CN116633582A - Secure communication method, apparatus, electronic device and storage medium - Google Patents


Info

Publication number: CN116633582A
Authority: CN (China)
Prior art keywords: terminal, cloud, data, encrypted data, ciphertext
Legal status: Pending
Application number: CN202310273540.6A
Priority application: CN202310273540.6A
Other languages: Chinese (zh)
Inventors: 王东强, 范永学, 杨宇, 李慧, 李湛蓉
Current assignee: State Grid Information and Telecommunication Co Ltd; Beijing Guodiantong Network Technology Co Ltd
Original assignee: State Grid Information and Telecommunication Co Ltd; Beijing Guodiantong Network Technology Co Ltd
Application filed by State Grid Information and Telecommunication Co Ltd and Beijing Guodiantong Network Technology Co Ltd.

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/0442 Network security: confidential data exchange among entities communicating through data packet networks, with the payload protected by encryption or encapsulation, where the sending and receiving entities apply asymmetric encryption (different keys for encryption and decryption)
    • H04L63/08 Network security: authentication of entities
    • H04L63/0823 Network security: authentication of entities using certificates
    • H04L63/101 Network security: controlling access to devices or network resources using access control lists [ACL]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/54 Network services: presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users
    • H04L9/0631 Cryptographic mechanisms: block ciphers built as a substitution permutation network [SPN], i.e. a cipher composed of a number of rounds each involving linear and nonlinear transformations, e.g. AES
    • H04L9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Abstract

The application provides a secure communication method, apparatus, electronic device and storage medium. When the cloud receives a device registration request from a terminal, it verifies the terminal; once the terminal passes verification, the cloud sends it a device identifier. The terminal then performs combined encryption on the original data according to that device identifier to obtain encrypted data and sends the encrypted data to the cloud, which performs segmented decryption on it to recover the original data, completing the secure communication between cloud and terminal. Verifying the terminal at device registration forms the first layer of protection in the communication process; combined encryption at the terminal forms the second; and decrypting with the segmented decryption method matched to the combined encryption forms the third. Together they secure the communication between cloud and terminal and improve the safety of data transmission.

Description

Secure communication method, apparatus, electronic device and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a secure communication method, apparatus, electronic device, and storage medium.
Background
Terminal Internet of Things (IoT) sensing devices transmit the data they collect over the MQTT protocol, which can be used on remote sensors and devices on networks with limited computing capacity, low bandwidth and unreliable links. Although such devices can transmit and process MQTT protocol data, the security of the data transmission is low, and neither the security of the terminal identity nor that of the MQTT data can be ensured.
Disclosure of Invention
In view of the above, the present application aims to provide a secure communication method, apparatus, electronic device and storage medium that solve the problem of low data transmission security.
Based on the above object, a first aspect of the present application provides a secure communication method, including:
in response to the cloud receiving a device registration request sent by a terminal, the cloud verifies the terminal;
in response to the terminal passing verification, the cloud sends a device identifier to the terminal;
the terminal performs combined encryption on the original data according to the device identifier to obtain encrypted data, and sends the encrypted data to the cloud;
and the cloud receives the encrypted data and performs segmented decryption on it to obtain the original data.
Optionally, the terminal performing combined encryption on the original data according to the device identifier to obtain encrypted data includes:
the terminal marks the original data with the device identifier to obtain marked data;
and the terminal performs combined encryption on the marked data using a symmetric encryption algorithm and an asymmetric encryption algorithm to obtain encrypted data, and sends the encrypted data to the cloud.
Optionally, the terminal performing combined encryption on the marked data using a symmetric encryption algorithm and an asymmetric encryption algorithm to obtain encrypted data includes:
the terminal generates a random key according to the symmetric encryption algorithm;
the terminal appends a salt value of a preset length to the random key to obtain a salted key;
the terminal encrypts the salted key with the public key of the asymmetric encryption algorithm to obtain a first ciphertext segment;
the terminal encrypts the marked data with the random key to obtain a second ciphertext segment;
and the first ciphertext segment and the second ciphertext segment are joined by a preset shared character string to obtain the encrypted data, and the shared character string is sent to the cloud.
Optionally, the cloud receiving the encrypted data and performing segmented decryption on it to obtain the original data includes:
the cloud splits the encrypted data at the shared character string to obtain the first ciphertext segment and the second ciphertext segment;
the cloud decrypts the second ciphertext segment according to the first ciphertext segment to obtain the original data and the device identifier;
the cloud decrypts and verifies the original data according to a pre-built terminal whitelist and the device identifier;
if the cloud determines that the original data fails verification, the original data is discarded;
and if the cloud determines that the original data passes verification, the original data is accepted and stored.
Optionally, the cloud decrypting the second ciphertext segment according to the first ciphertext segment to obtain the original data and the device identifier includes:
the cloud decrypts the first ciphertext segment with the private key of the asymmetric encryption algorithm to obtain the salted key;
the cloud splits the salted key according to the salt value of the preset length to obtain the random key;
the cloud decrypts the second ciphertext segment with the random key to obtain the marked data;
and the cloud extracts the tag from the marked data to obtain the device identifier and the original data.
Optionally, in response to receiving a device registration request sent by a terminal, the cloud verifying the terminal includes:
the cloud obtains historical communication records of a plurality of terminals and constructs a terminal whitelist from the historical communication records;
in response to the cloud receiving a device registration request sent by the terminal, determining whether the terminal is in the terminal whitelist;
and in response to the terminal being in the terminal whitelist, determining that the terminal passes verification.
Optionally, the secure communication method further comprises:
in response to the terminal not being in the terminal whitelist, determining that the terminal fails verification, checking the historical communication record of the terminal at a preset time interval, and re-verifying the terminal.
A second aspect of the present application provides a secure communication apparatus comprising:
a cloud configured to: in response to receiving a device registration request sent by a terminal, verify the terminal;
send a device identifier to the terminal in response to the terminal passing verification;
and receive the encrypted data and perform segmented decryption on it to obtain the original data;
and a terminal configured to: perform combined encryption on the original data according to the device identifier to obtain encrypted data, and send the encrypted data to the cloud.
A third aspect of the application provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method of the first aspect of the application when executing the program.
A fourth aspect of the application provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of the first aspect of the application.
As can be seen from the above, in the secure communication method, apparatus, electronic device and storage medium provided by the application, the cloud verifies the terminal when it receives the terminal's device registration request and sends the terminal a device identifier once it passes verification; the terminal performs combined encryption on the original data according to that identifier and sends the encrypted data to the cloud; and the cloud performs segmented decryption on the encrypted data to recover the original data, completing the secure communication between cloud and terminal. Verification at device registration forms the first layer of protection in the communication process, combined encryption at the terminal the second, and decryption with the segmented decryption method matched to the combined encryption the third, so that the communication between cloud and terminal is secured and the safety of data transmission is improved.
Drawings
In order to illustrate the technical solutions of the present application or the related art more clearly, the drawings needed in the description of the embodiments or the related art are briefly described below. Clearly, the drawings described below show only embodiments of the present application, and those of ordinary skill in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a method of secure communication according to an embodiment of the present application;
FIG. 2 is a flow chart of the combined encryption according to the embodiment of the application;
FIG. 3 is a flow chart of the segment decryption according to the embodiment of the present application;
FIG. 4 is a schematic diagram of a secure communication device according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an electronic device according to an embodiment of the application.
Detailed Description
The present application will be further described in detail below with reference to specific embodiments and with reference to the accompanying drawings, in order to make the objects, technical solutions and advantages of the present application more apparent.
It should be noted that, unless otherwise defined, technical or scientific terms used in the embodiments of the present application have the ordinary meaning understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in the embodiments of the present application, do not denote any order, quantity or importance, but are used only to distinguish one element from another. The words "comprising" or "comprises" and the like mean that the elements or items preceding the word include the elements or items listed after the word and their equivalents, but do not exclude other elements or items. The term "connected" and the like is not limited to physical or mechanical connections and may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may change when the absolute position of the object described changes.
In this document, it should be understood that any number of elements in the drawings is for illustration and not limitation, and that any naming is used only for distinction and not for any limitation.
Based on the above description of the background art, the related art also has the following characteristics:
In Internet or Internet of Things applications, Transport Layer Security (TLS) is commonly used to establish a secure data channel that ensures the integrity and confidentiality of data between two communicating applications. The symmetric keys negotiated by the two parties differ every time the channel is established, so a malicious user can neither decrypt the communication data nor capture a packet on the network and replay it as an attack. Using TLS requires that the root certificates of third-party Certificate Authorities (CAs) be preloaded in the operating system of terminals such as IoT devices, and that the cloud apply to a CA for a certificate. In addition, a single handshake negotiation takes more than ten interactions before the data channel is established, and since the certificate authorities are mostly foreign institutions with servers located abroad, the handshake must interact with foreign servers.
However, the operating system of terminals such as IoT devices is very simple and is not suited to installing a root certificate, or has no system environment in which to install one. Secondly, the computing and networking capacity of such terminals is relatively poor; the standard TLS flow needs more than ten interactions with a server, including foreign servers, so interaction performance is poor. In addition, the standard TLS flow requires applying to a CA for a digital certificate, which is chargeable, has a validity period and must be renewed regularly, incurring a certain operating cost. Therefore, terminal IoT sensing devices choose to send the collected data using MQTT (Message Queuing Telemetry Transport), which can be used on remote sensors and terminal devices on networks with limited computing power, low bandwidth and unreliable links. Although such devices can transmit and process MQTT protocol data, the security of the data transmission is low, and the security of the terminal identity and of the MQTT data cannot be ensured.
According to the secure communication method provided by the embodiments of the application, when the cloud receives a device registration request sent by a terminal, the cloud verifies the terminal; once the terminal passes verification, the cloud sends it a device identifier; the terminal performs combined encryption on the original data according to the received device identifier to obtain encrypted data and sends it to the cloud; and the cloud performs segmented decryption on the encrypted data to recover the original data, completing the secure communication between cloud and terminal. Verification at device registration forms the first layer of protection in the communication process, combined encryption at the terminal the second, and decryption with the segmented decryption method matched to the combined encryption the third, so that the communication between cloud and terminal is secured and the safety of data transmission is improved. The specific embodiments are described below with reference to the drawings.
In some embodiments, as shown in FIG. 1, a secure communication method includes:
Step 101: in response to the cloud receiving a device registration request sent by a terminal, the cloud verifies the terminal.
It should be noted that the cloud is provided with an Internet of Things (IoT) security authentication module and an IoT data management module. Before receiving a device registration request from a terminal, the IoT security authentication module must construct a terminal whitelist of secure terminal devices; the terminals on the whitelist are secure terminals that have not been maliciously attacked, either now or previously. To construct the whitelist, the cloud obtains the historical communication records of a plurality of terminals, screens out the secure terminals that have not been maliciously attacked and have not sent malicious data in those records, and records their authentication information, for example the terminal device's SN (Serial Number) code and MAC address (Media Access Control address, also called the local area network address). Building the whitelist from historical communication data is fast and efficient, and the list can be updated at any time; however, the historical communication data may itself have been maliciously tampered with, so the whitelist information can also be collected and maintained offline by mail. A whitelist built through offline collection is more secure, because the offline channel reduces the chance that the collected information is attacked or tampered with.
In implementation, before accessing the network, terminals such as IoT sensing devices must register with the IoT security authentication module of the cloud. The terminal initiates a device registration request to that module using its device SN code and/or device MAC address. When the cloud receives the request, if the SN code or MAC address in the registration request of the target terminal is recorded in the terminal whitelist, the target terminal has passed the cloud's verification and the cloud sends it a device identifier to mark it. If the target terminal is not on the terminal whitelist, it is determined not to have passed verification; its historical communication record can be checked at a preset time interval and the terminal re-verified, and at the same time a danger alarm can be sent to the terminal's administrator, prompting security maintenance so that the terminal meets the whitelist requirements. Preliminary screening by the terminal whitelist prevents an attacker from accessing the server with an arbitrary terminal device and disturbing the normal operation of the terminal business, and so ensures communication security.
Step 102: in response to the terminal passing verification, the cloud sends the device identifier to the terminal.
In implementation, if the terminal passes verification, it has not been maliciously attacked and has not actively sent malicious requests, either now or previously, so the cloud sends it a unique device identifier to mark it. The device identifier travels with the data during communication; if the identifier is absent from the communication data or has been tampered with, a communication security problem is indicated, and communication with the terminal that sent the data can be temporarily cut off to protect the cloud.
Step 103: and the terminal performs combined encryption on the original data according to the equipment identifier to obtain encrypted data, and sends the encrypted data to the cloud.
In the specific implementation, an asymmetric encryption algorithm and a symmetric encryption algorithm are defined by a terminal such as a terminal internet of things sensing device and an IOT data management module of a cloud end, after original data to be sent are marked according to a device identifier, marked data are combined and encrypted through the defined asymmetric encryption algorithm and the symmetric encryption algorithm to obtain encrypted data, the encrypted data are sent to the cloud end, only an asymmetric encrypted public key is stored in the combined encryption process of the terminal, storage of a private key is not involved, and safety is improved. The combined encryption increases the cracking difficulty of the encrypted data, and further increases the confidentiality of the encrypted data.
Step 104: and the cloud receives the encrypted data, and performs segmented decryption on the encrypted data to obtain the original data.
In the implementation, after the cloud receives the encrypted data, the IOT data management module of the cloud performs sectional decryption on the encrypted data according to the agreed asymmetric encryption algorithm and the symmetric encryption algorithm, and only the cloud stores the private key of the asymmetric encryption algorithm used for decryption in the sectional decryption process, so that an attacker cannot acquire the corresponding private key from the terminal and the transmission channel, the decryption difficulty of the encrypted data is increased, the safety of the encrypted data is further improved, and the safety communication between the terminal and the cloud is realized.
In some embodiments, as shown in FIG. 2, the terminal performing combined encryption on the original data according to the device identifier to obtain encrypted data includes:
Step 201: the terminal marks the original data with the device identifier to obtain marked data.
In specific implementation, after the terminal receives the device identifier and acquires the original data to be sent, it marks the original data with the device identifier. For example, machine learning may be used for data marking, where the marking process identifies the original data (pictures, text files, videos, etc.) and adds one or more meaningful information labels, here the device identifier. Other ways of combining the device identifier with the original data may also be used; they may change the plaintext representation of the original data but do not affect the encryption and decryption processes, so the manner of combination is not specifically limited here.
Step 202: the terminal performs combined encryption on the marked data using the symmetric encryption algorithm and the asymmetric encryption algorithm to obtain encrypted data, and sends the encrypted data to the cloud.
In specific implementation, the asymmetric encryption algorithm is RSA and the symmetric encryption algorithm is AES. The terminal stores an RSA public key, which is used to encrypt the random key generated by the AES algorithm; a salt value of an agreed length is first appended to the random key, which increases the difficulty of recovering the key, and the RSA encryption produces the first ciphertext segment. The terminal's original data (such as the terminal unit's device code, generated collection data, alarm data and the like) is then encrypted with AES to produce the second ciphertext segment. The first and second ciphertext segments are joined, separated by a shared character string, to obtain the final encrypted data, which is transmitted to the cloud.
It should be noted that RSA is a reversible asymmetric encryption algorithm, that is, the key used for encryption (the public key) and the key used for decryption (the private key) are not the same. The public key may be disclosed, but the private key must be kept secret. RSA is more computationally expensive than symmetric algorithms such as AES; from a security perspective, it is generally recommended that the RSA key be at least 2048 bits long. AES, by contrast, is a reversible symmetric encryption algorithm that uses the same key for encryption and decryption. As a symmetric block cipher, AES is much faster than public-key encryption algorithms.
In some embodiments, step 202 comprises the following steps:
Step 2021: the terminal generates a random key according to the symmetric encryption algorithm.
In a specific implementation, the terminal runs the AES algorithm to generate a random key; in this example the random key is: AES random key = "AES0000000000AES".
Step 2022: the terminal appends a salt value of a preset length to the random key to obtain a salt key.
In a specific implementation, taking a preset length of 10 as an example, the characters at the 10 positions of the salt value are generated randomly, which guarantees that the salt value is 10 characters long; in this embodiment the salt value is assumed to be "yyyyyyyyyy". After the terminal appends the 10-character salt value to the random key, the salt key obtained is "AES0000000000AESyyyyyyyyyy". The symmetric random key is generated afresh each time, and the randomly generated salt value is added to it, so the difficulty of cracking the encrypted data increases and the security of the communication is ensured. The splicing used in this example is the most direct one, plain concatenation; other ways of combining the random key and the salt value may be used, and the method is not particularly limited in this respect.
Step 2023: the terminal encrypts the salt key with the public key of the asymmetric encryption algorithm to obtain the first section of ciphertext.
In a specific implementation, the public key of the RSA algorithm is stored in the terminal. For example, if the RSA public key is "pub0000000000..pub", the terminal encrypts the salt key with that public key, and the first section of ciphertext obtained is RSA("AES0000000000AESyyyyyyyyyy", "pub0000000000..pub").
Step 2024: the terminal encrypts the marked data with the random key to obtain the second section of ciphertext.
In a specific implementation, by way of example, if the plaintext of the original data is "Hello World", the plaintext of the marked data is also "Hello World", because marking the original data with the device identifier does not change its plaintext. With AES random key = "AES0000000000AES", the marked data is encrypted under the random key of the AES algorithm, and the second section of ciphertext obtained is AES("Hello World", "AES0000000000AES").
Step 2025: the terminal joins the first section of ciphertext to the second section of ciphertext with a preset shared string to obtain the encrypted data, and sends the shared string to the cloud.
In a specific implementation, the encrypted data is generally not presented in plaintext form, since that would greatly increase the likelihood of it being cracked; the RSA computation on the first section and the AES computation on the second section each change the form in which that section is displayed. Illustratively, the first section of ciphertext is "rsa11111..11111rsa" and the second section is "aes11111..11111aes"; assuming the shared string is ",", joining the two sections with the shared string yields the encrypted data "rsa11111..11111rsa,aes11111..11111aes".
In summary, the simplified form of the combined encryption provided by the embodiment of the present application is: RSA(("AES key" + "salt value"), "RSA public key") + "," + AES("plaintext", "AES key"). The whole combined encryption process uses asymmetric and symmetric encryption together, so the confidentiality of the original data transmitted over the MQTT protocol is guaranteed; only the asymmetric public key is stored on the terminal, and no private key storage is involved, which enhances security; the symmetric random key is generated afresh each time and a random salt value is appended to it, which increases the difficulty of cracking the encrypted data; and the symmetric algorithm is used to encrypt the marked data, which increases the encryption speed and improves communication efficiency. The terminal whitelist is maintained before combined encryption takes place, ensuring that the identity of a terminal accessing the network is secure and trustworthy, so that secure communication between the terminal and the cloud is achieved.
The corresponding segmented decryption process is as follows: after receiving the encrypted data carried by the MQTT protocol, the IOT data management module of the cloud first splits out the two sections of ciphertext at the shared string, then decrypts the first section with the private key of the RSA algorithm and removes from the result the salt value agreed with the terminal, which yields the random key of the AES algorithm. It then decrypts the second section of ciphertext with that random key, obtaining the original data sent by the terminal, such as the device code, acquisition data or alarm data. At this point the cloud checks, according to the device identifier, whether the device SN code or device MAC address of the terminal is present in the terminal whitelist of the IOT security authentication module; if so, the original data of the MQTT protocol is parsed and stored, otherwise it is discarded.
In some embodiments, as shown in fig. 3, the cloud receiving the encrypted data and performing segmented decryption on it to obtain the original data comprises:
Step 301: the cloud splits the encrypted data at the shared string to obtain the first section of ciphertext and the second section of ciphertext.
In a specific implementation, taking the encrypted data "rsa11111..11111rsa,aes11111..11111aes" as an example, the shared string inside the encrypted data appears in plaintext form, so, knowing the shared string, the cloud can split the encrypted data precisely: it uses the shared string as the split point and divides the encrypted data into two sections, obtaining the first section of ciphertext "rsa11111..11111rsa" and the second section of ciphertext "aes11111..11111aes", neither of which is displayed in plaintext.
Step 302: the cloud decrypts the second section of ciphertext on the basis of the first section of ciphertext to obtain the original data and the device identifier.
In a specific implementation, the first section of ciphertext is decrypted with the private key of the RSA algorithm and the salt value agreed with the terminal is removed from the result, which yields the random key of the AES algorithm. The second section of ciphertext is then decrypted with that random key, which yields the original data sent by the terminal, such as the device code, acquisition data or alarm data, together with the device identifier it carries.
Step 303: the cloud verifies the decrypted original data against the pre-built terminal whitelist and the device identifier.
In implementation, according to the device identifier, the cloud checks whether the device SN code or device MAC address of the terminal is present in the terminal whitelist of the IOT security authentication module. If the SN code or MAC address of the terminal that sent the encrypted data is recorded in the terminal whitelist, the terminal passes the cloud's verification; it can then be determined that the encrypted data was sent by a secure terminal and was not intercepted and replaced with malicious attack data while in transit. If the SN code or MAC address of the terminal that sent the encrypted data is not recorded in the terminal whitelist, the target terminal is not whitelisted, which indicates that the original data recovered from the encrypted data may not have been sent by a secure terminal: a malicious terminal may have substituted its own encrypted data for that sent by a secure terminal, or an attacker may have intercepted the encrypted data in transit and replaced it with malicious attack data.
Step 304: if the cloud determines that the original data fails verification, the original data is discarded.
In implementation, after it is confirmed that the original data failed verification, the cloud can check the historical communication record of the target terminal at a preset time interval and re-verify the target terminal to determine whether the terminal has been attacked; at the same time, a danger alert can be sent to the administrator of the terminal, prompting security maintenance of the terminal so that the encrypted messages it sends pass the whitelist verification.
Step 305: if the cloud determines that the original data passes verification, the original data is received and stored.
In implementation, after the target terminal is confirmed to pass verification, the original data is received and stored, completing one secure communication between the terminal and the cloud. It can be seen that verifying the original data against the terminal whitelist effectively prevents an attacker from using attack means such as accessing the server with arbitrary terminal equipment or replacing the encrypted data in transit to disrupt the normal operation of terminal services, so the security of the communication is ensured.
In some embodiments, step 302 comprises:
Step 3021: the cloud decrypts the first section of ciphertext with the private key of the asymmetric encryption algorithm to obtain the salt key.
In a specific implementation, the encrypted data is split into two sections at the shared string, which yields the first section of ciphertext "rsa11111..11111rsa" and the second section of ciphertext "aes11111..11111aes", neither displayed in plaintext; the first section is then decrypted with the private key of the RSA algorithm, which yields the salt key in the form "AES random key" + "salt value". Illustratively, taking RSA private key = "private0000000000..private" as an example, the salt key in the form "AES random key" + "salt value" is obtained as RSA decryption("rsa11111..11111rsa", "private0000000000..private") = "AES0000000000AESyyyyyyyyyy".
Step 3022: the cloud strips the salt value of the preset length from the salt key to obtain the random key.
In a specific implementation, taking the salt key = "AES0000000000AESyyyyyyyyyy" as an example, if the preset length of the salt value is 10, the last 10 characters of the salt key, namely the trailing "yyyyyyyyyy" of "AES0000000000AESyyyyyyyyyy", are deleted, which yields the random key of the AES algorithm: "AES random key" = "AES0000000000AES". The symmetric random key is generated afresh each time and the randomly generated salt value is added to it, so the difficulty of cracking the encrypted data increases and the security of the communication is ensured.
Step 3023: the cloud decrypts the second section of ciphertext with the random key to obtain the marked data.
In a specific implementation, taking "AES random key" = "AES0000000000AES" and second section of ciphertext = "aes11111..11111aes" as an example, the plaintext of the marked data is obtained by decrypting the second section with the random key: "marked data" = AES decryption("aes11111..11111aes", "AES0000000000AES") = "Hello World". At this point the plaintext of the marked data and the plaintext of the original data are identical, both "Hello World", because the device identifier is carried by the original data in the form of a tag and does not affect the displayed form of the plaintext of the original data.
Step 3024: the cloud extracts the tag from the marked data to obtain the device identifier and the original data.
In implementation, after the marked data is obtained, the device identifier in it needs to be extracted; once the device identifier has been extracted, the marked data becomes the plaintext of the original data, the decryption process ends, and the cloud has obtained the plaintext of the original data sent by the terminal.
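The combined encryption of steps 2021 to 2025 and the segmented decryption and whitelist check of steps 301 to 305 and 3021 to 3024, as an added Go example that is not part of the patent or of any product of the applicants. The patent does not name a padding scheme or cipher mode, so this example assumes RSA-OAEP with SHA-256 for the first section and AES-128-GCM for the second; it further assumes a 10-byte salt, a comma as the shared string, base64 encoding of each section before they are joined, a hypothetical tag format in which the device identifier is prefixed to the original data with a '|' byte, and a whitelist keyed directly by device identifier in place of the SN/MAC lookup. The function and variable names are this example's own.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Values agreed between terminal and cloud; all three are assumptions of this example.
const (
	saltLen   = 10  // preset salt length, as in the patent's worked example
	separator = "," // shared string that joins the two ciphertext sections
	tagSep    = '|' // hypothetical tag format: "<device identifier>|<original data>"
)

// NewCloudKey generates the cloud's RSA key pair (2048 bits, the length the patent recommends).
func NewCloudKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// randomBytes returns n cryptographically random bytes.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-GCM AEAD (the patent names no cipher mode; GCM is assumed).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt performs steps 2021 to 2025 on the terminal.
func TerminalEncrypt(pub *rsa.PublicKey, deviceID string, original []byte) (string, error) {
	aesKey := randomBytes(16)                                               // step 2021
	saltKey := append(append([]byte{}, aesKey...), randomBytes(saltLen)...) // step 2022: key || salt
	// step 2023: first section = RSA-OAEP(salt key) under the public key stored on the terminal
	first, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, saltKey, nil)
	if err != nil {
		return "", err
	}
	// step 2024: second section = AES-GCM(marked data) under the random key; marking means
	// prefixing the device identifier tag to the original data
	gcm, _ := newGCM(aesKey) // cannot fail here: the key length is fixed at 16 bytes
	nonce := randomBytes(gcm.NonceSize())
	marked := append(append([]byte(deviceID), tagSep), original...)
	second := gcm.Seal(append([]byte{}, nonce...), nonce, marked, nil) // nonce || ciphertext
	// step 2025: base64 each section so the shared string cannot occur inside a ciphertext,
	// then join the two sections with the shared string
	return base64.StdEncoding.EncodeToString(first) + separator +
		base64.StdEncoding.EncodeToString(second), nil
}

// CloudDecrypt performs steps 301 and 3021 to 3024 on the cloud; tampering with either
// section makes it return an error instead of data.
func CloudDecrypt(priv *rsa.PrivateKey, encrypted string) (string, []byte, error) {
	parts := strings.SplitN(encrypted, separator, 2) // step 301: split at the shared string
	if len(parts) != 2 {
		return "", nil, errors.New("shared string not found")
	}
	first, err1 := base64.StdEncoding.DecodeString(parts[0])
	second, err2 := base64.StdEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return "", nil, errors.New("section is not valid base64")
	}
	// step 3021: recover the salt key with the private key, which only the cloud holds
	saltKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, first, nil)
	if err != nil || len(saltKey) <= saltLen {
		return "", nil, errors.New("first section does not decrypt to a salt key")
	}
	aesKey := saltKey[:len(saltKey)-saltLen] // step 3022: drop the trailing salt
	gcm, err := newGCM(aesKey)               // step 3023: decrypt and authenticate
	if err != nil || len(second) < gcm.NonceSize() {
		return "", nil, errors.New("random key or second section malformed")
	}
	marked, err := gcm.Open(nil, second[:gcm.NonceSize()], second[gcm.NonceSize():], nil)
	if err != nil {
		return "", nil, err
	}
	i := bytes.IndexByte(marked, tagSep) // step 3024: split off the identifier tag
	if i < 0 {
		return "", nil, errors.New("device identifier tag missing")
	}
	return string(marked[:i]), marked[i+1:], nil
}

// CloudVerify performs steps 303 to 305: the original data is kept only when the identifier
// is whitelisted (keyed by identifier here rather than by SN/MAC).
func CloudVerify(whitelist map[string]bool, deviceID string, original []byte) ([]byte, bool) {
	if !whitelist[deviceID] {
		return nil, false // step 304: discard
	}
	return original, true // step 305: receive and store
}
```

TerminalEncrypt returns the string the terminal publishes; the cloud passes it to CloudDecrypt and hands the returned identifier and data to CloudVerify together with its whitelist. Two choices go beyond the patent's text: each section is base64-encoded before the shared string is inserted, so a comma byte inside a ciphertext can never be mistaken for the split point of step 301, and the second section uses AES-GCM, so a modified second section fails at step 3023 instead of decrypting to garbage that the whitelist check of step 303 would then have to catch.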
In some embodiments, step 101 comprises:
Step 1011: the cloud acquires the historical communication records of a plurality of terminals and constructs a terminal whitelist from the historical communication records.
In implementation, before it receives a device registration request from a terminal, the IOT security authentication module needs to construct a terminal whitelist of secure terminal devices; the terminals in the whitelist are secure terminals that have not been attacked by a malicious agent, currently or previously. Optionally, the cloud acquires the historical communication records of a plurality of terminals, screens out the secure terminals that have neither been attacked by malicious agents nor sent malicious data in those records, and records their authentication information, such as the SN (serial number) code and MAC (media access control) address of the terminal device. Building the whitelist from historical communication data is fast and efficient, can be updated at any time and is highly timely. However, historical communication data may have been tampered with maliciously, so the whitelist information may also be collected and maintained through an offline mail collection process; a whitelist built through offline mail collection is more secure, because the offline channel reduces the possibility of the collected information being attacked or maliciously tampered with.
Step 1012: in response to the cloud receiving the device registration request sent by the terminal, determine whether the terminal is in the terminal whitelist.
Step 1013: in response to the terminal being in the terminal whitelist, determine that the terminal passes verification.
In implementation, terminals such as Internet of Things sensing devices need to register with the IOT security authentication module of the cloud before joining the Internet of Things. Such a terminal initiates a device registration request to the IOT security authentication module of the cloud with its device SN code and/or device MAC address. After the cloud receives the device registration request sent by the Internet of Things terminal, if the device SN code or device MAC address in the registration request of the target terminal that initiated the request is recorded in the terminal whitelist, the target terminal passes the cloud's verification, and the cloud sends a device identifier to the terminal in order to mark the target terminal.
In some embodiments, the secure communication method provided by the embodiment of the present application further includes:
and responding to the fact that the terminal is not in the terminal white list, determining that the terminal fails to pass verification, checking the historical communication record of the terminal according to a preset time interval, and re-verifying the terminal.
In implementation, if the target terminal is not in the terminal whitelist, it is determined that the target terminal fails verification; the historical communication record of the target terminal can then be checked at a preset time interval and the target terminal re-verified, and at the same time a danger alert can be sent to the administrator of the target terminal, prompting security maintenance of the target terminal so that it meets the requirements of the whitelist. The preliminary screening provided by the terminal whitelist prevents an attacker from accessing the server with arbitrary terminal equipment and disrupting the normal operation of terminal services, so the security of the communication is ensured.
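Steps 1011 to 1013 together with the re-verification embodiment just described, as an added Go example that is not part of the patent or of any product of the applicants. It assumes a constructed record shape carrying "attacked" and "sent malicious data" flags, a whitelist holding both SN codes and MAC addresses (either one suffices, as in step 1013), a device identifier derived from the SN or MAC (the patent does not fix its format), and it models the preset-interval re-verification as a queue of failed requests with a due time; the alert to the administrator is left out. The type and function names are this example's own, and any history records passed in are the caller's constructed data.

```go
package main

import "time"

// HistoryRecord is one entry of a terminal's historical communication record
// (a constructed shape; the patent does not fix the record format).
type HistoryRecord struct {
	SN, MAC  string
	Attacked bool // the terminal was attacked by a malicious agent
	SentBad  bool // the terminal itself sent malicious data
}

// RegistrationRequest carries the device SN code and/or MAC address (step 1012).
type RegistrationRequest struct{ SN, MAC string }

// Whitelist records the SN codes and MAC addresses of secure terminals.
type Whitelist struct{ sn, mac map[string]bool }

// BuildWhitelist performs step 1011: a terminal is admitted only if none of its
// records shows it being attacked or sending malicious data.
func BuildWhitelist(history []HistoryRecord) Whitelist {
	bad := map[string]bool{}
	for _, r := range history {
		if r.Attacked || r.SentBad {
			bad[r.SN] = true
		}
	}
	w := Whitelist{sn: map[string]bool{}, mac: map[string]bool{}}
	for _, r := range history {
		if !bad[r.SN] {
			w.sn[r.SN] = true
			if r.MAC != "" {
				w.mac[r.MAC] = true
			}
		}
	}
	return w
}

// Contains reports whether the request's SN code or MAC address is whitelisted.
func (w Whitelist) Contains(req RegistrationRequest) bool {
	return (req.SN != "" && w.sn[req.SN]) || (req.MAC != "" && w.mac[req.MAC])
}

// Cloud holds the whitelist and the failed registrations awaiting re-verification.
type Cloud struct {
	wl       Whitelist
	interval time.Duration                     // preset re-verification interval
	pending  map[RegistrationRequest]time.Time // earliest time of the next re-check
}

// NewCloud builds the whitelist from the history and starts with nothing pending.
func NewCloud(history []HistoryRecord, interval time.Duration) *Cloud {
	return &Cloud{wl: BuildWhitelist(history), interval: interval,
		pending: map[RegistrationRequest]time.Time{}}
}

// Register performs steps 1012 and 1013. A whitelisted terminal receives a device
// identifier (derived here from its SN or MAC); any other terminal fails verification
// and is queued for re-verification after the preset interval.
func (c *Cloud) Register(req RegistrationRequest, now time.Time) (string, bool) {
	if !c.wl.Contains(req) {
		c.pending[req] = now.Add(c.interval)
		return "", false
	}
	delete(c.pending, req)
	id := req.SN
	if id == "" {
		id = req.MAC
	}
	return "DEV-" + id, true
}

// Reverify rebuilds the whitelist from the latest history and re-checks every failed
// terminal whose interval has elapsed; it returns the identifiers now admitted.
func (c *Cloud) Reverify(history []HistoryRecord, now time.Time) []string {
	c.wl = BuildWhitelist(history)
	var admitted []string
	for req, due := range c.pending {
		if now.Before(due) {
			continue
		}
		if id, ok := c.Register(req, now); ok {
			admitted = append(admitted, id)
		}
	}
	return admitted
}
```

A terminal that fails Register stays in the pending queue and is only re-checked once its due time has passed and a fresh whitelist no longer excludes it; a terminal that fails again is simply re-queued for another interval.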
It should be noted that, the method of the embodiment of the present application may be performed by a single device, for example, a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the method of an embodiment of the present application, the devices interacting with each other to accomplish the method.
It should be noted that the foregoing describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the application also provides a secure communication device corresponding to the method of any of the embodiments.
Referring to fig. 4, the secure communication device includes:
cloud end 10, configured to: responding to a received equipment registration request sent by a terminal, and verifying the terminal;
transmitting a device identification to the terminal in response to the terminal passing the verification;
receiving the encrypted data, and performing segmented decryption on the encrypted data to obtain the original data;
a terminal 20 configured to: and carrying out combined encryption on the original data according to the equipment identifier to obtain encrypted data, and sending the encrypted data to a cloud.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The device of the foregoing embodiment is configured to implement the corresponding secure communication method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor implements the secure communication method of any embodiment when executing the program.
Fig. 5 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., for executing the relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs; when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the corresponding secure communication method in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the present application also provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the secure communication method according to any of the embodiments above, corresponding to the method of any of the embodiments above.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, program modules, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device.
The storage medium of the above embodiment stores computer instructions for causing the computer to perform the secure communication method according to any one of the above embodiments, and has the advantages of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the application as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, and the like, which are within the spirit and principles of the embodiments of the application, are intended to be included within the scope of the application.

Claims (10)

1. A method of secure communication, comprising:
in response to a cloud receiving a device registration request sent by a terminal, verifying the terminal by the cloud;
in response to the terminal passing verification, sending a device identifier to the terminal by the cloud;
the terminal performs combined encryption on the original data according to the equipment identifier to obtain encrypted data, and sends the encrypted data to a cloud;
and the cloud receives the encrypted data, and performs segmented decryption on the encrypted data to obtain the original data.
2. The method of claim 1, wherein the terminal performs combined encryption on the original data according to the device identifier to obtain encrypted data, and the method comprises:
the terminal marks the original data according to the equipment identifier to obtain marked data;
and the terminal performs combined encryption on the marked data according to a symmetric encryption algorithm and an asymmetric encryption algorithm to obtain encrypted data, and sends the encrypted data to the cloud.
3. The method according to claim 2, wherein the terminal performs combined encryption on the tag data according to a symmetric encryption algorithm and an asymmetric encryption algorithm to obtain encrypted data, including:
the terminal generates a random key according to the symmetric encryption algorithm;
the terminal splices the salt value with the preset length for the random key to obtain a salt value key;
the terminal encrypts the salt key by using the public key of the asymmetric encryption algorithm to obtain a first section of ciphertext;
the terminal encrypts the marked data according to the random key to obtain a second section of ciphertext;
and connecting the first section of ciphertext with the second section of ciphertext according to a preset shared character string to obtain the encrypted data, and sending the shared character string to the cloud.
4. The method of claim 3, wherein the cloud receives the encrypted data and performs segment decryption on the encrypted data to obtain the original data, and the method comprises:
the cloud end disassembles the encrypted data according to the shared character string to obtain the first section of ciphertext and the second section of ciphertext;
the cloud end decrypts the second section of ciphertext according to the first section of ciphertext to obtain the original data and the equipment identifier;
the cloud end decrypts and verifies the original data according to a pre-built terminal white list and the equipment identifier;
discarding the original data if the cloud determines that the original data is not verified;
and if the cloud judges that the original data passes the verification, receiving and storing the original data.
5. The method of claim 4, wherein the cloud end decrypts the second ciphertext according to the first ciphertext to obtain the original data and the device identifier, comprising:
the cloud end decrypts the first section of ciphertext according to the private key of the asymmetric encryption algorithm to obtain the salt key;
the cloud end disassembles the salt value key according to the salt value with the preset length to obtain the random key;
the cloud end decrypts the second section of ciphertext according to the random key to obtain the marking data;
and the cloud performs tag extraction on the tag data to obtain the equipment identifier and the original data.
6. The method of claim 1, wherein in response to the cloud receiving a device registration request sent by a terminal, the cloud validating the terminal comprises:
the cloud acquires historical communication records of a plurality of terminals, and a terminal white list is constructed according to the historical communication records;
determining whether the terminal is in the terminal white list or not in response to the cloud receiving a device registration request sent by the terminal;
and determining that the terminal passes verification in response to the terminal being in the terminal white list.
7. The method as recited in claim 6, further comprising:
and responding to the fact that the terminal is not in the terminal white list, determining that the terminal is not authenticated, checking the historical communication record of the terminal according to a preset time interval, and re-authenticating the terminal.
8. A secure communications device, comprising:
cloud end, configured to: responding to a received equipment registration request sent by a terminal, and verifying the terminal;
transmitting a device identification to the terminal in response to the terminal passing the verification;
receiving the encrypted data, and performing segmented decryption on the encrypted data to obtain the original data;
a terminal configured to: and carrying out combined encryption on the original data according to the equipment identifier to obtain encrypted data, and sending the encrypted data to a cloud.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 7 when the program is executed.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
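The exchange described in claims 5 to 8, as an added illustration rather than code from the patent or its applicants: the cloud builds a terminal white list from historical communication records, issues a device identifier at registration, the terminal applies combined encryption (tagged data under a fresh random key, then random key plus salt under the device key, both segments concatenated), and the cloud performs segmented decryption, disassembling the salt value key by the preset salt length and extracting the tag. The claims name no cipher, key sizes, segment layout or key distribution, so the following are assumptions: an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for the cipher; the salt is appended to the random key; the device identifier travels in the clear ahead of the segments so the cloud can select the device key; that key is derived from the identifier under a cloud master key and handed over at registration; sizes and the re-check interval are constructed values. The names `Cloud`, `combined_encrypt`, `seal` and `unseal` are the example's own.

```python
import hashlib
import hmac
import secrets
import struct

ID_LEN, SALT_LEN, KEY_LEN, NONCE_LEN, MAC_LEN = 16, 16, 32, 16, 32  # assumed sizes
RECHECK_INTERVAL = 3600  # assumed value of claim 7's "preset time interval", seconds


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from a key and a label."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream; stands in for the cipher
    the claims leave unspecified."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys: nonce || ct || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the MAC before using the ciphertext; raise on any tampering."""
    if len(blob) < NONCE_LEN + MAC_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def combined_encrypt(device_id: bytes, device_key: bytes, original: bytes) -> bytes:
    """Terminal side (claim 8): tag the data with the device identifier, encrypt it
    under a fresh random key, wrap random key + salt under the device key, and
    concatenate the two segments."""
    tag_data = device_id + original                        # tagging; tag extraction reverses it
    random_key = secrets.token_bytes(KEY_LEN)
    second_ct = seal(random_key, tag_data)                 # second section of ciphertext
    salt_key = random_key + secrets.token_bytes(SALT_LEN)  # salt of preset length appended (assumed order)
    first_ct = seal(device_key, salt_key)                  # first section of ciphertext
    # Assumed wire format: clear device identifier so the cloud can select the
    # device key, then the length-prefixed first segment, then the second segment.
    return device_id + struct.pack(">I", len(first_ct)) + first_ct + second_ct


class Cloud:
    """Cloud side of claims 1, 5, 6 and 7."""

    def __init__(self, history):
        # history: constructed list of (terminal_name, unix_time) past communications
        self.master = secrets.token_bytes(KEY_LEN)
        self.history = list(history)
        self.whitelist = {t for t, _ in self.history}      # claim 6: built from the records
        self.registered = {}                               # device_id -> terminal name
        self.rejected = {}                                 # terminal name -> time of failed check

    def validate(self, terminal: str, now: float) -> bool:
        """Claim 6: a terminal passes only if it is in the white list."""
        if terminal in self.whitelist:
            return True
        self.rejected[terminal] = now                      # claim 7: not authenticated
        return False

    def recheck(self, now: float) -> list:
        """Claim 7: after the preset interval, rebuild the white list from the
        (possibly updated) records and re-verify the rejected terminals."""
        self.whitelist = {t for t, _ in self.history}
        restored = [t for t, when in self.rejected.items()
                    if now - when >= RECHECK_INTERVAL and t in self.whitelist]
        for t in restored:
            del self.rejected[t]
        return restored

    def register(self, terminal: str, now: float):
        """Claim 1: verify the requesting terminal, then issue a device identifier.
        Assumed: the per-device key is derived from it and handed over with it."""
        if not self.validate(terminal, now):
            return None
        device_id = secrets.token_bytes(ID_LEN)
        self.registered[device_id] = terminal
        return device_id, _subkey(self.master, device_id)

    def segmented_decrypt(self, encrypted: bytes):
        """Claim 5: split the segments, recover the random key by stripping the
        salt, decrypt the second segment, extract the tag."""
        device_id = encrypted[:ID_LEN]
        if device_id not in self.registered:
            raise PermissionError("unregistered device identifier")
        (n,) = struct.unpack(">I", encrypted[ID_LEN:ID_LEN + 4])
        first_ct = encrypted[ID_LEN + 4:ID_LEN + 4 + n]
        second_ct = encrypted[ID_LEN + 4 + n:]
        salt_key = unseal(_subkey(self.master, device_id), first_ct)
        random_key = salt_key[:-SALT_LEN]                  # disassemble by the preset salt length
        tag_data = unseal(random_key, second_ct)
        inner_id, original = tag_data[:ID_LEN], tag_data[ID_LEN:]  # tag extraction
        if not hmac.compare_digest(inner_id, device_id):
            raise ValueError("inner device tag does not match outer identifier")
        return inner_id, original
```

The point worth noticing for a reviewer of such a scheme is the final comparison in `segmented_decrypt`: the identifier recovered by tag extraction is checked against the identifier whose key unwrapped the first segment, so a payload cannot be re-wrapped under another device's key without the mismatch being detected, and every segment is authenticated before any plaintext is used.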
CN202310273540.6A 2023-03-20 2023-03-20 Secure communication method, apparatus, electronic device and storage medium Pending CN116633582A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310273540.6A CN116633582A (en) 2023-03-20 2023-03-20 Secure communication method, apparatus, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310273540.6A CN116633582A (en) 2023-03-20 2023-03-20 Secure communication method, apparatus, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN116633582A true CN116633582A (en) 2023-08-22

Family

ID=87596170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310273540.6A Pending CN116633582A (en) 2023-03-20 2023-03-20 Secure communication method, apparatus, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN116633582A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117221877A (en) * 2023-09-03 2023-12-12 广东高芯国际物联网科技有限公司 Safety verification and transmission method applied to frequency radio field data
CN117221877B (en) * 2023-09-03 2024-03-29 广东高芯国际物联网科技有限公司 Safety verification and transmission method applied to frequency radio field data

Similar Documents

Publication Publication Date Title
EP3090520B1 (en) System and method for securing machine-to-machine communications
US8327143B2 (en) Techniques to provide access point authentication for wireless network
US9197420B2 (en) Using information in a digital certificate to authenticate a network of a wireless access point
JP5430652B2 (en) Apparatus and method for providing security service in user interface
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
US11736304B2 (en) Secure authentication of remote equipment
CN107317677B (en) Secret key storage and equipment identity authentication method and device
CN113691502B (en) Communication method, device, gateway server, client and storage medium
CN111435913B (en) Identity authentication method and device for terminal of Internet of things and storage medium
KR102186114B1 (en) Method, system, and medium for using dynamic public key infrastructure to transmit and receive encrypted messages
US11470060B2 (en) Private exchange of encrypted data over a computer network
EP3633949A1 (en) Method and system for performing ssl handshake
CN110708291B (en) Data authorization access method, device, medium and electronic equipment in distributed network
CN113742709B (en) Information processing method and device, readable medium and electronic equipment
CN109831311A (en) A kind of server validation method, system, user terminal and readable storage medium storing program for executing
CN116633582A (en) Secure communication method, apparatus, electronic device and storage medium
KR101836211B1 (en) Electronic device authentication manager device
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN115296807B (en) Key generation method, device and equipment for preventing industrial control network viruses
CN112565156B (en) Information registration method, device and system
CN111786955B (en) Method and apparatus for protecting a model
CN110166226B (en) Method and device for generating secret key
CN111970281B (en) Routing equipment remote control method and system based on verification server and electronic equipment
US10491385B2 (en) Information processing system, information processing method, and recording medium for improving security of encrypted communications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination