CN117040905A - Data encryption transmission method, device, equipment and storage medium - Google Patents


Info

Publication number
CN117040905A
Authority
CN
China
Prior art keywords
plaintext data
digital
target
message
digital signature
Prior art date
Legal status
Pending
Application number
CN202311148900.6A
Other languages
Chinese (zh)
Inventor
申世哲
Current Assignee
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date
Filing date
Publication date
Application filed by Bank of China Ltd
Priority to CN202311148900.6A
Publication of CN117040905A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The application provides a data encryption transmission method, a device, equipment and a storage medium, which can be used in the field of network security. The method comprises the following steps: determining first plaintext data to be transmitted; encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data; determining a first public key corresponding to the first private key; encrypting the first public key through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data; and generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate, and sending the first target message to target equipment. The method of the application improves the security of information encryption transmission among different systems.

Description

Data encryption transmission method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a data encryption transmission method, apparatus, device, and storage medium.
Background
Information transfer between different systems requires that the information be encrypted. At present, a common approach is that the sender encrypts the information with its own private key to generate a digital signature and sends the digital signature together with the information to the receiver; the receiver first decrypts the digital signature with the sender's public key, then compares the decrypted result with the information, and if the two are consistent the information has not been tampered with.
If a lawless person impersonates the sender when issuing public key information, the sender's public key stored by every receiver is wrong; and if the lawbreaker steals the sender's private key, the sent information can be tampered with. With encryption performed in this way, the security of information encryption transmission among different systems is low.
Disclosure of Invention
The application provides a data encryption transmission method, device, equipment and storage medium, which are used to solve the problem in the prior art that information encryption transmission between different systems has low security.
In a first aspect, the present application provides a data encryption transmission method, including:
determining first plaintext data to be transmitted;
encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data;
determining a first public key corresponding to the first private key;
encrypting the first public key through a second private key of a certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data;
and generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate, and sending the first target message to target equipment.
In one possible implementation manner, the encrypting the first plaintext data by using the first private key to obtain a first digital signature corresponding to the first plaintext data includes:
performing hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data;
and carrying out encryption processing on the first digital digest through the first private key to obtain the first digital signature.
In one possible implementation, based on the first plaintext data, the first digital signature, and the first digital certificate, generating a first target message, including:
determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate;
and combining the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position to generate the first target message.
In one possible embodiment, the method further comprises:
receiving a second target message sent by the target equipment;
analyzing the second target message to obtain second plaintext data, a second digital signature and a second digital certificate in the second target message;
and carrying out verification processing on the second plaintext data according to the second digital signature and the second digital certificate to obtain a verification result, wherein the verification result is that verification is passed or verification is failed.
In one possible implementation manner, according to the second digital signature and the second digital certificate, the verification process is performed on the second plaintext data to obtain a verification result, which includes:
performing hash operation on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data;
generating a target digital digest according to the second digital signature and the second digital certificate;
if the second digital digest is the same as the target digital digest, determining that the verification result is that the verification is passed;
and if the second digital digest is different from the target digital digest, determining that the verification result is that the verification fails.
In one possible implementation, generating a target digital digest from the second digital signature and the second digital certificate includes:
determining a second public key corresponding to the second private key of the certificate authority;
decrypting the second digital certificate through the second public key to obtain a target public key;
and decrypting the second digital signature through the target public key to obtain the target digital digest.
In one possible embodiment, the method further comprises:
and if the verification result is that the verification is not passed, sending a prompt message to the target equipment, wherein the prompt message is used for indicating that the second plaintext data in the second target message is tampered.
In a second aspect, the present application provides a data encryption transmission apparatus, comprising:
the first determining module is used for determining first plaintext data to be transmitted;
the first encryption module is used for encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data;
the second determining module is used for determining a first public key corresponding to the first private key;
the second encryption module is used for encrypting the first public key through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data;
the generation module is used for generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate;
and the sending module is used for sending the first target message to target equipment.
In one possible implementation, the first encryption module is specifically configured to:
performing hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data;
and carrying out encryption processing on the first digital digest through the first private key to obtain the first digital signature.
In one possible implementation, the generating module is specifically configured to:
determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate;
and combining the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position to generate the first target message.
In one possible embodiment, the apparatus further comprises:
the receiving module is used for receiving a second target message sent by the target equipment;
the analysis module is used for analyzing the second target message to acquire second plaintext data, a second digital signature and a second digital certificate in the second target message;
and the verification module is used for carrying out verification processing on the second plaintext data according to the second digital signature and the second digital certificate to obtain a verification result, wherein the verification result is verification passing or verification failing.
In one possible implementation, the verification module is specifically configured to:
performing hash operation on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data;
generating a target digital digest according to the second digital signature and the second digital certificate;
if the second digital digest is the same as the target digital digest, determining that the verification result is that the verification is passed;
and if the second digital digest is different from the target digital digest, determining that the verification result is that the verification fails.
In one possible implementation, the verification module is specifically configured to:
determining a second public key corresponding to the second private key of the certificate authority;
decrypting the second digital certificate through the second public key to obtain a target public key;
and decrypting the second digital signature through the target public key to obtain the target digital digest.
In one possible embodiment, the apparatus further comprises:
and the prompt module is used for sending a prompt message to the target equipment if the verification result is that the verification is not passed, wherein the prompt message is used for indicating that the second plaintext data in the second target message is tampered.
In a third aspect, an embodiment of the present application provides an electronic device, including: a memory and a processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of the first aspects.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored therein computer-executable instructions for performing the method of any of the first aspects when the computer-executable instructions are executed by a processor.
In a fifth aspect, an embodiment of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the first aspects.
The embodiment of the application provides a method, a device, equipment and a storage medium for controlling overtaking assistance, wherein in the method, first plaintext data to be sent is determined; the first plaintext data is encrypted through a first private key to obtain a first digital signature corresponding to the first plaintext data; a first public key corresponding to the first private key is determined; the first public key is encrypted through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data; and a first target message is generated according to the first plaintext data, the first digital signature and the first digital certificate and sent to target equipment. Therefore, the receiver no longer needs to store a large amount of public key information in its database, which releases resources, and an illegal person who wants to tamper with the information needs to obtain not only the private key of the sender but also the private key of the certificate management mechanism, so that the security of information encryption transmission among different systems is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flow chart of a data encryption transmission method according to an embodiment of the present application;
fig. 3 is a flow chart of another data encryption transmission method according to an embodiment of the present application;
fig. 4 is a flow chart of another data encryption transmission method according to an embodiment of the present application;
fig. 5 is a schematic diagram of another application scenario provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a data encryption transmission device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of another data encryption transmission device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that the data encryption transmission method and device of the present application can be used in the network security field, and can also be used in any field other than the network security field, and the application field of the data encryption transmission method and device of the present application is not limited.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application. The application scenario can comprise a first system and a second system; the two systems can interact through communication, and each of them can act as the sender or the receiver of information transmission.
Assuming that the first system is a sender of information transfer and the second system is a receiver of information transfer, the first system sends plaintext data to the second system.
In the related art, the encryption mode is as follows: the first system, as the sender, encrypts the plaintext data with its first private key to generate a digital signature and sends the digital signature and the plaintext data to the second system; the second system, as the receiver, decrypts the digital signature with the first public key corresponding to the first system, then compares the decryption result with the plaintext data, and if they are consistent the plaintext data has not been tampered with and its security is confirmed.
In the above process, if a lawbreaker impersonates the sender when sending public key information, the sender's public key stored by every receiver is wrong. For example, C sends its own public key to B disguised as A's public key, so that B holds what it believes is A's public key (in substance C's). When B receives information from C disguised as information sent by A, B treats it as information sent by A (in substance sent by C); since C encrypted the information with its own private key, B can decrypt it normally. B believes it is communicating with A but is in fact communicating with C. If the lawbreaker steals the sender's private key, the sent information can be tampered with. With encryption performed in this way, the security of information encryption transmission among different systems is low.
In order to solve the above technical problems, the embodiment of the application provides a data encryption transmission method: the sender encrypts its own public key with the private key of a certificate management mechanism to obtain a digital certificate, and sends the digital certificate, the plaintext data and the digital signature to the receiver; the receiver decrypts the digital certificate with the public key of the certificate management mechanism to obtain the sender's public key, decrypts the digital signature with the sender's public key to obtain a decryption result, and compares whether the decryption result is consistent with the plaintext data. Therefore, the receiver no longer needs to store a large amount of public key information in its database, which releases resources, and an illegal person who wants to tamper with the information needs to obtain not only the private key of the sender but also the private key of the certificate management mechanism, so that the security of information encryption transmission among different systems is improved.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a data encryption transmission method according to an embodiment of the present application. The execution body of the embodiment of the application can be electronic equipment or a data encryption transmission device arranged in the electronic equipment. The data encryption transmission device can be realized by software or a combination of software and hardware. Referring to fig. 2, the method includes:
S201, determining first plaintext data to be transmitted.
The first plaintext data may be an XML message.
For example, the first plaintext data may be an XML message for the transaction record for the first user at the first bank.
A plurality of plaintext data may be acquired, and first plaintext data to be transmitted may be determined among the plurality of plaintext data.
S202, encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data.
The first private key may be a private key in a private key-public key pair determined by the current electronic device through an asymmetric encryption algorithm.
The first digital signature may be created by the current electronic device and verified by any device. The first digital signature may be a digital signature that verifies the authenticity of the first plaintext data.
In an asymmetric encryption algorithm, encryption and decryption use different keys, one serving as the public key and the other as the private key. Information encrypted with the public key can be decrypted only with the private key, and information encrypted with the private key can be decrypted only with the public key.
Wherein the private key and the public key are in one-to-one correspondence.
For example, a plurality of private and public key pairs may be as shown in table 1:
TABLE 1
A plurality of private key and public key pairs within their validity period may be acquired on the current device, the first private key may be determined among these pairs, and the first plaintext data may be encrypted through the first private key using an asymmetric encryption algorithm to obtain the first digital signature corresponding to the first plaintext data.
Alternatively, the first digital signature corresponding to the first plaintext data may be obtained by: performing hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data; and encrypting the first digital digest by the first private key to obtain a first digital signature.
The hash operation may be an algorithm that accepts an input of unlimited length and returns an output of fixed length. The first digital digest may be a 256-bit string.
S203, determining a first public key corresponding to the first private key.
The first public key may be a public key of a private key-public key pair determined by the current electronic device through an asymmetric encryption algorithm.
The first public key may be stored only in the current electronic device and not transmitted to a plurality of other devices for storage.
The first public key corresponding to the first private key may be determined from a plurality of private key and public key pairs based on the first private key.
S204, encrypting the first public key through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data.
The certificate authority may be a third-party organization entrusted with issuing digital certificates.
The private key and the public key of the certificate authority exist in pairs: the private key is kept by its owner for decryption and signing, and the public key may be made public for encryption and signature verification. The public key and the private key of the certificate authority are paired in the digital certificate, and what is sealed with the private key in the certificate can be unlocked only with the public key.
The first digital certificate is guaranteed by the certificate authority to be a valid encryption of the first public key that cannot be disguised by a lawbreaker. The first digital certificate may include the issue date, the expiration date, etc. of the certificate, which is not limited here.
The second private key of the certificate authority can be obtained, and the first public key is encrypted through the second private key to obtain a first digital certificate corresponding to the first plaintext data.
S205, generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate, and sending the first target message to target equipment.
The first target message may include a message header and a data portion. The data portion includes first plaintext data, a first digital signature, and a first digital certificate.
For example, the first target message may be as shown in table 1:
TABLE 1
The message header may be 20 bytes and the data portion 40 bytes. The header field may represent the validity of the data packet; the status field may represent a message status flag; the validity field may indicate the validity of the data packet; the reserved bits may serve protocol byte alignment; the identification bit may distinguish uplink messages from downlink messages; the sequence number may represent the packet number of the data packet; the serial number may represent the serial number of the message; and the timestamp may represent the Beijing time at which the message was sent. The data portion may include the data corresponding to the encrypted sharing request.
The first plaintext data, the first digital signature, and the first digital certificate may be encoded to generate a first target message, and the first target message may be sent to a target device.
Alternatively, the first target message may be generated by: determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate; and combining the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position to generate a first target message.
According to the data encryption transmission method provided by this embodiment, first plaintext data to be transmitted is determined; the first plaintext data is encrypted through a first private key to obtain a first digital signature corresponding to the first plaintext data; a first public key corresponding to the first private key is determined; the first public key is encrypted through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data; and a first target message is generated according to the first plaintext data, the first digital signature and the first digital certificate and sent to target equipment. Therefore, the receiver no longer needs to store a large amount of public key information in its database, which releases resources, and an illegal person who wants to tamper with the information needs to obtain not only the private key of the sender but also the private key of the certificate management mechanism, so that the security of information encryption transmission among different systems is improved.
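The following is an added worked example, not code from the patent or from Bank of China Ltd. It carries steps S201 to S205 (hash the plaintext, encrypt the digest with the sender's private key, have the certificate authority encrypt the sender's public key, assemble header plus data portion) through to the receiving-side verification described in the first aspect (recover the sender's public key from the certificate with the certificate authority's public key, recover the target digest from the signature, compare it with a fresh digest). Everything beyond the patent's description is an assumption: SHA-256 as the hash, textbook RSA with message recovery as the "encrypt with the private key / decrypt with the public key" primitive, fixed Mersenne primes so the keys are reproducible without a key generator (which also makes them useless as real keys), the widths of the 20-byte header fields, length-prefixed fields in the data portion, and a 4-byte expiry in the certificate. A deployment would replace the raw RSA with a vetted library's padded signature scheme and an X.509 certificate; the structure of the check, certificate first and signature second, is what the example is meant to show, including how a tampered plaintext, an expired certificate and a certificate not issued by the certificate authority are rejected.

```python
"""Added worked example (not the patent's own code): the S201-S205 sender flow
and the first-aspect receiver flow of CN117040905A, using textbook RSA with
message recovery and only the Python standard library.

Assumed, not taken from the patent: SHA-256 as the hash, the fixed Mersenne
primes (reproducible without a key generator, therefore illustration only),
the 20-byte header field widths, length-prefixed data fields, a 4-byte expiry."""
import hashlib
import hmac
import struct
import time

E = 65537
KEY_N_LEN = 82                       # bytes reserved for a subject modulus
CERT_PAYLOAD_LEN = KEY_N_LEN + 8     # modulus || e (4 bytes) || not_after (4 bytes)
HEADER = struct.Struct(">BBBBIIQ")   # status, validity, reserved, direction,
                                     # packet seq, serial, timestamp = 20 bytes

def make_keypair(p, q):
    """Public key (n, e) and private exponent d from two primes."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)   # n < 2**648
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**1279 - 1)           # n < 2**1368

def digest(data: bytes) -> bytes:
    """S302: unlimited-length input to a fixed 256-bit digital digest."""
    return hashlib.sha256(data).digest()

def private_transform(payload: bytes, d: int, pub: tuple) -> bytes:
    """'Encrypt with the private key' (RSA with message recovery)."""
    n, _ = pub
    m = int.from_bytes(payload, "big")
    if m >= n:
        raise ValueError("payload must be smaller than the modulus")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def public_transform(blob: bytes, pub: tuple, out_len: int) -> bytes:
    """'Decrypt with the public key'. A forged or corrupted field recovers to
    a value that does not fit out_len and raises OverflowError."""
    n, e = pub
    return pow(int.from_bytes(blob, "big"), e, n).to_bytes(out_len, "big")

def issue_certificate(subject_pub, not_after, ca_priv=CA_PRIV, ca_pub=CA_PUB):
    """S204: the certificate authority encrypts the subject's public key (with
    an expiry) using its own private key; only the CA public key opens it."""
    n, e = subject_pub
    payload = n.to_bytes(KEY_N_LEN, "big") + struct.pack(">II", e, not_after)
    return private_transform(payload, ca_priv, ca_pub)

def build_message(plaintext, sig, cert, seq=1, serial=1):
    """S205: 20-byte header, then plaintext, signature and certificate at
    known positions (each field is length-prefixed)."""
    header = HEADER.pack(0, 1, 0, 0, seq, serial, int(time.time()))
    return header + b"".join(struct.pack(">I", len(f)) + f
                             for f in (plaintext, sig, cert))

def parse_message(msg: bytes):
    """Receiver: split the header and the three data fields."""
    fields, pos = [], HEADER.size
    for _ in range(3):
        (length,) = struct.unpack(">I", msg[pos:pos + 4])
        fields.append(msg[pos + 4:pos + 4 + length])
        pos += 4 + length
    return HEADER.unpack(msg[:HEADER.size]), fields

def send(plaintext: bytes, cert: bytes) -> bytes:
    """S201-S205 on the sender: hash, sign the digest, assemble the message."""
    sig = private_transform(digest(plaintext), SENDER_PRIV, SENDER_PUB)
    return build_message(plaintext, sig, cert)

def verify(msg: bytes, now: int) -> bool:
    """Receiver: CA public key -> sender public key -> target digest, then
    compare with a fresh digest of the received plaintext."""
    _, (plaintext, sig, cert) = parse_message(msg)
    try:
        payload = public_transform(cert, CA_PUB, CERT_PAYLOAD_LEN)
        n = int.from_bytes(payload[:KEY_N_LEN], "big")
        e, not_after = struct.unpack(">II", payload[KEY_N_LEN:])
        if now > not_after:
            return False                      # certificate expired
        target = public_transform(sig, (n, e), 32)
    except (OverflowError, ValueError):       # forged or corrupted field
        return False
    return hmac.compare_digest(target, digest(plaintext))

if __name__ == "__main__":
    # Constructed sample input: an XML transaction record, as in S201.
    xml = b"<txn><acct>0001</acct><amt>100.00</amt></txn>"
    cert = issue_certificate(SENDER_PUB, not_after=2_000_000_000)
    msg = send(xml, cert)
    print("genuine:", verify(msg, now=1_700_000_000))          # True
    tampered = msg.replace(b"100.00", b"999.00")
    print("tampered:", verify(tampered, now=1_700_000_000))    # False
```

The receiver keeps only the certificate authority's public key; the sender's public key travels inside the certificate, which is the storage saving the patent claims. The order of the two recoveries matters: the certificate is opened first, because the sender's public key is not trusted until it has come out of a certificate that the certificate authority's key opens cleanly and whose expiry has been checked. Only then is the signature opened with that key and compared, in constant time, against the digest of the received plaintext.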
Fig. 3 is a flowchart of another data encryption transmission method according to an embodiment of the present application. On the basis of the above embodiment, the method will be described in detail with reference to fig. 3. The method comprises the following steps:
S301, determining first plaintext data to be transmitted.
The execution of S301 may refer to the execution of S201, and will not be described herein.
S302, carrying out hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data.
The first digital digest may be a fixed length value that uniquely corresponds to a message or text, and is generated by computing the message using a single hash function. If the message is changed during transmission, the receiver recalculates the received message by adopting the same hash algorithm, and the newly generated digital digest is compared with the original digital digest, so that the receiver can know whether the message is tampered or not, and the integrity of the message is ensured.
A hash database and a hash function can be obtained; the first plaintext data is input to the hash function, the hash function outputs a hash string, and that hash string is used as the first digital digest of the first plaintext data.
Wherein the hash function may call data in the hash database.
S303, encrypting the first digital digest with the first private key to obtain a first digital signature.
The first private key can be a key known only to the sender, and the first digital digest is encrypted by the key, so that only the receiver with the public key corresponding to the first private key can decrypt and acquire the information of the first digital digest. In this way, the integrity and authenticity of the first plaintext data may be ensured.
S304, determining a first public key corresponding to the first private key.
The execution of S304 may refer to the execution of S203, and will not be described herein.
S305, encrypting the first public key through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data.
The execution of S305 may refer to the execution of S204, and will not be described herein.
S306, determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate.
The first message location may be a location of a field where the first plaintext data is located. The second message location may be the location of the field where the digital signature is located after encryption. The third message location may be the location of the field in which the digital certificate is located after encryption.
For example, the first message position may be fields 1 to 5, the second message position field 6, and the third message position fields 7 and 8.
S307, according to the first message position, the second message position and the third message position, the first plaintext data, the first digital signature and the first digital certificate are combined to generate a first target message.
The message header content can be determined, and the first target message is generated by combining the message header content, the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position.
According to the data encryption transmission method provided by this embodiment, first plaintext data to be transmitted is determined; a hash operation is performed on the first plaintext data to obtain a first digital digest of the first plaintext data; the first digital digest is encrypted with a first private key to obtain a first digital signature; a first public key corresponding to the first private key is determined; the first public key is encrypted with a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data; a first message position of the first plaintext data, a second message position of the digital signature and a third message position of the digital certificate are determined; and the first plaintext data, the first digital signature and the first digital certificate are combined according to the first, second and third message positions to generate a first target message. In this way the receiver does not need to store a large amount of sender public-key information in its database, which frees resources, and an illegal person who wants to tamper with the information must obtain not only the sender's private key but also the private key of the certificate management mechanism, so the security of encrypted information transmission between different systems is improved.
Next, with reference to fig. 4, a process of verifying the second target packet after the current device receives the second target packet sent by the target device will be explained.
Fig. 4 is a flowchart of another data encryption transmission method according to an embodiment of the present application. On the basis of the above embodiment, referring to fig. 4, the method further includes:
S401, receiving a second target message sent by the target device.
The second target message may be generated by the target device.
The structure of the second target message is similar to that of the first target message, and reference may be made to the first target message, which is not described herein.
S402, analyzing the second target message to obtain second plaintext data, a second digital signature and a second digital certificate in the second target message.
Whether the second target message is legal may first be checked; after the second target message is confirmed legal, a message parser is obtained and the second target message is parsed by the message parser to obtain the second plaintext data, the second digital signature and the second digital certificate in the second target message.
S403, carrying out hash operation on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data.
A hash database and a hash function can be obtained; the second plaintext data is input to the hash function, the hash function outputs a hash string, and that hash string is used as the second digital digest of the second plaintext data.
Wherein the hash function may call data in the hash database.
S404, generating a target digital digest according to the second digital signature and the second digital certificate.
The target digital digest may be a digital digest generated by the transmitting device from the second plaintext data. The target digital digest may verify whether the received second plaintext data has been tampered with.
The second digital certificate and the second digital signature are decrypted in turn to obtain the target digital digest.
Alternatively, the target digital digest may be generated by: determining a second public key corresponding to the second private key of the certificate authority; decrypting the second digital certificate with the second public key to obtain a target public key; and decrypting the second digital signature with the target public key to obtain the target digital digest.
S405, judging whether the second digital digest and the target digital digest are identical.
It may be determined whether the second digital digest and the target digital digest are identical to determine the authenticity and integrity of the received second plaintext data.
If yes, executing S406;
if not, S407 is performed.
S406, determining that the verification result is verification passing.
S407, determining that the verification result is that the verification fails.
Alternatively, when the verification result is that the verification fails, an alarm may be issued as follows: a prompt message is sent to the target device, the prompt message indicating that the second plaintext data in the second target message has been tampered with.
According to the data encryption transmission method provided by this embodiment, a second target message sent by the target device is received; the second target message is parsed to obtain second plaintext data, a second digital signature and a second digital certificate in the second target message; a hash operation is performed on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data; a target digital digest is generated from the second digital signature and the second digital certificate; if the second digital digest is the same as the target digital digest, the verification result is determined to be verification passed; and if the second digital digest differs from the target digital digest, the verification result is determined to be verification failed. In this way the receiver does not need to store a large amount of sender public-key information in its database, which frees resources, and an illegal person who wants to tamper with the information must obtain not only the sender's private key but also the private key of the certificate management mechanism, so the security of encrypted information transmission between different systems is improved.
The process of the above-described data encryption transmission will be described in further detail below by way of a specific example on the basis of any of the above-described embodiments with reference to fig. 5.
Fig. 5 is a schematic diagram of another application scenario provided in an embodiment of the present application. Referring to fig. 5, an application scenario may include a first system and a second system, where communication interaction may be performed between the first system and the second system, and both the first system and the second system may be used as an information transmission sender or an information transmission receiver.
Assuming that the first system is a sender of information transfer and the second system is a receiver of information transfer, the first system sends plaintext data to the second system.
The first system performs a hash operation on the plaintext data to obtain a digital digest of the plaintext data, and the digital digest is encrypted with a first private key of the first system to obtain a digital signature. The first public key of the first system is encrypted with the second private key of the certificate management mechanism to obtain a digital certificate corresponding to the plaintext data. A first message position of the plaintext data, a second message position of the digital signature and a third message position of the digital certificate are determined; the plaintext data, the digital signature and the digital certificate are combined according to the first, second and third message positions to generate a first target message, and the first target message is sent to the second system.
The second system receives the first target message, parses it, and obtains the plaintext data, the digital signature and the digital certificate in the first target message. It performs a hash operation on the plaintext data to obtain a digital digest corresponding to the plaintext data; determines a second public key corresponding to the second private key of the certificate authority; decrypts the digital certificate with the second public key to obtain the first public key; decrypts the digital signature with the first public key to obtain a target digital digest; and compares whether the digital digest and the target digital digest are the same. If the digital digest is the same as the target digital digest, the verification result is determined to be verification passed; if the digital digest differs from the target digital digest, the verification result is determined to be verification failed.
According to this data encryption transmission method, the digital digest of the plaintext data is obtained by performing a hash operation on the plaintext data, and the digital digest is encrypted with the first private key of the first system to obtain the digital signature. The first public key of the first system is encrypted with the second private key of the certificate management mechanism to obtain a digital certificate corresponding to the plaintext data. A first message position of the plaintext data, a second message position of the digital signature and a third message position of the digital certificate are determined; the plaintext data, the digital signature and the digital certificate are combined according to the first, second and third message positions to generate a first target message, which is sent to the second system. The second system receives the first target message and parses it to obtain the plaintext data, the digital signature and the digital certificate in the first target message; performs a hash operation on the plaintext data to obtain a digital digest corresponding to the plaintext data; determines a second public key corresponding to the second private key of the certificate authority; decrypts the digital certificate with the second public key to obtain the first public key; decrypts the digital signature with the first public key to obtain a target digital digest; and compares whether the digital digest and the target digital digest are the same. If the digital digest is the same as the target digital digest, the verification result is determined to be verification passed.
Therefore, the second system does not need to store a large amount of public key information in the database, resources are released, if an illegal person wants to tamper with the information, not only the private key of the sender, but also the private key of a certificate management mechanism is needed to be obtained, and the security of information encryption transmission among different systems is improved.
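The sender flow of fig. 3 (S302 to S307), the receiver flow of fig. 4 (S402 to S407) and the two-system scenario of fig. 5 are shown together below in one runnable Go program. This is an added example, not code from the patent or its applicant, and it makes the following assumptions: Ed25519 signatures stand in for "encrypting the digest with the private key"; the digital certificate is the sender's public key together with the certificate authority's signature over it, occupying two fields (the patent's fields 7 and 8), so "decrypting the certificate with the CA public key" becomes a signature check that recovers a trusted sender key; SHA-256 is the hash function; and the message framing (a 4-byte header followed by length-prefixed fields in the stated positions), all function and type names, and the sample plaintext are constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed framing (not from the patent): a 4-byte header, then four length-prefixed
// fields at the message positions: plaintext, signature, cert public key, cert CA signature.
const header = "DET1"

// Certificate stands in for "the public key encrypted with the CA private key":
// the sender public key plus the CA's Ed25519 signature over it (fields 7 and 8).
type Certificate struct {
	PubKey []byte
	CASig  []byte
}

// issueCertificate is the certificate management mechanism's step (S305).
func issueCertificate(caPriv ed25519.PrivateKey, pub ed25519.PublicKey) Certificate {
	return Certificate{PubKey: pub, CASig: ed25519.Sign(caPriv, pub)}
}

// digest is the hash operation of S302 and S403 (SHA-256 assumed).
func digest(plaintext []byte) []byte {
	h := sha256.Sum256(plaintext)
	return h[:]
}

// buildMessage covers S302 to S307: sign the digest with the sender private key,
// then place plaintext, signature and certificate at their message positions.
func buildMessage(senderPriv ed25519.PrivateKey, cert Certificate, plaintext []byte) []byte {
	sig := ed25519.Sign(senderPriv, digest(plaintext))
	var buf bytes.Buffer
	buf.WriteString(header)
	for _, f := range [][]byte{plaintext, sig, cert.PubKey, cert.CASig} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

// parseMessage is the legality check and parsing of S402: every length is bounds-checked
// before use, so a malformed message is rejected rather than crashing the receiver.
func parseMessage(msg []byte) ([][]byte, error) {
	if len(msg) < len(header) || string(msg[:len(header)]) != header {
		return nil, errors.New("bad header")
	}
	rest, fields := msg[len(header):], make([][]byte, 0, 4)
	for len(fields) < 4 {
		if len(rest) < 4 {
			return nil, errors.New("truncated field length")
		}
		n := binary.BigEndian.Uint32(rest[:4])
		if uint64(n) > uint64(len(rest)-4) {
			return nil, errors.New("field length exceeds message")
		}
		fields, rest = append(fields, rest[4:4+n]), rest[4+n:]
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after last field")
	}
	return fields, nil
}

// verifyMessage covers S403 to S407: recompute the digest, validate the certificate with
// the CA public key, then check the signature with the sender key taken from the certificate.
func verifyMessage(caPub ed25519.PublicKey, msg []byte) ([]byte, error) {
	f, err := parseMessage(msg)
	if err != nil {
		return nil, err
	}
	plaintext, sig, senderPub, caSig := f[0], f[1], f[2], f[3]
	if len(senderPub) != ed25519.PublicKeySize {
		return nil, errors.New("certificate carries a malformed public key")
	}
	if !ed25519.Verify(caPub, senderPub, caSig) {
		return nil, errors.New("certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(ed25519.PublicKey(senderPub), digest(plaintext), sig) {
		return nil, errors.New("digest mismatch: plaintext or signature tampered")
	}
	return plaintext, nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)         // certificate authority ("second") key pair
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader) // first system's ("first") key pair
	msg := buildMessage(senderPriv, issueCertificate(caPriv, senderPub), []byte("constructed sample: transfer 100 from A to B"))
	pt, err := verifyMessage(caPub, msg)
	fmt.Printf("plaintext=%q err=%v\n", pt, err)
	msg[len(header)+4] ^= 0x01 // flip one plaintext bit: the receiver must now report failure (S407)
	_, err = verifyMessage(caPub, msg)
	fmt.Println("after tampering:", err)
}
```

The receiver holds only the CA public key, which is the point the patent makes about not storing every sender's public key: a certificate signed by any other key is rejected before the sender's signature is even examined, and a single flipped plaintext bit changes the recomputed digest so the S405 comparison fails. Lengths are validated before any cryptographic call because `ed25519.Verify` panics on a public key of the wrong size, so the size check is part of the "legality" step rather than an afterthought.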
Fig. 6 is a schematic structural diagram of a data encryption transmission device according to an embodiment of the present application. Referring to fig. 6, the data encryption transmission apparatus 600 includes a first determination module 601, a first encryption module 602, a second determination module 603, a second encryption module 604, a generation module 605, and a transmission module 606, wherein:
a first determining module 601, configured to determine first plaintext data to be transmitted;
the first encryption module 602 is configured to encrypt the first plaintext data with a first private key, so as to obtain a first digital signature corresponding to the first plaintext data;
a second determining module 603, configured to determine a first public key corresponding to the first private key;
a second encryption module 604, configured to encrypt the first public key with a second private key of a certificate authority to obtain a first digital certificate corresponding to the first plaintext data;
a generating module 605, configured to generate a first target packet according to the first plaintext data, the first digital signature, and the first digital certificate;
a sending module 606, configured to send the first target packet to a target device.
The data encryption transmission device provided by this embodiment of the application can execute the technical solution shown in the method embodiments; the implementation principle and beneficial effects are similar and are not repeated here.
In one possible implementation, the first encryption module 602 is specifically configured to:
performing hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data;
and carrying out encryption processing on the first digital digest through the first private key to obtain the first digital signature.
In one possible implementation, the generating module 605 is specifically configured to:
determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate;
and combining the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position to generate the first target message.
Fig. 7 is a schematic structural diagram of another data encryption transmission device according to an embodiment of the present application. On the basis of the embodiment shown in fig. 6, referring to fig. 7, the data encryption transmission apparatus 600 further includes:
a receiving module 607, configured to receive a second target packet sent by the target device;
the parsing module 608 is configured to parse the second target packet to obtain second plaintext data, a second digital signature, and a second digital certificate in the second target packet;
the verification module 609 is configured to perform verification processing on the second plaintext data according to the second digital signature and the second digital certificate, so as to obtain a verification result, where the verification result is that verification is passed or verification is failed.
In one possible implementation, the verification module 609 is specifically configured to:
performing hash operation on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data;
generating a target digital digest according to the second digital signature and the second digital certificate;
if the second digital digest is the same as the target digital digest, determining that the verification result is that the verification is passed;
and if the second digital digest is different from the target digital digest, determining that the verification result is that the verification fails.
In one possible implementation, the verification module 609 is specifically configured to:
determining a second public key corresponding to the second private key of the certificate authority;
decrypting the second digital certificate through the second public key to obtain a target public key;
and decrypting the second digital signature through the target public key to obtain the target digital digest.
In one possible embodiment, the apparatus further comprises:
the prompting module 610 is configured to send a prompting message to the target device if the verification result indicates that the verification is not passed, where the prompting message is used to indicate that the second plaintext data in the second target packet is tampered with.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 8, an electronic device 800 may include: a memory 801, a processor 802, and a transceiver 803.
The memory 801 is used for storing program instructions;
the processor 802 is configured to execute the program instructions stored in the memory, so as to cause the electronic device 800 to execute any one of the data encryption transmission methods described above.
The transceiver 803 may include a transmitter and/or a receiver. The transmitter may also be referred to as a transmitting unit, a transmit port, a transmit interface, or the like, and the receiver may also be referred to as a receiving unit, a receive port, a receive interface, or the like. The memory 801, the processor 802, and the transceiver 803 are illustratively interconnected by a bus 804.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer execution instructions, and when the computer execution instructions are executed by a processor, the data encryption transmission method can be realized.
Embodiments of the present application also provide a computer program product executable by a processor, which when executed, implements the above-described data encryption transmission method.
The data encryption transmission device, the electronic device, the computer readable storage medium and the computer program product in the embodiments of the present application can execute the technical scheme shown in the embodiments of the data encryption transmission method, and the implementation principle and the beneficial effects are similar, and are not described herein.
All or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a readable memory. The program, when executed, performs steps including those of the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), random-access memory (RAM), flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk, and any combination thereof.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A data encryption transmission method, comprising:
determining first plaintext data to be transmitted;
encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data;
determining a first public key corresponding to the first private key;
encrypting the first public key through a second private key of a certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data;
and generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate, and sending the first target message to target equipment.
2. The method of claim 1, wherein encrypting the first plaintext data with a first private key to obtain a first digital signature corresponding to the first plaintext data, comprises:
performing hash operation on the first plaintext data to obtain a first digital digest of the first plaintext data;
and carrying out encryption processing on the first digital digest through the first private key to obtain the first digital signature.
3. The method according to claim 1 or 2, wherein generating a first target message from the first plaintext data, the first digital signature, and the first digital certificate comprises:
determining a first message position of the first plaintext data, a second message position of the digital signature, and a third message position of the digital certificate;
and combining the first plaintext data, the first digital signature and the first digital certificate according to the first message position, the second message position and the third message position to generate the first target message.
4. A method according to any one of claims 1-3, wherein the method further comprises:
receiving a second target message sent by the target equipment;
analyzing the second target message to obtain second plaintext data, a second digital signature and a second digital certificate in the second target message;
and carrying out verification processing on the second plaintext data according to the second digital signature and the second digital certificate to obtain a verification result, wherein the verification result is that verification is passed or verification is failed.
5. The method of claim 4, wherein verifying the second plaintext data based on the second digital signature and the second digital certificate, to obtain a verification result, comprises:
performing hash operation on the second plaintext data to obtain a second digital digest corresponding to the second plaintext data;
generating a target digital digest according to the second digital signature and the second digital certificate;
if the second digital digest is the same as the target digital digest, determining that the verification result is that the verification is passed;
and if the second digital digest is different from the target digital digest, determining that the verification result is that the verification fails.
6. The method of claim 5, wherein generating a target digital digest from the second digital signature and the second digital certificate comprises:
determining a second public key corresponding to the second private key of the certificate authority;
decrypting the second digital certificate through the second public key to obtain a target public key;
and decrypting the second digital signature through the target public key to obtain the target digital digest.
7. The method according to any one of claims 4-6, further comprising:
and if the verification result is that the verification is not passed, sending a prompt message to the target equipment, wherein the prompt message is used for indicating that the second plaintext data in the second target message is tampered.
8. A data encryption transmission apparatus, comprising:
the first determining module is used for determining first plaintext data to be transmitted;
the first encryption module is used for encrypting the first plaintext data through a first private key to obtain a first digital signature corresponding to the first plaintext data;
the second determining module is used for determining a first public key corresponding to the first private key;
the second encryption module is used for encrypting the first public key through a second private key of the certificate management mechanism to obtain a first digital certificate corresponding to the first plaintext data;
the generation module is used for generating a first target message according to the first plaintext data, the first digital signature and the first digital certificate;
and the sending module is used for sending the first target message to target equipment.
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
The memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 7.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 7.
CN202311148900.6A 2023-09-07 2023-09-07 Data encryption transmission method, device, equipment and storage medium Pending CN117040905A (en)

Publications (1)

Publication Number Publication Date
CN117040905A true CN117040905A (en) 2023-11-10

Family

ID=88644999


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination