CN116208419A - Gateway-based data processing method, device, computer and medium - Google Patents

Publication number
CN116208419A
Authority
CN
China
Prior art keywords
service
gateway
encrypted data
data
key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310224157.1A
Other languages
Chinese (zh)
Inventor
陈鑫
王为举
赵传涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Proscenic Technology Co Ltd
Original Assignee
Shenzhen Proscenic Technology Co Ltd
Application filed by Shenzhen Proscenic Technology Co Ltd
Priority to CN202310224157.1A
Publication of CN116208419A
Legal status: pending

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication)
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks
            • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 12/00 Data switching networks
        • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
        • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L 9/3247 involving digital signatures

Abstract

The invention discloses a gateway-based data processing method, device, computer and medium. The method comprises: receiving a service request sent by a target client that contains first encrypted data and a service identifier, and determining a service processing object among all servers according to the service identifier; obtaining, from the service processing object, the gateway private key that matches the gateway public key, and decrypting the first encrypted data with that private key; sending the decrypted first encrypted data to the service processing object so that it can perform service processing on it; receiving the plaintext feedback data generated by that service processing and signing it with the gateway private key to obtain second encrypted data; and sending the second encrypted data to the target client so that the target client can verify its signature with the gateway public key and obtain a verification result. The invention improves the efficiency of data encryption and decryption.

Description

Gateway-based data processing method, device, computer and medium
Technical Field
The present invention relates to the field of data processing, and in particular, to a gateway-based data processing method, apparatus, computer, and medium.
Background
While a client and a server exchange data, both the client's request data and the server's returned data are at risk of being intercepted in transit. The sender therefore has to encrypt the data it transmits, and the receiver has to decrypt it, before the transfer is complete. At present each client and each server manages its own encryption and decryption sub-service, and intranet traffic between servers also has to be encrypted and decrypted, which increases the servers' resource consumption.
Disclosure of Invention
On this basis, the invention provides a gateway-based data processing method, device, computer and medium, to solve the problem that existing encryption and decryption arrangements increase server resource consumption.
A gateway-based data processing method, comprising:
receiving a service request sent by a target client that contains first encrypted data and a service identifier, and determining a service processing object among all servers according to the service identifier; the first encrypted data is produced by the target client by encrypting plaintext request data with the gateway public key corresponding to the service identifier; the target client is whichever client sent the service request;
obtaining, from the service processing object, the gateway private key matching that gateway public key, and decrypting the first encrypted data with the gateway private key;
sending the decrypted first encrypted data to the service processing object so that it can perform service processing on it;
receiving the plaintext feedback data generated by that service processing, and signing it with the gateway private key to obtain second encrypted data;
and sending the second encrypted data to the target client so that the target client can verify its signature with the gateway public key and obtain a verification result.
A gateway-based data processing apparatus, comprising:
a first receiving module, configured to receive a service request sent by the target client that contains first encrypted data and a service identifier, and to determine a service processing object among all servers according to the service identifier; the first encrypted data is produced by the target client by encrypting plaintext request data with the gateway public key corresponding to the service identifier; the target client is whichever client sent the service request;
a decryption module, configured to obtain, from the service processing object, the gateway private key matching the gateway public key, and to decrypt the first encrypted data with it;
a first sending module, configured to send the decrypted first encrypted data to the service processing object so that it can perform service processing on it;
a second receiving module, configured to receive the plaintext feedback data generated by that service processing, and to sign it with the gateway private key to obtain second encrypted data;
and a second sending module, configured to send the second encrypted data to the target client so that the target client can verify its signature with the gateway public key and obtain a verification result.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the gateway-based data processing method described above when the computer program is executed.
A computer readable storage medium storing a computer program which when executed by a processor implements the gateway-based data processing method described above.
In the gateway-based data processing method, after the gateway receives the first encrypted data that the client encrypted with the gateway public key, it decrypts that data with the gateway private key; it sends the decrypted data to the service processing object (one or more servers) so that the object can perform service processing on it; and after receiving the plaintext feedback data produced by that processing, it signs the feedback with the gateway private key and sends the resulting second encrypted data to the target client, which verifies the signature with the gateway public key and obtains a verification result. Because the request data and the feedback data exchanged between clients and servers are encrypted, decrypted and signed on a gateway that is connected to the plurality of clients on one side and the plurality of servers on the other, the servers themselves perform no encryption or decryption of that data; server resource consumption is reduced while the transmitted data remains protected, and encryption and decryption are handled more efficiently.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing them are introduced briefly below. The drawings show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic view of an application environment of a gateway-based data processing method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a gateway-based data processing method in an embodiment of the invention;
FIG. 3 is a flowchart of step S120 of a gateway-based data processing method according to an embodiment of the present invention;
FIG. 4 is a schematic view of an application environment of a gateway-based data processing method according to another embodiment of the present invention;
FIG. 5 is a flow chart of a gateway-based data processing method in accordance with yet another embodiment of the present invention;
FIG. 6 is a flow chart of a gateway-based data processing method in accordance with yet another embodiment of the present invention;
FIG. 7 is a flowchart of step S220 of a gateway-based data processing method in accordance with yet another embodiment of the present invention;
FIG. 8 is a schematic diagram of a gateway-based data processing apparatus in accordance with an embodiment of the present invention;
FIG. 9 is a schematic diagram of a computer device in accordance with an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The gateway-based data processing method provided by this application can be applied in the environment shown in fig. 1, where a client (a computer or terminal device) communicates with a server over a network by way of a gateway. Clients include, but are not limited to, personal computers, notebook computers, smartphones, tablets and portable wearable devices. A server may be a stand-alone server or a cluster of servers.
In one embodiment a gateway-based data processing method is provided, described for the gateway of fig. 1, which is communicatively connected to a plurality of clients and a plurality of servers. As shown in fig. 2, the method comprises the following steps:
S110: receiving a service request sent by a target client that contains first encrypted data and a service identifier, and determining a service processing object among all servers according to the service identifier. The first encrypted data is produced by the target client by encrypting plaintext request data with the gateway public key corresponding to the service identifier; the target client is whichever client sent the service request. The service identifier carried in the request contains the device identifiers of the one or more servers that are to process the request and, when there are several, the order in which they process it. The first encrypted data is what protects the request in transit. In one embodiment the plaintext request data is encrypted under the gateway public key using RSA (Rivest-Shamir-Adleman).
S120: obtaining, from the service processing object, the gateway private key matching the gateway public key, and decrypting the first encrypted data with it. The first encrypted data and the service identifier in a request match each other, that is, the gateway private key associated with the service identifier is the one that can decrypt the first encrypted data. The gateway therefore determines the service processing object from the service identifier, each server in that object holds the gateway private key associated with the identifier, and the gateway decrypts the first encrypted data with that key. In one embodiment the decryption is RSA decryption matching the public-key encryption. Note what this step implies: the private key is held by the server and is also handled by the gateway on every request, and it is the gateway rather than the server that sees the plaintext, so in this design the gateway is the trust boundary for all client traffic.
In one embodiment the first encrypted data consists of key-encrypted data, produced by the target client by encrypting the plaintext request data with a client key, and an encrypted key, produced by encrypting that client key with the gateway public key. That is, the client first encrypts the plaintext request data with the client key to produce the key-encrypted data, then encrypts the client key with the gateway public key to produce the encrypted key, and combines the two into the first encrypted data (hybrid encryption: the symmetric client key protects the body, and the public key protects only the short client key). In one embodiment the client key encrypts the plaintext request data using AES (Advanced Encryption Standard).
As shown in fig. 3, in one embodiment decrypting the first encrypted data with the gateway private key in step S120 comprises:
S121: decrypting the encrypted key in the first encrypted data with the gateway private key to obtain the client key. Since the first encrypted data carries both the key-encrypted data (encrypted with the client key) and the encrypted key (the client key encrypted with the gateway public key), the encrypted key has to be decrypted first to recover the client key.
S122: decrypting the key-encrypted data with the client key to obtain the decrypted first encrypted data, that is, the plaintext request data.
S130: sending the decrypted first encrypted data to the service processing object so that it can perform service processing on it. Once the gateway has decrypted the first encrypted data it forwards the plaintext to the service processing object, which performs no decryption of its own and processes the plaintext directly.
The method can also be applied in the environment shown in fig. 4, where a client (a computer or terminal device) communicates with a server over a network by way of a gateway, and the gateway and the servers communicate with a registry over the network. Clients include, but are not limited to, personal computers, notebook computers, smartphones, tablets and portable wearable devices. A server may be a stand-alone server or a cluster of servers.
In one embodiment every server has registered with the registry and passed its verification; all servers are connected to the registry, and the gateway and the servers, as well as the servers among themselves, communicate over the intranet. A server that has registered and been verified can be discovered by the gateway and by the other registered and verified servers, so the gateway routes received service requests only to registered and verified servers, and such servers can connect to one another directly over the intranet, which speeds up data transfer between them.
In one embodiment, step S130, sending the decrypted first encrypted data to the service processing object so that it performs service processing on it, comprises:
when the service processing object comprises at least two servers, treating each server in the object as a target server and determining the processing order of all target servers from the service identifier. That is, when the service identifier in the request names at least two servers and the processing order between them, the service processing object likewise comprises at least two servers, and both the target servers and their order are determined from the identifier.
sending the decrypted first encrypted data over the intranet to the first target server in the order for processing, that server passing the processed data directly over the intranet to the next target server in the order, and so on until the last target server completes its processing. Because servers that have registered with and been verified by the registry can reach one another over the intranet, once the target servers and their order are determined the decrypted data goes to the first target server, which sends its output straight to the next one, until the last target server has finished; this speeds up service processing.
In another embodiment, step S130 comprises:
when the service processing object comprises only one server, sending the decrypted first encrypted data to it over the intranet so that it performs service processing on the decrypted data. With a single server there is nothing to order: the decrypted data is simply sent to that server over the intranet.
S140: receiving the plaintext feedback data generated by the service processing object's service processing, and signing it with the gateway private key to obtain second encrypted data. In this embodiment the plaintext feedback data is generated by the service processing object. Because the service processing object and the gateway are both on the intranet, the object sends its feedback to the gateway without encrypting it. On receiving the plaintext feedback the gateway signs it with the gateway private key; the signed result is the second encrypted data. Note that, as described, this step signs the feedback rather than encrypting it: the second encrypted data is the plaintext feedback together with a signature over it. The signature lets the client detect tampering and confirm that the response came from the holder of the gateway private key, but it does not hide the feedback's content, and no separate encryption of the response is described.
S150: sending the second encrypted data to the target client so that the target client can verify it with the gateway public key and obtain a verification result. After signing the plaintext feedback with the gateway private key, the gateway sends the second encrypted data to the target client, which verifies the signature with the gateway public key and obtains the verification result; a failed verification means the response was altered in transit or was not signed with the expected key.
In summary, after receiving first encrypted data that a client encrypted with the gateway public key, the gateway decrypts it with the gateway private key, sends the decrypted data to the service processing object (the server or servers) for processing, signs the plaintext feedback returned by that processing with the gateway private key, and sends the resulting second encrypted data to the target client, which verifies the signature with the gateway public key. Because the request and feedback data between clients and servers are encrypted, decrypted and signed on the gateway, which is connected to the plurality of clients and the plurality of servers, the servers perform none of this work; their resource consumption is reduced while the data in transit stays protected, and encryption and decryption are handled more efficiently.
As shown in fig. 5, in one embodiment the method further comprises, before step S110 receives the service request containing the first encrypted data and the service identifier:
S160: receiving a creation instruction containing a device identifier, creating a security key pair associated with that device identifier, sending the gateway private key of the pair to the server associated with the device identifier, and sending the gateway public key of the pair to all clients. The security key pair created by the gateway consists of the gateway private key and the matching gateway public key. In one embodiment the number of security key pairs equals the number of servers, so that every server has a key pair associated with its own device identifier (the device identifier uniquely identifies a server). Each key pair is associated with one device identifier; the gateway creates the gateway private key and sends it to the server associated with that identifier, which stores it, and sends the matching gateway public key to all clients, which store it for use.
Through step S160, the gateway creates the security key pair associated with a device identifier, sends its gateway private key to the server associated with that identifier, and sends its gateway public key to all clients, so that each client can encrypt requests for a given server with that server's public key.
As shown in fig. 6, in one embodiment a gateway-based data processing method is also provided, described for a client as in fig. 1, where the client is communicatively connected to a gateway and the gateway to a plurality of servers. The method comprises:
S210: after receiving a service processing instruction containing plaintext request data and a service identifier, determining the gateway public key associated with the service identifier. Each gateway public key held by the client matches one gateway private key, and each server holds the gateway private key corresponding to its own service identifier, so on receiving an instruction carrying a service identifier the client must first select the gateway public key associated with that identifier; only then can the matching gateway private key decrypt what the client encrypts.
S220: encrypting the plaintext request data with the gateway public key to obtain first encrypted data. The gateway public key is stored on the client for this purpose.
S230: after sending a service request containing the first encrypted data and the service identifier to the gateway, on receiving second encrypted data from the gateway, verifying its signature with the gateway public key to obtain a verification result. The second encrypted data is what the gateway produces after determining the service processing object from the service identifier, decrypting the first encrypted data with the gateway private key obtained from the service processing object, sending the decrypted data to the service processing object for processing, receiving the plaintext feedback it returns, and signing that feedback with the gateway private key. The gateway public key thus serves the client twice: to encrypt the request, and to verify the signature that the matching gateway private key placed on the feedback; the verification result is whether that signature on the second encrypted data checks out.
As shown in fig. 7, in one embodiment encrypting the plaintext request data with the gateway public key in step S220 comprises:
S221: encrypting the plaintext request data with a client key to produce key-encrypted data. The client key is created by the client itself; encrypting the plaintext request data with it yields the key-encrypted data. In one embodiment the client key encrypts the plaintext request data using AES (Advanced Encryption Standard).
S222: encrypting the client key with the gateway public key to produce an encrypted key. After producing the key-encrypted data, the client has to deliver both that data and the client key to the service processing side, because the key-encrypted data can only be decrypted with the client key; since the client key itself is plaintext, it is encrypted with the gateway public key before it is sent.
S223: generating the first encrypted data from the key-encrypted data and the encrypted key. The encrypted key can be decrypted to recover the client key, and the client key decrypts the key-encrypted data, so the two are combined into the first encrypted data that is decrypted on the gateway on behalf of the service processing object.
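The whole exchange, covering the client-side steps S221 to S223 and S230 above, the gateway-side steps S121, S122, S140 and S150, and the key-pair creation of S160, as an added example that is not code from the patent or from the assignee. It assumes AES-GCM for the client key, RSA-OAEP for wrapping that key and RSA-PSS for the feedback signature; the patent names only AES and RSA. The device identifier "order-service", the 32-byte client key, the `server` callback standing in for the intranet hop, and the `Gateway` map standing in for sending the private key to the server and fetching it back per request are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FirstEncrypted is the patent's "first encrypted data": the request body under a
// fresh client key (AES-GCM here) plus that key wrapped with the gateway public key.
type FirstEncrypted struct {
	EncryptedKey []byte // S222: client key wrapped with the gateway public key (RSA-OAEP here)
	Nonce        []byte
	KeyEncrypted []byte // S221: request body encrypted with the client key
}

// SecondEncrypted is the "second encrypted data": the plaintext feedback plus the
// gateway's signature over it. Nothing in it is encrypted.
type SecondEncrypted struct {
	Plaintext []byte
	Signature []byte
}

// Gateway maps a device identifier to the key pair created for it (S160). The patent
// sends the private key to that server and fetches it back; here it is looked up in place.
type Gateway map[string]*rsa.PrivateKey

// CreateKeyPair is S160; the returned public key is what every client receives.
func (g Gateway) CreateKeyPair(deviceID string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	g[deviceID] = priv
	return &priv.PublicKey, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonces
}

// ClientEncrypt is S221-S223: encrypt under a fresh client key, wrap that key, combine.
func ClientEncrypt(pub *rsa.PublicKey, plaintext []byte) (*FirstEncrypted, error) {
	buf := make([]byte, 32+12) // fresh 256-bit client key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	clientKey, nonce := buf[:32], buf[32:]
	gcm, err := aead(clientKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, clientKey, nil)
	if err != nil {
		return nil, err
	}
	return &FirstEncrypted{EncryptedKey: wrapped, Nonce: nonce, KeyEncrypted: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// HandleRequest is S110-S150 for one service end: select the private key by service
// identifier, unwrap the client key (S121), decrypt (S122), forward plaintext (S130), sign (S140).
func (g Gateway) HandleRequest(serviceID string, req *FirstEncrypted, server func([]byte) []byte) (*SecondEncrypted, error) {
	priv, ok := g[serviceID]
	if !ok {
		return nil, fmt.Errorf("no key pair for service identifier %q", serviceID)
	}
	clientKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, req.EncryptedKey, nil)
	if err != nil {
		return nil, err // the client key was wrapped for another service's public key
	}
	gcm, err := aead(clientKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, req.Nonce, req.KeyEncrypted, nil)
	if err != nil {
		return nil, err // tag mismatch: tampered body, never forwarded to the intranet
	}
	feedback := server(plaintext) // plaintext on the intranet, exactly as the patent describes
	digest := sha256.Sum256(feedback)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SecondEncrypted{Plaintext: feedback, Signature: sig}, nil
}

// ClientVerify is the client half of S230; its boolean is the patent's "check result".
func ClientVerify(pub *rsa.PublicKey, resp *SecondEncrypted) bool {
	digest := sha256.Sum256(resp.Plaintext)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], resp.Signature, nil) == nil
}

func main() {
	gw := Gateway{}
	pub, _ := gw.CreateKeyPair("order-service")          // hypothetical device identifier
	req, _ := ClientEncrypt(pub, []byte(`{"order":42}`)) // constructed request
	resp, err := gw.HandleRequest("order-service", req, func(p []byte) []byte { return append([]byte("done:"), p...) })
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s verified=%v\n", resp.Plaintext, ClientVerify(pub, resp))
}
```

Two properties of the design are visible in the code rather than in the patent's summary. First, `resp.Plaintext` is readable by anyone who sees the response, because S140 signs the feedback instead of encrypting it; a deployment that needs a confidential response has to add encryption the patent does not describe. Second, the same RSA key pair unwraps client keys and signs feedback; using one key pair for both decryption and signing is a known cryptographic anti-pattern, and the usual advice is a separate pair per purpose.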
As shown in fig. 8, in an embodiment, a gateway-based data processing apparatus is further provided, where the gateway-based data processing apparatus corresponds to the gateway-based data processing method in the above embodiment one by one. The gateway-based data processing apparatus includes:
the first receiving module 100 is configured to receive a service request including first encrypted data and a service identifier sent by a target client, and determine a service processing object from all the service ends according to the service identifier; the first encryption data is obtained by encrypting plaintext request data through a gateway public key corresponding to a service identifier by the target client; the target client is a client which sends the service request in all the clients;
the decryption module 200 is configured to obtain a gateway private key matched with the gateway public key from the service processing object, and decrypt the first encrypted data through the gateway private key;
the first sending module 300 is configured to send the decrypted first encrypted data to the service processing object, so that the service processing object performs service processing according to the decrypted first encrypted data;
the second receiving module 400 is configured to receive plaintext feedback data generated after the service processing object performs service processing, and sign the plaintext feedback data by using the gateway private key to obtain second encrypted data;
and the second sending module 500 is configured to send the second encrypted data to the target client, so that the target client performs signature verification on the second encrypted data through the gateway public key and obtains a signature verification result.
For specific limitations of the gateway-based data processing apparatus, reference may be made to the above limitations of the gateway-based data processing method, and no further description is given here. The various modules in the gateway-based data processing apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In an embodiment, there is also provided a computer device, which may be a gateway or a client, and whose internal structure may be as shown in fig. 9. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, carries out the steps of the gateway-based data processing method described above.
In an embodiment, there is also provided a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the gateway-based data processing method described above.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting it; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (10)

1. A gateway-based data processing method, the method being applied to a gateway, the gateway being communicatively connected to a plurality of clients and a plurality of servers, the method comprising:
receiving a service request, sent by a target client, that contains first encrypted data and a service identifier, and determining a service processing object from all the servers according to the service identifier; the first encrypted data is obtained by the target client encrypting plaintext request data with the gateway public key corresponding to the service identifier; the target client is whichever of the clients sent the service request;
acquiring a gateway private key matched with the gateway public key from the service processing object, and decrypting the first encrypted data through the gateway private key;
transmitting the decrypted first encrypted data to the service processing object so that the service processing object can process the service according to the decrypted first encrypted data;
receiving plaintext feedback data generated after the service processing object performs service processing, and signing the plaintext feedback data through the gateway private key to obtain second encrypted data;
and sending the second encrypted data to the target client, so that the target client verifies the signature of the second encrypted data with the gateway public key and obtains a signature verification result.
2. The gateway-based data processing method of claim 1, wherein prior to receiving the service request including the first encrypted data and the service identifier sent by the target client, further comprising:
receiving a creation instruction containing a device identifier, creating a security key pair associated with the device identifier, sending a gateway private key of the security key pair to the server associated with the device identifier, and sending a gateway public key of the security key pair to all the clients.
3. The gateway-based data processing method of claim 1, wherein all of the servers have been successfully registered and verified by a registry; the servers are all connected to the registry, and the gateway is connected to the servers through intranet communication;
the sending the decrypted first encrypted data to the service processing object, so that the service processing object performs service processing according to the decrypted first encrypted data, including:
when the service processing object comprises at least two servers, recording each server in the service processing object as a target server, and determining the service processing sequence of all the target servers according to the service identifier;
and sending the decrypted first encrypted data to a first target server in the service processing sequence through an intranet to perform service processing, and directly sending the processed data to a next target server in the service processing sequence through the intranet to perform service processing until the last target server finishes service processing.
4. The gateway-based data processing method of claim 1, wherein all of the servers have been successfully registered and verified by a registry; the servers are all connected to the registry, and the gateway is connected to the servers through intranet communication;
the sending the decrypted first encrypted data to the service processing object, so that the service processing object performs service processing according to the decrypted first encrypted data, including:
and when the service processing object comprises only one server, sending the decrypted first encrypted data to the service processing object through an intranet so that the service processing object performs service processing according to the decrypted first encrypted data.
5. The gateway-based data processing method of claim 1, wherein the first encrypted data comprises key-encrypted data, generated by the target client encrypting the plaintext request data with a client key, and an encryption key, generated by encrypting the client key with the gateway public key;
the decrypting the first encrypted data with the gateway private key includes:
decrypting the encryption key in the first encrypted data with the gateway private key to obtain the client key;
and decrypting the key-encrypted data with the client key to obtain the decrypted first encrypted data.
6. A gateway-based data processing method, wherein the method is applied to a client, the client is in communication connection with a gateway, the gateway is in communication connection with a plurality of servers, and the method comprises:
after receiving a service processing instruction containing plaintext request data and a service identifier, determining a gateway public key associated with the service identifier;
encrypting the plaintext request data through the gateway public key to obtain first encrypted data;
after sending a service request containing the first encrypted data and the service identifier to the gateway, if second encrypted data sent by the gateway is received, verifying the signature of the second encrypted data with the gateway public key and obtaining a signature verification result; the second encrypted data is obtained after the gateway determines a service processing object from all the servers according to the service identifier, decrypts the first encrypted data with a gateway private key that matches the gateway public key and is acquired from the service processing object, and sends the decrypted first encrypted data to the service processing object so that the service processing object performs service processing according to the decrypted first encrypted data and feeds back plaintext feedback data, which the gateway signs with the gateway private key.
7. The gateway-based data processing method of claim 6, wherein encrypting the plaintext request data via the gateway public key results in first encrypted data, comprising:
encrypting the plaintext request data with a client key to generate key-encrypted data;
encrypting the client key with the gateway public key to generate an encryption key;
and generating the first encrypted data from the key-encrypted data and the encryption key.
8. A gateway-based data processing apparatus, comprising:
a first receiving module, used for receiving a service request, sent by a target client, that contains first encrypted data and a service identifier, and for determining a service processing object from all the servers according to the service identifier; the first encrypted data is obtained by the target client encrypting plaintext request data with the gateway public key corresponding to the service identifier; the target client is whichever of the clients sent the service request;
the decryption module is used for acquiring a gateway private key matched with the gateway public key from the service processing object and decrypting the first encrypted data through the gateway private key;
the first sending module is used for sending the decrypted first encrypted data to the service processing object so that the service processing object can process the service according to the decrypted first encrypted data;
the second receiving module is used for receiving plaintext feedback data generated after the service processing object performs service processing, and signing the plaintext feedback data through the gateway private key to obtain second encrypted data;
and a second sending module, used for sending the second encrypted data to the target client so that the target client verifies the signature of the second encrypted data with the gateway public key and obtains a signature verification result.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the gateway-based data processing method according to any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the gateway-based data processing method according to any of claims 1 to 7.

Priority Applications (1)

CN202310224157.1A, priority date 2023-02-28, filing date 2023-02-28: Gateway-based data processing method, device, computer and medium

Publications (1)

CN116208419A, published 2023-06-02

Family

ID=86509374

Country Status (1)

CN: CN116208419A (pending)

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination