 41 is configured to determine the generated transmission keys for the first endpoint device and the second endpoint device;
the transmission module 42 is configured to decrypt, by using the determined transmission key, the received data sent by the first endpoint device and encrypted by using the transmission key;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from a center end device.
In a possible implementation manner, the determining module 41 may be specifically configured to determine whether the generated transmission keys for the first endpoint device and the second endpoint device are stored, decrypt, if it is determined that the transmission key is stored, the received data sent by the first endpoint device and encrypted by using the transmission key, using the stored transmission key, and if it is determined that the transmission key is not stored, generate and store the transmission key, and decrypt, using the generated transmission key, the received data sent by the first endpoint device and encrypted by using the transmission key.
In one possible implementation, the determining module 41 generates the transmission key for the first endpoint device and the second endpoint device, and may include:
and sending a request for acquiring the first transmission key to the center-end equipment, receiving the first transmission key sent by the center-end equipment, and generating the transmission key according to the second transmission key and the received first transmission key.
Further, in a possible implementation manner, the determining module 41 receives a first transmission key sent by the center device, and generates a transmission key according to a second transmission key and the received first transmission key, which may include:
receiving the first public-key re-encrypted transmission key sent by the center-end device;
decrypting the first public-key re-encrypted transmission key with the second private key corresponding to the second public key to obtain the first encrypted transmission key, decrypting that first encrypted transmission key again with the stored encryption key to obtain the first transmission key, and generating the transmission key according to the second transmission key and the first transmission key so obtained.
The functions of the functional units of the apparatuses provided in the above embodiments of the present invention may be implemented by the steps of the corresponding methods, and therefore, detailed working processes and beneficial effects of the functional units in the apparatuses provided in the embodiments of the present invention are not described herein again.
It should be noted that, in this embodiment, one endpoint device may be used as a data receiving end device (i.e., a second endpoint device) or a data sending end device (i.e., a first endpoint device), and therefore, in a possible implementation manner, it may be understood that the apparatuses shown in fig. 5 and fig. 7 may be integrated in the same endpoint device, and details of this embodiment are not described again.
Based on the same inventive concept, embodiments of the present invention provide the following apparatus and medium.
An embodiment of the present invention provides a data transmission device, which may have a structure as shown in fig. 8, and includes a processor 51, a communication interface 52, a memory 53, and a communication bus 54, where the processor 51, the communication interface 52, and the memory 53 complete mutual communication through the communication bus 54;
the memory 53 is used for storing computer programs;
the processor 51 is configured to implement the steps of the above method embodiments of the present invention when executing the program stored in the memory.
Optionally, the processor 51 may specifically include a central processing unit (CPU), an application-specific integrated circuit (ASIC), one or more integrated circuits for controlling program execution, a hardware circuit developed with a field-programmable gate array (FPGA), or a baseband processor.
Optionally, the processor 51 may include at least one processing core.
Alternatively, the memory 53 may include a read-only memory (ROM), a random access memory (RAM), and a disk memory. The memory 53 stores the data required by the at least one processor 51 during operation. There may be one or more memories 53.
An embodiment of the present invention further provides a non-volatile computer storage medium, where the computer storage medium stores an executable program, and when the executable program is executed by a processor, the method provided in the foregoing method embodiment of the present invention is implemented.
In particular implementations, the computer storage medium may include various storage media capable of storing program code, such as a universal serial bus (USB) flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
In the embodiments of the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the described unit or division of units is only one division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical or other form.
The functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be an independent physical module.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device, such as a personal computer, a server, or a network device, or a processor to execute all or part of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (14)

1. A data transmission system, comprising a central end device, a first end device, and a second end device, wherein:
the first endpoint device is configured to determine a generated transmission key for the first endpoint device and the second endpoint device, encrypt data by using the transmission key, and send the encrypted data to the second endpoint device, where the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device;
the center-end device is configured to store the first transmission key and provide the first transmission key to the second endpoint device; and saving the second transmission key, providing the second transmission key to the first endpoint device;
the second endpoint device is configured to determine a generated transmission key for the first endpoint device and the second endpoint device, and decrypt, using the transmission key, received data that is sent by the first endpoint device and encrypted by using the transmission key, where the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device;
the center end device is also used for storing a first public key corresponding to the first endpoint device;
the second transmission key stored by the center end device is a second public key encryption transmission key;
the second endpoint device encrypts the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key by using a center public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sends the second public key encrypted transmission key and the second public key to the center end device for storage;
the center-end device providing the second transmission key to the first endpoint device, including:
decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device;
the first endpoint device determining the generated transmission keys for the first endpoint device and the second endpoint device, comprising:
receiving the second public key re-encrypted transmission key sent by the center end device;
decrypting the second public key re-encrypted transmission key by using a first private key corresponding to the first public key to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; and generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again.
2. The system of claim 1, wherein the first endpoint device, determining generated transmission keys for the first endpoint device and the second endpoint device, and using the transmission keys to encrypt data for transmission to the second endpoint device, comprises:
determining whether the generated transmission keys aiming at the first endpoint device and the second endpoint device are stored, if so, encrypting data by using the stored transmission keys and then sending the encrypted data to the second endpoint device, if not, generating and storing the transmission keys, and encrypting data by using the generated transmission keys and then sending the encrypted data to the second endpoint device.
3. The system of claim 1, wherein the second endpoint device, determining the generated transmission keys for the first endpoint device and the second endpoint device, and using the transmission keys to decrypt the received data sent by the first endpoint device encrypted using the transmission keys, comprises:
determining whether the generated transmission keys for the first endpoint device and the second endpoint device are stored, if the transmission keys are determined to be stored, decrypting the received data sent by the first endpoint device and encrypted by the transmission keys by using the stored transmission keys, if the transmission keys are determined not to be stored, generating and storing the transmission keys, and decrypting the received data sent by the first endpoint device and encrypted by using the transmission keys by using the generated transmission keys.
4. The system of claim 2, wherein the first endpoint device, generating the transmission key, comprises:
sending a request for acquiring the second transmission key to the center end device, and receiving the second transmission key sent by the center end device;
generating the transmission key according to the first transmission key and the received second transmission key;
the center end device is specifically configured to receive a request for obtaining the second transmission key sent by the first endpoint device, and send the second transmission key to the first endpoint device according to the request.
5. The system of claim 3, wherein the second endpoint device, generating the transmission key, comprises:
sending a request for acquiring the first transmission key to the center end device, and receiving the first transmission key sent by the center end device;
generating the transmission key according to the second transmission key and the received first transmission key;
the center end device is specifically configured to receive a request for obtaining the first transmission key sent by the second endpoint device, and send the first transmission key to the second endpoint device according to the request.
6. The system of claim 5, wherein the center end device is further configured to store a second public key corresponding to the second endpoint device;
the first transmission key stored by the center end device is a first public key encryption transmission key;
the first endpoint device encrypts the first transmission key by using the stored encryption key to obtain a first encrypted transmission key, encrypts the first encrypted transmission key by using a center end public key corresponding to the center end device to obtain a first public key encrypted transmission key, and sends the first public key encrypted transmission key and the first public key to the center end device for storage;
the sending, by the center-end device, the first transmission key to the second endpoint device includes:
decrypting the stored first public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a first encryption transmission key, encrypting the decrypted first encryption transmission key by using the stored second public key to obtain a first public key re-encryption transmission key, and sending the first public key re-encryption transmission key to the second endpoint device;
the second endpoint device receives the first transmission key sent by the center end device; generating the transmission key according to the second transmission key and the received first transmission key, including:
receiving the first public key re-encrypted transmission key sent by the center end device;
decrypting the first public key re-encrypted transmission key by using a second private key corresponding to the second public key to obtain a first encrypted transmission key, and decrypting the decrypted first encrypted transmission key again by using the stored encryption key to obtain a first transmission key; and generating the transmission key according to the second transmission key and the first transmission key obtained by decrypting again.
7. A method of data transmission, the method comprising:
determining a generated transmission key for the first endpoint device and the second endpoint device;
encrypting the data by using the determined transmission key and then sending the encrypted data to the second endpoint device;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from a center end device;
determining a generated transmission key for a first endpoint device and a second endpoint device, comprising:
receiving the second public key re-encrypted transmission key sent by the center end device;
decrypting the second public key re-encrypted transmission key by using a first private key corresponding to a first public key corresponding to the first endpoint device to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again;
the second endpoint device encrypts the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key by using a center public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sends the second public key encrypted transmission key and the second public key to the center end device for storage;
the center end device is also used for storing a first public key corresponding to the first endpoint device; and decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device.
8. A method of data transmission, the method comprising:
saving the first transmission key and the second transmission key;
providing the second transmission key to a first endpoint device, so that the first endpoint device generates the transmission keys for the first endpoint device and a second endpoint device according to the first transmission key and the second transmission key corresponding to the first endpoint device and the second endpoint device, and encrypting data by using the transmission keys and then sending the encrypted data to the second endpoint device; providing the first transmission key to a second endpoint device, so that the second endpoint device generates a transmission key for the first endpoint device and the second endpoint device according to a second transmission key corresponding to the second endpoint device and the first transmission key, and decrypts received data which is sent by the first endpoint device and encrypted by using the transmission key;
the method further comprises the following steps:
storing a first public key corresponding to the first endpoint device;
the stored second transmission key is a second public key encryption transmission key;
the second endpoint device encrypts the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key by using a center public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sends the second public key encrypted transmission key and the second public key to the center end device for storage;
providing the second transmission key to the first endpoint device, comprising:
decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device;
the first endpoint device generating a transmission key for the first endpoint device and the second endpoint device, comprising:
receiving the second public key re-encrypted transmission key sent by the center end device;
decrypting the second public key re-encrypted transmission key by using a first private key corresponding to the first public key to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; and generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again.
9. A method of data transmission, the method comprising:
determining a generated transmission key for the first endpoint device and the second endpoint device;
decrypting, by using the determined transmission key, the received data which is sent by the first endpoint device and encrypted by using the transmission key;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from a center end device;
the method further comprises the following steps:
encrypting the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypting the second encrypted transmission key by using a center end public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sending the second public key encrypted transmission key and the second public key to the center end device for storage;
the center end device is also used for storing a first public key corresponding to the first endpoint device; decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device;
the first end point device is used for receiving the second public key re-encrypted transmission key sent by the central end device; decrypting the second public key re-encrypted transmission key by using a first private key corresponding to the first public key to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; and generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again.
10. A data transmission apparatus, characterized in that the apparatus comprises:
a determining module for determining the generated transmission keys for the first and second endpoint devices;
the transmission module is used for encrypting data by using the determined transmission key and then sending the encrypted data to the second endpoint device;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the second transmission key corresponding to the second endpoint device is obtained from a center end device;
determining a generated transmission key for a first endpoint device and a second endpoint device, comprising:
receiving the second public key re-encrypted transmission key sent by the center end device;
decrypting the second public key re-encrypted transmission key by using a first private key corresponding to a first public key corresponding to the first endpoint device to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again;
the second endpoint device encrypts the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key by using a center public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sends the second public key encrypted transmission key and the second public key to the center end device for storage;
the center end device is also used for storing a first public key corresponding to the first endpoint device; and decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device.
11. A data transmission apparatus, characterized in that the apparatus comprises:
the storage module is used for storing the first transmission key and the second transmission key;
a providing module, configured to provide the second transmission key to a first endpoint device, so that the first endpoint device generates a transmission key for the first endpoint device and a second endpoint device according to a first transmission key corresponding to the first endpoint device and the second transmission key, and encrypts data by using the transmission key and then sends the encrypted data to the second endpoint device; providing the first transmission key to a second endpoint device, so that the second endpoint device generates a transmission key for the first endpoint device and the second endpoint device according to a second transmission key corresponding to the second endpoint device and the first transmission key, and decrypts received data which is sent by the first endpoint device and encrypted by using the transmission key;
the apparatus also comprises a module for storing a first public key corresponding to the first endpoint device;
the second transmission key stored by the storage module is a second public key encryption transmission key;
the second endpoint device encrypts the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypts the second encrypted transmission key by using a center public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sends the second public key encrypted transmission key and the second public key to the center end device for storage;
providing the second transmission key to the first endpoint device, comprising:
decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device;
the first endpoint device generating a transmission key for the first endpoint device and the second endpoint device, comprising:
receiving the second public key re-encrypted transmission key sent by the center end device;
decrypting the second public key re-encrypted transmission key by using a first private key corresponding to the first public key to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; and generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again.
12. A data transmission apparatus, characterized in that the apparatus comprises:
a determining module for determining the generated transmission keys for the first and second endpoint devices;
the transmission module is used for decrypting, by using the determined transmission key, the received data which is sent by the first endpoint device and encrypted by using the transmission key;
the transmission key is generated according to a first transmission key corresponding to the first endpoint device and a second transmission key corresponding to the second endpoint device, and the first transmission key corresponding to the first endpoint device is obtained from a center end device;
the apparatus also comprises a module for encrypting the second transmission key by using the stored encryption key to obtain a second encrypted transmission key, encrypting the second encrypted transmission key by using a center end public key corresponding to the center end device to obtain a second public key encrypted transmission key, and sending the second public key encrypted transmission key and the second public key to the center end device for storage;
the center end device is also used for storing a first public key corresponding to the first endpoint device; decrypting the stored second public key encryption transmission key by using a central end private key corresponding to the central end public key to obtain a second encryption transmission key, encrypting the decrypted second encryption transmission key by using the stored first public key to obtain a second public key re-encryption transmission key, and sending the second public key re-encryption transmission key to the first endpoint device;
the first end point device is used for receiving the second public key re-encrypted transmission key sent by the central end device; decrypting the second public key re-encrypted transmission key by using a first private key corresponding to the first public key to obtain a second encrypted transmission key, and decrypting the decrypted second encrypted transmission key again by using the stored encryption key to obtain a second transmission key; and generating the transmission key according to the first transmission key and a second transmission key obtained by decrypting again.
13. A non-transitory computer storage medium storing an executable program for execution by a processor to perform the method of any one of claims 7 to 9.
14. A data transmission device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor, when executing the program stored in the memory, implements the method steps of any of claims 7 to 9.
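The key-delivery path of claims 1 and 7 to 9, as an added worked model in Go that is not part of the patent or of the applicant's code: each endpoint wraps its own transmission key under the stored encryption key, encrypts that under the center end public key and deposits it with its own public key; the center end decrypts with its private key, re-encrypts under the requesting endpoint's public key, and never holds the plaintext. The concrete primitives and the combiner are assumptions the claims leave open: AES-256-GCM for the stored encryption key (assumed shared by both endpoints), RSA-OAEP for the public-key layers, and SHA-256 over the two transmission keys ordered by endpoint id.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal encrypts with AES-256-GCM (nonce prepended); open reverses it and rejects tampering.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, io.ErrUnexpectedEOF
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// RSA-OAEP stands in for the "public key" encryption the claims leave unspecified.
func oaepEncrypt(pub *rsa.PublicKey, msg []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil))
}
func oaepDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}
func genRSA() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Center keeps each endpoint's public key and its "public key encrypted" transmission
// key; the plaintext transmission key never reaches it.
type Center struct {
	priv    *rsa.PrivateKey
	wrapped map[string][]byte
	pubs    map[string]*rsa.PublicKey
}
func NewCenter() *Center {
	return &Center{genRSA(), map[string][]byte{}, map[string]*rsa.PublicKey{}}
}
// Provide: decrypt ownerID's blob with the center private key (result is still wrapped
// under encKey) and re-encrypt it under requesterID's stored public key.
func (c *Center) Provide(ownerID, requesterID string) ([]byte, error) {
	encryptedTK, err := oaepDecrypt(c.priv, c.wrapped[ownerID])
	if err != nil {
		return nil, err
	}
	return oaepEncrypt(c.pubs[requesterID], encryptedTK), nil
}

// Endpoint models the first or second endpoint device of the claims.
type Endpoint struct {
	id     string
	tk     []byte // own transmission key
	encKey []byte // "stored encryption key"; assumed pre-provisioned to both endpoints
	priv   *rsa.PrivateKey
}
func NewEndpoint(id string, encKey []byte) *Endpoint {
	return &Endpoint{id, randomBytes(32), encKey, genRSA()}
}
// Register wraps tk under encKey, encrypts that under the center public key and
// deposits it together with the endpoint public key at the center.
func (e *Endpoint) Register(c *Center) {
	c.wrapped[e.id] = oaepEncrypt(&c.priv.PublicKey, seal(e.encKey, e.tk))
	c.pubs[e.id] = &e.priv.PublicKey
}
// DeriveTransmissionKey strips both layers (own private key, then encKey) and combines
// own and peer keys. Combiner is an assumption (claims fix none): SHA-256 over the two
// keys ordered by endpoint id, so both sides derive the same value.
func (e *Endpoint) DeriveTransmissionKey(peerID string, reEncryptedTK []byte) ([]byte, error) {
	encryptedTK, err := oaepDecrypt(e.priv, reEncryptedTK)
	if err != nil {
		return nil, err
	}
	peerTK, err := open(e.encKey, encryptedTK)
	if err != nil {
		return nil, err
	}
	first, second := e.tk, peerTK
	if peerID < e.id {
		first, second = peerTK, e.tk
	}
	sum := sha256.Sum256(append(append([]byte{}, first...), second...))
	return sum[:], nil
}
```

The property the abstract claims is visible in Provide: what the center end can decrypt with its own private key is still the encKey-wrapped key, so a compromised center store yields no usable transmission key. The scheme stands or falls on the stored encryption key being provisioned to the endpoints out of band and never to the center end, which the claims assume rather than describe.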
CN202011058023.XA 2020-09-29 2020-09-29 Data transmission system, method, device, medium and equipment Active CN112688909B (en)

Publications (2)

Publication Number Publication Date
CN112688909A CN112688909A (en) 2021-04-20
CN112688909B true CN112688909B (en) 2021-09-21





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant