CN116866333A - Method and device for transmitting encrypted file, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116866333A
Authority
CN
China
Prior art keywords
file
user
public key
encryption
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310794086.9A
Other languages
Chinese (zh)
Inventor
刘知胜
黄泼
罗桦槟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Storlead Technology Co ltd
Original Assignee
Shenzhen Storlead Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Storlead Technology Co ltd
Priority to CN202310794086.9A
Publication of CN116866333A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The invention relates to the technical field of secure transmission and discloses an encrypted file transmission method, an encrypted file transmission device, electronic equipment and a storage medium. In the method, the user side requests and verifies the digital certificate of the server side; the user side generates a user public/private key pair, encrypts the user public key with the server public key and sends the encrypted user public key to the server side; the server side encrypts files in advance during service idle time; the user side encrypts its request with the user private key, and the server side decrypts the request, looks up the corresponding pre-encrypted file, encrypts that file's key with the user public key and sends it to the user side; the user side decrypts the file and performs an integrity check on the original file. The invention can improve the efficiency and security of encrypted file transmission.

Description

Method and device for transmitting encrypted file, electronic equipment and storage medium
Technical Field
The present invention relates to the field of secure transmission technologies, and in particular, to a method and apparatus for transmitting an encrypted file, an electronic device, and a storage medium.
Background
For security of data transmission, more and more websites adopt the HTTPS (Hypertext Transfer Protocol Secure) network transmission protocol for file transmission. HTTPS uses symmetric encryption to encrypt the transmitted file and an asymmetric encryption algorithm to authenticate the identity of the encrypted file, balancing security and encryption efficiency. However, the HTTPS protocol has drawbacks. A file must be encrypted every time it is transmitted, and for files that are relatively large or accessed relatively often the encryption takes a relatively long time, which lowers file transmission efficiency and severely limits the protocol's range of application. As HTTPS has come into wide use, the shortcomings of using it to encrypt files have gradually become apparent. For example, after a user and a system exchange a symmetric encryption key for the first time, the key is stored in the cookies (data stored locally on the terminal) of the user's browser and is used to encrypt and decrypt files in later transfers; using the same key for encryption and decryption many times is a huge security risk, and a key stored in browser cookies is easily leaked. In addition, when HTTPS is used to transfer a file, a single file transfer has to be encrypted and decrypted twice; a server side in particular generally has to serve multiple users at the same time, so long encryption times greatly limit service efficiency. In summary, existing encrypted file transmission methods suffer from low efficiency and low security.
Disclosure of Invention
The invention provides an encrypted file transmission method, an encrypted file transmission device, electronic equipment and a storage medium, and mainly aims to solve the problems of low efficiency and low safety of the encrypted file transmission method.
In order to achieve the above object, the present invention provides an encrypted file transmission method, applied to a client, comprising: sending a certificate verification request to a server side; receiving a digital certificate returned by the server according to the certificate verification request, and performing identity verification on the server according to the digital certificate to obtain an identity verification result; when the identity verification result is that the identity is safe, generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm; encrypting the user public key in the user key pair by using the server public key in the digital certificate to obtain an encrypted public key, and sending the encrypted public key to the server side; encrypting the generated file request by using a user private key in the user key pair to obtain an encryption request, and sending the encryption request to a server; receiving a response file returned by the server terminal based on the encryption public key and the encryption request, and decrypting the response file to obtain an original response file; and carrying out signature verification on the original response file to obtain a signature verification result.
In order to achieve the above object, the present invention provides an encrypted file transmission method, applied to a server, comprising: after receiving a certificate verification request sent by a user side, sending a digital certificate to the user side; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result; receiving an encrypted public key sent by a user side, and decrypting the encrypted public key to obtain a user public key; when the authentication result is that the identity is safe, the user terminal encrypts the user public key in the user key pair generated by the asymmetric encryption algorithm according to the digital certificate; receiving an encryption request sent by a user terminal, and acquiring a response file to be processed according to the encryption request; the encryption request is obtained by encrypting the generated file request by a user terminal through a user private key in a user key pair; encrypting the response file to be processed according to the public key of the user to obtain a response file, and sending the response file to the user side; the response file is used for decrypting by the user side to obtain an original response file, and the original response file is used for signature verification by the user side to obtain a signature verification result.
The invention also provides an encrypted file transmission device, which is applied to a user terminal and comprises: the identity verification module is used for sending a certificate verification request to the server, receiving a digital certificate returned by the server according to the certificate verification request, and carrying out identity verification on the server according to the digital certificate to obtain an identity verification result; the encryption public key generation module is used for generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm when the identity verification result is that the identity is safe, encrypting the user public key in the user key pair by utilizing a server public key in the digital certificate to obtain an encryption public key, and sending the encryption public key to the server side; the file request encryption module is used for encrypting the generated file request by utilizing a user private key in the user key pair to obtain an encryption request and sending the encryption request to the server; the response file decryption module is used for receiving the response file returned by the server end based on the encryption public key and the encryption request, decrypting the response file and obtaining an original response file; and the signature verification module is used for carrying out signature verification on the original response file to obtain a signature verification result.
The invention also provides an encrypted file transmission device, which is applied to a server side and comprises: the digital certificate sending module is used for sending the digital certificate to the user side after receiving the certificate verification request sent by the user side; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result; the encryption public key decryption module is used for receiving the encryption public key sent by the user terminal, and decrypting the encryption public key to obtain the user public key; when the authentication result is that the identity is safe, the user terminal generates a user public key in a user key pair according to the digital certificate by using an asymmetric encryption algorithm and encrypts the user public key; the response file obtaining module to be processed is used for receiving the encryption request sent by the user terminal and obtaining the response file to be processed according to the encryption request; the encryption request is obtained by encrypting the generated file request by a user terminal through a user private key in a user key pair; the response file generation module is used for encrypting the response file to be processed according to the public key of the user to obtain a response file, and sending the response file to the user terminal; the response file is used for decrypting by the user side to obtain an original response file, and the original response file is used for signature verification by the user side to obtain a signature verification result.
The invention also provides an electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the processor is configured to execute the first computer program or the second computer program stored on the memory; when executing the first computer program, the processor realizes the steps in the encrypted file transmission method applied to the user side; when the processor executes the second computer program, the steps in the method for transmitting the encrypted file applied to the server are realized.
The invention also provides a computer-readable storage medium storing a computer program, wherein the first computer program or the second computer program is stored on the computer-readable storage medium; when the first computer program is executed by a processor, the steps of the above encrypted file transmission method applied to the user side are realized; when the second computer program is executed by a processor, the steps of the above encrypted file transmission method applied to the server side are realized.
The embodiment of the invention provides an encrypted file transmission method in which, when a user initiates a request, the file request is encrypted with the user private key and the server side confirms the identity of the user side through the user public key, so the identity of the user side cannot be impersonated and file transmission security is improved; the response file to be processed is encrypted according to the user public key, which reduces the encryption work and improves file transmission efficiency; across multiple interactions between the user side and the server side, different files have different encryption keys, so a key leak does not expose all files, which reduces the risk of file leakage and improves transmission security. Therefore, the encrypted file transmission method, device, electronic equipment and storage medium can solve the problems of low efficiency and low security of encrypted file transmission.
Drawings
FIG. 1 is a signaling flow diagram of an encrypted file transmission method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an encrypted file transmission method applied to a client according to an embodiment of the present invention;
FIG. 3 is an interaction diagram of a client sending an encrypted public key to a server according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a client encrypted file request according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a user side decryption file according to an embodiment of the present invention;
FIG. 6 is a flowchart of an encrypted file transmission method applied to a server according to an embodiment of the present invention;
FIG. 7 is an interaction diagram of a server sending a digital certificate to a client according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of encrypting a file by a server according to an embodiment of the present invention;
FIG. 9 is a functional block diagram of an encrypted file transmitting apparatus applied to a client according to an embodiment of the present invention;
FIG. 10 is a functional block diagram of an encrypted file transmitting apparatus applied to a server according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an electronic device for implementing an encrypted file transmission method according to an embodiment of the invention.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The embodiment of the application provides an encrypted file transmission method. The execution body of the encrypted file transmission method includes, but is not limited to, at least one of a server, a terminal, and the like, which can be configured to execute the method provided by the embodiment of the application. In other words, the encrypted file transfer method may be performed by software or hardware installed in the terminal device or the server device, and the software may be a blockchain platform. The service side includes, but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. The server may be an independent server, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Referring to fig. 1, a signaling flow diagram of an encrypted file transmission method according to an embodiment of the invention is shown.
In this embodiment, the user side sends a certificate verification request to the server side; after receiving a certificate verification request sent by a user terminal, the server terminal sends a digital certificate to the user terminal; the user terminal receives the digital certificate returned by the server terminal according to the certificate verification request, and performs identity verification on the server terminal according to the digital certificate to obtain an identity verification result; when the identity verification result is that the identity is safe, generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm; encrypting the user public key in the user key pair by using the server public key in the digital certificate to obtain an encrypted public key, and sending the encrypted public key to the server side; the server receives the encrypted public key sent by the user terminal, and decrypts the encrypted public key to obtain the user public key; the user terminal encrypts the generated file request by using a user private key in the user key pair to obtain an encryption request, and sends the encryption request to the server terminal; the server side receives an encryption request sent by the user side and acquires a response file to be processed according to the encryption request; the server encrypts the response file to be processed according to the public key of the user to obtain a response file, and sends the response file to the user; the user terminal receives the response file returned by the server terminal based on the encryption public key and the encryption request, and decrypts the response file to obtain an original response file; and carrying out signature verification on the original response file to obtain a signature verification result.
Referring to fig. 2, a flowchart of an encrypted file transmission method applied to a client according to an embodiment of the present application is shown. In this embodiment, the encrypted file transmission method includes:
S21, sending a certificate verification request to the server side.
In one embodiment, the certificate verification request is used to request a certificate from the server side, and the certificate is then used to verify the identity of the server side; the certificate can be a CA (Certificate Authority) certificate, which is the technical foundation of digital signatures and is also used to prove the legitimacy of a network entity's identity and of its public key.
S22, receiving the digital certificate returned by the server according to the certificate verification request, and carrying out identity verification on the server according to the digital certificate to obtain an identity verification result.
In one embodiment, the purpose of the identity verification is to verify the identity information of the server side, prevent the server side's identity from being impersonated, and ensure the security of information interaction between the user side and the server side; the digital certificate is a certificate proving the identity of the server side, comprises public key, private key and ciphertext information, and is the carrier of the public key; specifically, the public key in the digital certificate is bound to the entity identity of the server side, which indicates the matching relationship between the entity identity and the public key.
In one embodiment, performing identity verification on the server side according to the digital certificate to obtain an identity verification result includes: performing a validity check on the digital certificate to obtain a validity judgment result; when the validity judgment result is that the digital certificate is valid, judging that the identity of the server side is safe, and taking "identity safe" as the identity verification result; and when the validity judgment result is that the digital certificate is invalid, judging that the identity of the server side is unsafe, and taking "identity unsafe" as the identity verification result. In one embodiment, the validity check verifies the validity period and the certificate chain of the digital certificate and checks it against a blacklist; the certificate chain is a complete chain of trust composed of a root certificate, an intermediate certificate and a user certificate, and the digital certificate is valid only when every certificate on the chain is valid, in which case the server side passes the user side's identity verification.
S23, when the identity verification result is that the identity is safe, generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm.
In one embodiment, the user key pair consists of a public key and a private key, and the keys can be generated with the RSA (asymmetric encryption) algorithm or an elliptic curve encryption algorithm; the private key (Private_user) is a random number, and the public key (Public_user) is generated from the private key by the asymmetric encryption algorithm (Public_user = RSA(Private_user)); once the user public key is disclosed it serves as the user's identity credential, and because the private key cannot be derived from the public key, the private key corresponding to the public key cannot be forged, which ensures the security of the user key pair.
In one embodiment, generating a user key pair from a digital certificate using an asymmetric encryption algorithm includes: initializing random large prime numbers, and calculating a product value from the random large prime numbers; performing a function calculation on the product value to obtain function parameters; and encapsulating the function parameters according to the ciphertext information in the digital certificate to obtain the key pair.
In one embodiment, the random large prime numbers may be two primes P and Q, whose product N is then calculated; the function calculation may apply the Euler function to P and Q; the encapsulation may also encrypt the function parameters with an asymmetric encryption method; the ciphertext information in the digital certificate is obtained when the server side, after initiating a session key, encapsulates and encrypts it with the public key and private key contained in the digital certificate; the user side can decapsulate the ciphertext information with an asymmetric encryption algorithm to obtain the same session key as the server side, and the key pair is obtained by encapsulating the function parameters according to the session key; the function parameters are denoted N, e and d, where e and Φ(N) are coprime, N and e are encapsulated as the user public key, and N and d are encapsulated as the user private key.
In one embodiment, the function calculation on the product value uses the following formulas:
N = P * Q
Φ(N) = (P - 1)(Q - 1)
1 < e < Φ(N)
e * d ≡ 1 (mod Φ(N))
where P and Q are the random large prime numbers; N is the product value; d is the intermediate calculation parameter among the function parameters; and e is the random parameter among the function parameters.
S24, encrypting the user public key in the user key pair by using the server public key in the digital certificate to obtain an encrypted public key, and sending the encrypted public key to the server.
In one embodiment, the user public key in the user key pair is encrypted to protect its security: it is encrypted with the public key of the server side to obtain the encrypted public key, the encrypted public key is sent to the server side, and the server side decrypts it to obtain the user public key. The specific process is shown in FIG. 3.
Specifically, in one embodiment, the public key of the server side is stored in the digital certificate, the encryption may use the RSA algorithm, and the encryption process may be expressed as: Public_encrypt = RSA_encrypt(Public_server, Public_user), where Public_server is the public key of the server side, Public_user is the user public key, and Public_encrypt is the encrypted public key.
S25, encrypting the generated file request by using a user private key in the user key pair to obtain an encryption request, and sending the encryption request to the server side.
In one embodiment, the file request is the basis on which the server side performs a file query in the system; the file request is encrypted with the user private key in the user key pair, and because the user private key is stored only on the user side and cannot be forged, the user request is protected from tampering by an illegal intruder during transmission.
In one embodiment, the encryption may use the RSA algorithm, as shown in FIG. 4, and the encryption process may be expressed as: Request_encrypt = RSA_encrypt(request, Private_user), where Request_encrypt is the encryption request, request is the file request, and Private_user is the user private key.
S26, receiving the response file returned by the server side based on the encrypted public key and the encryption request, and decrypting the response file to obtain the original response file.
In one embodiment, the response file is a file containing encrypted response content, an encrypted file, an encrypted random encryption key, and a file signature (response_encryption, secret_key_encryption).
In one embodiment, decrypting the response file to obtain the original response file includes: decrypting the key corresponding to the response file by using the user private key to obtain a symmetric encryption key; and decrypting the encrypted file in the response file by using the symmetric encryption key to obtain the original response file.
In one embodiment, the original response file contains the response content, the original file, the symmetric encryption key, and the file signature; FIG. 5 shows the user side decrypting the file.
And S27, performing signature verification on the original response file to obtain a signature verification result.
In one embodiment, performing signature verification on the original response file to obtain a signature verification result, including: carrying out hash signature calculation on an original file in the original response file to obtain a hash signature; and comparing the consistency of the hash signature with the file signature in the original response file to obtain a signature verification result.
In one embodiment, the process of hash signature computation may be expressed as:
digest1 = sha256(file)
where digest1 is the hash signature and file is the original file.
In one embodiment, the consistency comparison is to verify the integrity of the original response file; when the signature verification result is that the hash signature is consistent with the file signature, judging that the original response file is not tampered; and when the signature verification result is that the hash signature is inconsistent with the file signature, judging that the original response file is tampered.
Fig. 6 is a schematic flow chart of an encrypted file transmission method applied to a server according to an embodiment of the present application. In this embodiment, the encrypted file transmission method includes:
S61, after receiving a certificate verification request sent by a user side, sending a digital certificate to the user side; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result.
In one embodiment, when the verification request is received, a local CA (Certificate Authority) certificate is sent to the user side. FIG. 7 shows the user side obtaining the public key of the server side and verifying the identity of the server side: the user side verifies the CA certificate of the server side, and the server side holds a public key (Public_server) and a private key (Private_server); the local CA certificate generally contains information such as the public key and the issuing authority of the server side, and can prove the identity information of the server side.
S62, receiving an encrypted public key sent by a user terminal, and decrypting the encrypted public key to obtain a user public key; and when the authentication result is that the identity is safe, the user terminal encrypts the user public key in the user key pair generated by the asymmetric encryption algorithm according to the digital certificate.
In one embodiment, the user public key is obtained by decrypting the encrypted public key with a preset server private key, and the decryption process can be expressed as:
Public_user=RSA_decrypt(public_encrypt,Private_server);
where Public_user denotes the user public key; public_encrypt denotes the encrypted public key; Private_server denotes the server private key.
In one embodiment, since the server private key is stored in the local system of the server side and cannot be stolen by an illegal intruder, the illegal intruder cannot obtain the user public key through decryption, and the security of the user public key in the transmission process is ensured; after the user public key is obtained, the server side stores the user public key as an identity credential of the user side, and the server side and the user side can establish communication according to the user public key.
S63, receiving an encryption request sent by a user terminal, and acquiring a response file to be processed according to the encryption request; the encryption request is obtained by encrypting the generated file request by using a user private key in a user key pair.
In one embodiment, obtaining the response file to be processed according to the encryption request includes: decrypting the encryption request according to the user public key to obtain the file request; obtaining a file to be processed and symmetrically encrypting it to obtain an encrypted file pair; and searching the encrypted file pairs according to the file request to obtain the response file to be processed.
In one embodiment, since asymmetric encryption takes longer, a symmetric encryption method, for example the AES encryption algorithm, is adopted; and since the encryption key of each file to be processed is randomly generated, the security of the file can be improved. The encrypted file pair comprises an encrypted file, a random encryption key and a file signature (digest). The file signature is generated by digesting the file to be processed with a hash algorithm (such as SHA-256) to obtain a file digest, and then performing signature calculation on the file digest according to a private key in the encryption key; the file signature is used for signature verification at the user side, ensuring that the file has not been tampered with.
In one embodiment, the encrypted file pairs are stored on the server in one-to-one correspondence with file plaintexts, where the file plaintext is the index information of the encrypted file pair. According to the file request, a plaintext lookup is first performed using the server side's system query service to obtain the file plaintext, and the encrypted file pair corresponding to that file plaintext, namely the response file to be processed, is then obtained. File encryption can be performed when the server is idle, which improves the efficiency of file encryption.
In one embodiment, since the process of decrypting the encrypted request is similar to the process of decrypting the encrypted public key, the description thereof will not be repeated here.
S64, encrypting the response file to be processed according to the user public key to obtain a response file, and sending the response file to the user side; the response file is decrypted by the user side to obtain an original response file, and the user side performs signature verification on the original response file to obtain a signature verification result.
In one embodiment, the content of the response file to be processed is the saved single response content (response), and encrypting the response file to be processed according to the user public key means encrypting the single response content and the random encryption key in the response file to be processed. In particular, single response content that is not already stored in the system can also be encrypted with a random encryption key to obtain encrypted response content, which can be expressed as follows:
response_encrypt=AES_encrypt(response,secret_key);
where response_encrypt denotes the encrypted response content; response denotes the single response content; secret_key denotes the random encryption key.
Fig. 8 is a schematic diagram of the server side encrypting a file. In one embodiment, the encrypted response content is appended to obtain the response file; the response file sent to the user side includes the encrypted response content (response_encryption), the encrypted file (file_encryption), the encrypted random encryption key (secret_key_encryption), and the file signature (digest). With this method of encrypting the response file to be processed, the file that was encrypted in advance does not need to be encrypted again; only the single response content and the random encryption key need to be encrypted. Because the single response content and the random encryption key are small, a large amount of encryption time is saved; and because the random encryption key is random, the security of the encrypted random encryption key during transmission of the response file is ensured.
The invention provides an encrypted file transmission method. When the user side initiates a request, the file request is encrypted with the user private key and the server side confirms the identity of the user side through the user public key, so the identity of the user side cannot be impersonated and file transmission security is improved. The response file to be processed is encrypted according to the user public key, which reduces the amount of encryption and improves file transmission efficiency. Across multiple interactions between the user side and the server side, different files have different encryption keys, so a key leak does not expose all files; this reduces the risk of file leakage and improves transmission security. The encrypted file transmission method provided by the invention can therefore solve the problem of low efficiency and security in encrypted file transmission methods.
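The server-side packaging of S63 and S64 together with the user-side decryption and signature check, as an added example that is not code from the patent. The patent names only RSA, AES and SHA-256; AES-256-GCM, RSA-OAEP, the PKCS#1 v1.5 signature over the SHA-256 digest, all function names and the sample file are assumptions, and the single response content is left out.

```javascript
// Added example, not the patent's code: the "encrypted file pair" flow using
// only Node's built-in crypto module. Modes, paddings and names are assumptions.
const nodeCrypto = require('crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed demo key pair; stands in for the server or the user key pair.
function newRsaKeyPair() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Server, ahead of time (e.g. when idle): encrypt one file under its own random
// key and sign its SHA-256 digest. The result is the stored encrypted file pair.
function prepareEncryptedFilePair(file, serverPrivateKey) {
  const secretKey = nodeCrypto.randomBytes(32);   // random per-file AES-256 key
  const iv = nodeCrypto.randomBytes(12);          // fresh 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', secretKey, iv);
  const fileEncrypt = Buffer.concat([cipher.update(file), cipher.final()]);
  const tag = cipher.getAuthTag();
  // crypto.sign hashes the file with SHA-256 and signs that digest.
  const digest = nodeCrypto.sign('sha256', file, serverPrivateKey);
  return { fileEncrypt, iv, tag, secretKey, digest };
}

// Server, per request: the bulk ciphertext is reused as stored; only the small
// random key is encrypted with the user public key.
function buildResponseFile(pair, userPublicKey) {
  const secretKeyEncrypt = nodeCrypto.publicEncrypt({ key: userPublicKey, ...OAEP }, pair.secretKey);
  return {
    fileEncrypt: pair.fileEncrypt,
    iv: pair.iv,
    tag: pair.tag,
    secretKeyEncrypt,
    digest: pair.digest,
  };
}

// User side: recover the symmetric key with the user private key, decrypt the
// file, then check the file signature before the plaintext is released.
function openResponseFile(response, userPrivateKey, serverPublicKey) {
  let file;
  try {
    const secretKey = nodeCrypto.privateDecrypt({ key: userPrivateKey, ...OAEP }, response.secretKeyEncrypt);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', secretKey, response.iv);
    decipher.setAuthTag(response.tag);
    file = Buffer.concat([decipher.update(response.fileEncrypt), decipher.final()]);
  } catch (err) {
    // Wrong private key, or ciphertext/nonce/tag modified in transit.
    return { ok: false, reason: 'decrypt-failed', file: null };
  }
  const consistent = nodeCrypto.verify('sha256', file, serverPublicKey, response.digest);
  return consistent
    ? { ok: true, reason: 'not-tampered', file }
    : { ok: false, reason: 'signature-mismatch', file: null };
}

// Runs the exchange on a constructed sample file plus two tampering cases.
function demo() {
  const server = newRsaKeyPair();
  const user = newRsaKeyPair();
  const file = Buffer.from('constructed sample file contents\n');

  const pair = prepareEncryptedFilePair(file, server.privateKey);
  const response = buildResponseFile(pair, user.publicKey);
  const good = openResponseFile(response, user.privateKey, server.publicKey);

  // Case 1: one bit of the encrypted file is flipped in transit.
  const flipped = Buffer.from(response.fileEncrypt);
  flipped[0] ^= 1;
  const tamperedBody = openResponseFile(
    { ...response, fileEncrypt: flipped }, user.privateKey, server.publicKey);

  // Case 2: the file signature is replaced by a valid signature of another file.
  const other = prepareEncryptedFilePair(Buffer.from('another file'), server.privateKey);
  const swappedSignature = openResponseFile(
    { ...response, digest: other.digest }, user.privateKey, server.publicKey);

  return {
    good: good.reason,
    recovered: good.file.toString(),
    tamperedBody: tamperedBody.reason,
    swappedSignature: swappedSignature.reason,
  };
}

console.log(demo());
```

The plaintext is returned only when both the decryption and the signature check succeed, so a caller cannot act on a file that failed verification.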
Fig. 9 is a functional block diagram of an encrypted file transmitting apparatus applied to a client according to an embodiment of the present invention.
The encrypted file transmitting apparatus 900 according to the present invention can be installed in an electronic device. Depending on the functions implemented, the encrypted file transfer apparatus 900 may include an authentication module 901, an encrypted public key generation module 902, a file request encryption module 903, a response file decryption module 904, and a signature verification module 905. The module of the invention, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the present embodiment, the functions concerning the respective modules/units are as follows: the identity verification module 901 is configured to send a certificate verification request to a server, receive a digital certificate returned by the server according to the certificate verification request, and perform identity verification on the server according to the digital certificate to obtain an identity verification result; the encryption public key generation module 902 is configured to generate a user key pair according to the digital certificate by using an asymmetric encryption algorithm when the authentication result is that the identity is safe; encrypting the user public key by using the server public key in the digital certificate to obtain an encrypted public key, and sending the encrypted public key to the server side; the file request encryption module 903 is configured to encrypt the generated file request with a user private key in the user key pair, obtain an encrypted request, and send the encrypted request to the server; the response file decryption module 904 is configured to receive a response file returned by the server side based on the encryption public key and the encryption request, and decrypt the response file to obtain an original response file; the signature verification module 905 is configured to perform signature verification on the original response file, so as to obtain a signature verification result.
In detail, each module in the encrypted file transmitting apparatus 900 in the embodiment of the present invention adopts the same technical means as the encrypted file transmitting method in the drawings when in use, and can produce the same technical effects, which are not described herein.
Fig. 10 is a functional block diagram of an encrypted file transmitting apparatus applied to a server according to an embodiment of the present invention.
The encrypted file transmitting apparatus 1000 according to the present invention can be mounted in an electronic device. Depending on the functions implemented, the encrypted file transmitting apparatus 1000 may include a digital certificate transmitting module 1001, an encrypted public key decrypting module 1002, a pending response file acquiring module 1003, and a response file generating module 1004. The module of the invention, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the present embodiment, the functions concerning the respective modules/units are as follows: the digital certificate sending module 1001 is configured to send a digital certificate to a user terminal after receiving a certificate verification request sent by the user terminal; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result; the encryption public key decryption module 1002 is configured to receive an encryption public key sent by a user side, and decrypt the encryption public key to obtain a user public key; when the authentication result is that the identity is safe, the user terminal encrypts the user public key in the user key pair generated by the asymmetric encryption algorithm according to the digital certificate; a pending response file obtaining module 1003, configured to receive an encryption request sent by a user side, and obtain a pending response file according to the encryption request; the encryption request is obtained by encrypting the generated file request by a user terminal through a user private key in a user key pair; the response file generating module 1004 is configured to encrypt a response file to be processed according to a public key of a user to obtain a response file, and send the response file to the user terminal; the response file is used for decrypting by the user side to obtain an original response file, and the original response file is used for signature verification by the user side to obtain a signature verification result.
In detail, each module in the encrypted file transmitting apparatus 1000 in the embodiment of the present invention adopts the same technical means as the encrypted file transmitting method in the drawings when in use, and can produce the same technical effects, which are not described herein.
Fig. 11 is a schematic structural diagram of an electronic device for implementing an encrypted file transmission method according to an embodiment of the present invention.
The electronic device 1100 may include a processor 1101, a memory 1102, a communication bus 1103, and a communication interface 1104, and may also include computer programs stored in the memory 1102 and executable on the processor 1101, such as an encrypted file transfer program.
The processor 1101 may be formed by an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be formed by a plurality of integrated circuits packaged with the same function or different functions, including one or more central processing units (Central Processing Unit, CPU), a microprocessor, a digital processing chip, a combination of a graphics processor and various control chips, etc. The processor 1101 is a Control Unit (Control Unit) of the electronic device, connects various components of the entire electronic device using various interfaces and lines, and executes various functions of the electronic device and processes data by running or executing programs or modules stored in the memory 1102 (e.g., executing an encrypted file transfer program, etc.), and calling data stored in the memory 1102.
Memory 1102 includes at least one type of readable storage medium including flash memory, a removable hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc. Memory 1102 may be an internal storage unit of an electronic device in some embodiments, such as a removable hard disk of the electronic device. The memory 1102 may also be an external storage device of the electronic device in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the electronic device. Further, the memory 1102 may also include both internal storage units and external storage devices of the electronic device. The memory 1102 may be used not only for storing application software installed in an electronic device and various types of data, such as code based on an encrypted file transfer program, but also for temporarily storing data that has been output or is to be output.
The communication bus 1103 may be a Peripheral Component Interconnect (PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. The bus is arranged to enable connected communication between the memory 1102 and the at least one processor 1101 or the like.
Communication interface 1104 is used for communication between the electronic device and other devices described above, including network interfaces and user interfaces. Optionally, the network interface may include a wired interface and/or a wireless interface (e.g., WI-FI interface, bluetooth interface, etc.), typically used to establish a communication connection between the electronic device and other electronic devices. The user interface may be a Display (Display), an input unit such as a Keyboard (Keyboard), or alternatively a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch, or the like. The display may also be referred to as a display screen or display unit, as appropriate, for displaying information processed in the electronic device and for displaying a visual user interface.
Fig. 11 illustrates only an electronic device having components, and it will be appreciated by those skilled in the art that the configuration illustrated in fig. 11 is not limiting of the electronic device 1100 and may include fewer or more components than illustrated, or may combine certain components, or a different arrangement of components.
For example, although not shown, the electronic device may further include a power source (such as a battery) for powering the various components, the power source may preferably be logically connected to the at least one processor 1101 by a power management device, such that charge management, discharge management, and power consumption management functions are performed by the power management device. The power supply may also include one or more of any of a direct current or alternating current power supply, recharging device, power failure detection circuit, power converter or inverter, power status indicator, etc. The electronic device may also include various sensors, bluetooth modules, wi-Fi modules, etc., which are not described in detail herein.
It should be understood that the embodiments are for illustrative purposes only, and the scope of the patent application is not limited to this configuration.
In particular, the specific implementation method of the above instruction by the processor 1101 may refer to the description of the relevant steps in the corresponding embodiment of the drawings, which is not repeated herein.
Further, the integrated modules/units of the electronic device 1100 may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as a stand alone product. The computer readable storage medium may be volatile or nonvolatile. For example, the computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM).
The present invention also provides a computer readable storage medium storing a computer program which, when executed by a processor, can implement the encrypted file transfer method of any of the above embodiments. The computer-readable storage medium may be volatile or nonvolatile. For example, the computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM). In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of modules is merely a logical function division, and other manners of division may be implemented in practice.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in the form of hardware, or in the form of hardware plus software functional modules.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The embodiments of the application can acquire and process the related data based on artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms first, second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (11)

1. An encrypted file transmission method, which is characterized by being applied to a user side, comprises the following steps:
sending a certificate verification request to a server side;
receiving a digital certificate returned by the server according to the certificate verification request, and performing identity verification on the server according to the digital certificate to obtain an identity verification result;
when the identity verification result is identity security, generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm;
Encrypting the user public key in the user key pair by using the server public key in the digital certificate to obtain an encrypted public key, and sending the encrypted public key to the server side;
encrypting the generated file request by using a user private key in the user key pair to obtain an encryption request, and sending the encryption request to the server side;
receiving a response file returned by the server based on the encryption public key and the encryption request, and decrypting the response file to obtain an original response file;
and carrying out signature verification on the original response file to obtain a signature verification result.
2. The method for transmitting an encrypted file according to claim 1, wherein the generating a user key pair from the digital certificate using an asymmetric encryption algorithm comprises:
initializing a random large prime number, and calculating the random large prime number to obtain a product value;
performing the product value with a product function to obtain a product value;
and performing a linear function calculation on the product value by using the following steps:
N=P*Q
Φ(N)=(P-1)(Q-1)
1<e<Φ(N)
e*d=1(modΦ(N))
wherein P and Q are respectively represented as the random large prime numbers; n is represented as the product value; d is denoted as an intermediate calculation parameter of the function parameters; e is represented as a random parameter of the function parameters;
And packaging the function parameters according to the ciphertext information in the digital certificate to obtain a key pair.
3. The method for transmitting encrypted files according to claim 1, wherein said signature verification of said original response file, to obtain a signature verification result, comprises:
performing hash signature calculation on the original file in the original response file to obtain a hash signature;
hash signature computation was performed using the following:
digest1=sha256(file)
wherein digest1 is represented as the hash signature; file is expressed as the original file;
and comparing the consistency of the hash signature with the file signature in the original response file to obtain a signature verification result.
4. The method for transmitting an encrypted file according to claim 1, wherein decrypting the response file to obtain an original response file comprises:
decrypting the key corresponding to the response file by using the user private key to obtain a symmetric encryption key;
and decrypting the encrypted file in the response file by using the symmetric encryption key to obtain an original response file.
5. The method for transmitting encrypted files according to claim 1, wherein said authenticating said server according to said digital certificate, to obtain an authentication result, comprises:
Performing legal inspection on the digital certificate to obtain a legal judgment result;
when the legal judgment result is that the digital certificate is legal, judging the identity security of the server side, and taking the identity security as an identity verification result;
and when the legal judgment result is that the digital certificate is illegal, judging that the identity of the server is unsafe, and taking the unsafe identity as an identity verification result.
6. An encrypted file transmission method, which is applied to a server, the method comprising:
after receiving a certificate verification request sent by a user side, sending a digital certificate to the user side; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result;
receiving an encrypted public key sent by the user side, and decrypting the encrypted public key to obtain a user public key; when the authentication result is that the identity is safe, the user terminal encrypts a user public key in a user key pair generated by using an asymmetric encryption algorithm according to the digital certificate;
receiving the encryption request sent by the user side, and acquiring a response file to be processed according to the encryption request; the encryption request is obtained by encrypting the generated file request by the user terminal through a user private key in the user key pair;
Encrypting the response file to be processed according to the user public key to obtain a response file, and sending the response file to the user terminal; the response file is used for decrypting the user side to obtain an original response file, and the original response file is used for signature verification of the user side to obtain a signature verification result.
7. The method for transmitting an encrypted file according to claim 6, wherein said obtaining a response file to be processed according to said encryption request comprises:
decrypting the encryption request according to the user public key to obtain a file request;
obtaining a file to be processed, and symmetrically encrypting the file to be processed to obtain an encrypted file pair;
and searching the file in the encrypted file pair according to the file request to obtain a response file to be processed.
8. An encrypted file transmission apparatus, applied to a user terminal, comprising:
the identity verification module is used for sending a certificate verification request to a server, receiving a digital certificate returned by the server according to the certificate verification request, and carrying out identity verification on the server according to the digital certificate to obtain an identity verification result;
The encryption public key generation module is used for generating a user key pair according to the digital certificate by utilizing an asymmetric encryption algorithm when the identity verification result is identity security, encrypting the user public key in the user key pair by utilizing a server public key in the digital certificate to obtain an encryption public key, and sending the encryption public key to the server side;
the file request encryption module is used for encrypting the generated file request by utilizing a user private key in the user key pair to obtain an encryption request, and sending the encryption request to the server side;
the response file decryption module is used for receiving the response file returned by the server based on the encryption public key and the encryption request, and decrypting the response file to obtain an original response file;
and the signature verification module is used for carrying out signature verification on the original response file to obtain a signature verification result.
9. An encrypted file transmission apparatus, applied to a server side, comprising:
the digital certificate sending module is used for sending a digital certificate to the user terminal after receiving a certificate verification request sent by the user terminal; the digital certificate is used for carrying out identity verification on the user side to obtain an identity verification result;
The encryption public key decryption module is used for receiving the encryption public key sent by the user terminal, and decrypting the encryption public key to obtain a user public key; when the authentication result is that the identity is safe, the user terminal encrypts a user public key in a user key pair generated by using an asymmetric encryption algorithm according to the digital certificate;
the response file to be processed acquisition module is used for receiving the encryption request sent by the user side and acquiring a response file to be processed according to the encryption request; the encryption request is obtained by encrypting the generated file request by the user terminal through a user private key in the user key pair;
the response file generation module is used for encrypting the response file to be processed according to the user public key to obtain a response file, and sending the response file to the user terminal; the response file is used for decrypting the user side to obtain an original response file, and the original response file is used for signature verification of the user side to obtain a signature verification result.
10. An electronic device, the electronic device comprising:
at least one processor; and,
a memory communicatively coupled to the at least one processor; wherein,
the processor is configured to execute a first computer program or a second computer program stored on the memory;
the steps of the method of any one of claims 1 to 5 are carried out when the processor executes the first computer program, and the steps of the method of claim 6 or 7 are carried out when the processor executes the second computer program.
11. A computer readable storage medium having stored thereon a first computer program or a second computer program, characterized in that the first computer program, when being executed by a processor, implements the steps of the method according to any of claims 1 to 5, and the second computer program, when being executed by a processor, implements the steps of the method according to claim 6 or 7.
CN202310794086.9A 2023-06-29 2023-06-29 Method and device for transmitting encrypted file, electronic equipment and storage medium Pending CN116866333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310794086.9A CN116866333A (en) 2023-06-29 2023-06-29 Method and device for transmitting encrypted file, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310794086.9A CN116866333A (en) 2023-06-29 2023-06-29 Method and device for transmitting encrypted file, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116866333A true CN116866333A (en) 2023-10-10

Family

ID=88235139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310794086.9A Pending CN116866333A (en) 2023-06-29 2023-06-29 Method and device for transmitting encrypted file, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116866333A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640251A (en) * 2024-01-24 2024-03-01 中国信息通信研究院 Encryption and decryption verification method and device based on distributed network, equipment and medium

Similar Documents

Publication Publication Date Title
CN110336774B (en) Mixed encryption and decryption method, equipment and system
US8660266B2 (en) Method of delivering direct proof private keys to devices using an on-line service
Yang et al. Provable data possession of resource-constrained mobile devices in cloud computing
JP4616345B2 (en) A method for directly distributing a certification private key to a device using a distribution CD
US7693286B2 (en) Method of delivering direct proof private keys in signed groups to devices using a distribution CD
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
KR20080051753A (en) System and method for providing security
CN109688098B (en) Method, device and equipment for secure communication of data and computer readable storage medium
CN106790045B (en) distributed virtual machine agent device based on cloud environment and data integrity guarantee method
EP2608477A1 (en) Trusted certificate authority to create certificates based on capabilities of processes
CN108390866B (en) Trusted remote certification method and system based on double-agent bidirectional anonymous authentication
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
CN109951276A (en) Embedded device remote identity authentication method based on TPM
CN116866333A (en) Method and device for transmitting encrypted file, electronic equipment and storage medium
CN113918982B (en) Data processing method and system based on identification information
US8954728B1 (en) Generation of exfiltration-resilient cryptographic keys
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN112150151B (en) Secure payment method, apparatus, electronic device and storage medium
US11496287B2 (en) Privacy preserving fully homomorphic encryption with circuit verification
CN111127020B (en) Transaction data confusion method based on blockchain and related equipment
KR100883442B1 (en) Method of delivering direct proof private keys to devices using an on-line service
CN114726644B (en) Data transmission method, device, equipment and storage medium based on key encryption
CN112865968B (en) Data ciphertext hosting method and system, computer equipment and storage medium
CN110213245B (en) Application system short-distance energy-saving communication method and system based on asymmetric key pool and proxy signature
CN113132107B (en) License encryption method and device, license decryption method and device and equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination