CN118018226A - Data transmission method and related product - Google Patents

Data transmission method and related product Download PDF

Info

Publication number
CN118018226A
CN118018226A CN202211406803.8A CN202211406803A CN118018226A CN 118018226 A CN118018226 A CN 118018226A CN 202211406803 A CN202211406803 A CN 202211406803A CN 118018226 A CN118018226 A CN 118018226A
Authority
CN
China
Prior art keywords
account
authentication code
data
key information
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211406803.8A
Other languages
Chinese (zh)
Inventor
潘蓝兰
闻迪桉
陈振明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd filed Critical Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority to CN202211406803.8A priority Critical patent/CN118018226A/en
Publication of CN118018226A publication Critical patent/CN118018226A/en
Pending legal-status Critical Current

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a data transmission method and related products, the method comprises the following steps: the method comprises the steps that an originating device obtains account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device and a receiving device; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code. The application can solve the problems of longer time delay and reduced communication efficiency of communication establishment in the prior art.

Description

Data transmission method and related product
Technical Field
The embodiment of the application relates to the technical field of terminals, in particular to a data transmission method and related products.
Background
With the development of terminal technology, various terminal devices have been deeply applied to people's lives. For convenience of management, at present, users use the same account number to record information on each terminal device, for example, a mobile phone, an ipad and a bracelet use one user account number to record and manage information.
However, in practice, it is found that the terminal devices with the same account are in communication connection established based on the bidirectional account certificate, which needs to rely on an account certificate mechanism, and specifically needs to check whether the certificate provided by the opposite terminal device is issued by a feasible device, and whether the account identifier in the certificate is the same user account as the terminal device itself, so that the time delay of communication establishment is long, and the communication efficiency is reduced.
Disclosure of Invention
In view of the above, the data transmission method and the related product provided by the embodiments of the present application can solve the problems of longer time delay and reduced communication efficiency in the prior art.
In a first aspect, an embodiment of the present application provides a data transmission method, applied to an originating device, where the method includes:
acquiring account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating equipment and the receiving equipment;
encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code.
In a second aspect, an embodiment of the present application provides another data transmission method, applied to a receiving device, where the method includes:
receiving a data message sent by an originating device, wherein the data message carries encrypted data and a first authentication code, the encrypted data and the first authentication code are obtained by encrypting service data to be transmitted according to shared key information of a user account, and the user account is an account shared by the originating device and a receiving device;
and after the first authentication code is successfully authenticated, decrypting the encrypted data to obtain the service data.
In a third aspect, an embodiment of the present application provides a data transmission system, including an originating device and a receiving device, where:
The originating equipment is used for acquiring account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating equipment and the receiving equipment; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; transmitting a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code;
the receiving device is configured to receive the data message, and decrypt the encrypted data after the authentication of the first authentication code is successful, to obtain the service data.
In a fourth aspect, an embodiment of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program executable on the processor, and the processor implements the method provided in the first aspect or the second aspect of the embodiment of the present application when the processor executes the program.
In a fifth aspect, an embodiment of the present application provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the method provided by the first aspect or the second aspect of the embodiment of the present application.
Compared with the prior art, the application has at least the following beneficial effects:
In the embodiment of the application, an originating device acquires account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device and a receiving device; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code. Therefore, the application can perform mutual data communication based on the account key information of the user account shared by the originating equipment and the receiving equipment, and compared with the prior art, the application avoids account certificates, avoids the problems of unsafe communication caused by hacker invasion to maliciously issue the account certificates, reduces the research and development cost of the terminal, and reduces the storage and maintenance cost of the account key information of the equipment side. Therefore, the data security is ensured, and the convenience and the high efficiency of data transmission can be improved. Meanwhile, the problems of longer time delay and reduced communication efficiency of communication establishment in the prior art can be solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flow chart of issuing an account certificate provided in the prior art.
Fig. 2 is a flow chart of a data transmission method provided in the prior art.
Fig. 3 is a schematic structural diagram of a data transmission system according to an embodiment of the present application.
Fig. 4 is a schematic flow chart of obtaining account key information according to an embodiment of the present application.
Fig. 5 is a flow chart of a data transmission method according to an embodiment of the present application.
Fig. 6 is a flowchart of another data transmission method according to an embodiment of the present application.
Fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application.
Fig. 8 is a schematic structural diagram of another data transmission device according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram of a data transmission system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more apparent, the specific technical solutions of the present application will be described in further detail below with reference to the accompanying drawings in the embodiments of the present application. The following examples are illustrative of the application and are not intended to limit the scope of the application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
It should be noted that the term "first/second/third" in relation to embodiments of the present application is used to distinguish between similar or different objects, and does not represent a particular ordering of the objects, it being understood that the "first/second/third" may be interchanged with a particular order or sequencing, as permitted, to enable embodiments of the present application described herein to be implemented in an order other than that illustrated or described herein.
The applicant has also found in the course of proposing the present application that: in a service scenario of interconnection and interworking between terminal devices (such as video chat facetime of a mobile phone, taking over phone communication of the mobile phone by a tablet ipad), secure communication between different terminal devices bound under the same user account in a near field environment is often involved. Such terminal devices include, but are not limited to, for example, cell phones, tablets, watches, smart speakers, and the like. The communication implementation scheme is as follows:
Fig. 1 is a schematic flow chart of issuing an account certificate in the prior art. The flow shown in fig. 1 includes the following steps:
S101, a user logs in a user account number (U_ID) at a terminal A side, and login authentication is carried out by a server S of an OEM manufacturer.
S102, a user operates on the terminal A, and an account public and private key pair bound with a user account is randomly generated and is marked as (U_A_private_key, U_A_public_key).
S103, the user safely stores an account private key U_A_public_key at the side of the terminal A.
S104, the user sends a certificate issuing request to the server S at the terminal A, wherein the request is used for applying for issuing account certificates. The request carries information such as U_ID and U_A_public_key.
S105, the server S issues an account certificate bound with the terminal A for the user and marks U_A_Cert. The account certificate carries information such as U_ID, U_A_public_key and the like.
S106, the server S returns an account certificate U_A_Cert to the terminal A.
S107, the terminal A securely stores the account certificate U_A_Cert.
In practical application, if the user needs to unbind at the terminal a side in the future, that is, unbind between the terminal a and the user account, the server S will revoke/cancel the account certificate u_a_cert. Similar to the flow shown in fig. 1, the user may also generate an account public-private key pair on the terminal B side, which is denoted as (u_b_private_key, u_b_public_key) and obtain an account certificate u_b_cert, which will not be described herein.
Fig. 2 is a flow chart of a data transmission method according to the prior art. The method as shown in fig. 2 comprises the following implementation steps:
S201, the terminal a initiates a transport layer security protocol (Transport Layer Security, TLS) secure connection request to the terminal B, and the content of the TLS protocol may be correspondingly referred to the related description in the international standard RFC8446, which is not described in detail herein.
S202, the terminal B loads the own account private key U_B_private_key, and returns an account certificate U_B_Cert to the terminal A.
S203, the terminal A checks that the certificate trust chain of the account number certificate U_B_Cert comes from a trusted OEM manufacturer (or can check that the certificate trust chain comes from a server S issuing a certificate), and the user account number U_ID in the certificate is the same as the user account number currently bound by the terminal A. If it is different, the communication is terminated.
S204, the terminal A loads the own account private key U_A_private_key, and returns an account certificate U_A_Cert to the terminal B.
S205, the terminal B checks that the certificate trust chain of the account number certificate U_A_Cert is from a trusted OEM manufacturer, and the user account number U_ID in the certificate is the same as the user account number currently bound by the terminal B. If it is different, the communication is terminated.
S206, after both sides check successfully, the terminal A and the terminal B successfully establish TLS communication connection to carry out safety communication, and the service data of the users and the like can be transmitted mutually.
However, in practice it has been found that the existing solutions have several drawbacks: the judgment of the same account terminal depends on an account certificate mechanism, so that the research and development cost of the terminal side is high. The terminal checks whether the certificate trust chain provided by the opposite communication end is from a trusted OEM manufacturer or not and checks whether the user account number in the certificate is the same as the self account number or not, so that the authentication process is complex and inconvenient, and the communication efficiency is reduced. The communication connection with the account terminal is a TLS connection established based on the bidirectional account certificate, and the communication establishment time delay is long. In addition, since the account certificate is issued by the server S of the OEM manufacturer, if there is a security event such as hacking in the server S, the account certificate u_c_cert may be issued to the terminal C without the knowledge of the user. When the terminal A and the terminal B do not have other auxiliary security mechanisms, a hacker establishes secure communication with the terminal A or the terminal B through a certificate U_C_Cert issued by the intrusion server S, so that user data is leaked, and the security of data transmission is reduced.
In order to solve the above-mentioned problems, the present application provides a data transmission method and related products. The application can derive the general account key information for each device under the same user account, and the same account terminal can carry out safe communication based on the account key information.
First, a system embodiment to which the present application is applicable will be described. Fig. 3 is a schematic structural diagram of a data transmission system according to an embodiment of the present application. The system as shown in fig. 3 includes: the originating device 100 and the terminating device 200 may optionally also include a server 300. Any two devices in the system can communicate with each other through a network according to service requirements.
The originating device 100 of the present application may also be referred to as a sender, and is generally referred to as a source. The sink device 200 may also be referred to as a receiving end, and is generally referred to as a sink end. There is typically interaction of traffic data between the originating device 100 and the receiving device 200, as detailed below in the present application. The originating device 100 and the receiving device 200 in the present application may refer to terminal devices, which may include, but are not limited to, smart phones (such as Android Mobile phones, IOS Mobile phones, etc.), personal computers, tablet computers, palm computers, electronic readers, mobile internet devices (MID, mobile INTERNET DEVICES), wearable smart devices, or other devices with communication functions, etc.
The server 300 of the present application is configured to negotiate corresponding account key information with a terminal device (specifically, the originating device 100 or the receiving device 200), which is described in detail below. The server 300 of the present application may be a local server or a cloud server. The number of the originating device 100, the receiving device 200, and the server 300 is not limited, and may be determined according to actual requirements.
Next, a key derivation embodiment according to the present application will be described. Fig. 4 is a schematic flow chart of obtaining account key information according to an embodiment of the present application. In the drawing, description of related content is given by taking as an example deriving/acquiring account key information by a user on the originating device 100 side, but the description is not limited thereto. The flow shown in fig. 4 includes the following implementation steps:
S401, the sender device 100 sends an account binding request to the server 300, wherein the account binding request carries an account identifier and a user identity code of the user account. Accordingly, the server 300 receives the account binding request.
In a specific implementation, a user logs in to a user account (whose account identifier may be denoted as u_id) on the originating device 100 side, and the server 300 of the device OEM manufacturer performs login authentication. The user inputs a user identification code (Personal identification number, PIN) code at the originating device 100 side, and submits an account binding request to the server 300 based on the PIN code, denoted as u_ KeyPair _ Reqest. In practical applications, the account binding request may carry an account identifier and a PIN code of a user account, and optionally may also carry information such as some public key parameters generated/generated by the originating device 100 based on its own service data.
S402, the server 300 derives key generation parameters based on the account identification of the user account and the user identification code.
The server 300 may derive the corresponding key generation parameter according to the account identifier and the PIN code in combination with other information (such as the secret value s_secret of the server itself) in response to the account binding request. The key generation parameter is used for generating corresponding account key information for the user account.
The application is not limited to the specific embodiment of deriving the key generation parameter, for example, the key generation parameter is generated by a preset key generation algorithm. The key generation algorithm is set by a system or a user in a self-defined way, and the application is not limited.
S403, the server 300 sends an account binding response to the originating device 100. Accordingly, the originating device 100 receives the account binding response, where the account binding response carries a key generation parameter, and the key generation parameter is generated by the server according to the account identifier and the user identity identifier.
The server 300 may generate a corresponding account binding Response, denoted u_ KeyPair _response, based on the key generation parameters. And returns the account binding response to the originating device 100. In practical application, the account binding response carries at least a key generation parameter, and optionally other information can be carried according to practical requirements.
S404, the originating device 100 derives the account key information based on the key generation parameters.
After obtaining the account binding response, the originating device 100 of the present application can generate corresponding account key information for the user account according to the key generation parameters in the response and in combination with other information (such as the private key parameters generated by initializing the originating device 100, etc.). The account key information may include an account public-private key pair (specifically including an account shared private key and an account shared public key), denoted as (u_private_key, u_public_key); and the account symmetric key is marked as U_symmetry_key and other information.
The present application is not limited to the embodiment of deriving the account key information, and may be derived by, for example, a derivation mechanism defined in OPAQUE, which is an international standard.
S405, the originating device 100 securely stores the account shared private key and the account symmetric key.
In the application, the user can safely store the account sharing private key U_private_key and the account symmetric key U_symmetric_key at the side of the originating device 100.
S406, the sender device 100 sends the account sharing public key to the server 300. Accordingly, the server 300 receives and saves the account shared public key.
The user may securely submit the account shared public key u_public_key to the server 300 at the originating device 100. In practical applications, if the future user unbinds on the side of the originating device 100, that is, unbinds the originating device 100 and the user account, the server 300 may delete the account shared public key u_public_key. If the user needs to modify the PIN code, the user needs to renegotiate with the server 300 at the originating device 100 side to generate new account key information. Similar to the flow shown in fig. 4, the user may also negotiate with the server 300 to obtain the account key information of the user account on the receiving device 200 side, which is not described herein.
Based on the foregoing embodiments, please refer to fig. 5, which is a flowchart illustrating a data transmission method according to an embodiment of the present application. The method as shown in fig. 5 comprises the following implementation steps:
S501, the originating device 100 acquires account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device 100 and the receiving device 200.
The embodiment of the present application for obtaining account key information is not limited, and for example, the process shown in fig. 4 may be used to obtain account key information of a user account. The account key information related to the present application refers to information related to a user account, which may include, but is not limited to, information such as an account public-private key pair (specifically may include an account shared public key and an account shared private key) and an account symmetric key of the user account.
The application also does not limit the acquisition implementation of the service data, for example, the service data to be transmitted is directly acquired from the database, and the data corresponding to the selection operation is used as the service data to be transmitted after the selection operation of the user is detected.
S502, the originating device 100 encrypts the service data and calculates an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code.
S503, the originating device 100 sends a data message to the receiving device 200, where the data message carries the encrypted data and the first authentication code. Accordingly, the sink device 200 receives the data message.
S504, after the authentication of the first authentication code is successful, the receiving end device 200 decrypts the encrypted data to obtain the service data.
The first authentication code of the present application is used to authenticate the identity of the originating device 100. After the authentication is successful, the receiving device 200 may parse the encrypted data to obtain the service data sent by the originating device 10.
By implementing the embodiment of the application, the originating device acquires account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device and the receiving device; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code. Therefore, the application can perform mutual data communication based on the account key information of the user account shared by the originating equipment and the receiving equipment, and compared with the prior art, the application avoids account certificates, avoids the problems of unsafe communication caused by hacker invasion to maliciously issue the account certificates, reduces the research and development cost of the terminal, and reduces the storage and maintenance cost of the account key information of the equipment side. Therefore, the data security is ensured, and the convenience and the high efficiency of data transmission can be improved. Meanwhile, the problems of longer time delay and reduced communication efficiency of communication establishment in the prior art can be solved.
Fig. 6 is a flowchart of another data transmission method according to an embodiment of the present application. The method as shown in fig. 6 comprises the following implementation steps:
s601, the sender device 100 acquires account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, the user account is an account shared by the sender device 100 and the receiver device 200, and the account key information comprises an account shared public key and an account symmetric key.
S602, the originating device 100 encrypts the service data according to the account sharing public key to obtain encrypted data.
The specific implementation mode of encryption is not limited, for example, a preset encryption algorithm can be adopted to carry out digital Envelope encryption on the service Data by using an account shared public key U_public_key, so as to obtain encrypted Data, and the encrypted Data is recorded as data_environment. The encryption algorithm is a system custom set encryption algorithm that may include, but is not limited to, digital envelope functions/algorithms, etc., as specified in, for example, the international standard ECIES.
S603, the sender device 100 calculates an authentication code of the encrypted data according to the account symmetric key to obtain a first authentication code.
The application can use the account symmetric key U_symmetric_key to calculate the message authentication code of the encrypted Data data_Envelope, and obtain a first authentication code which is marked as data_Envelope_MAC. The specific embodiment of the authentication code calculation is not limited in the present application, and for example, the authentication code function calculation is obtained by adopting the related message specified in the international standard HMAC and CMAC.
S604, the originating device 100 sends a data message to the receiving device 200, where the data message carries the encrypted data and the first authentication code.
The originating device 100 of the present application may transmit the above-described encrypted Data data_en velope and the first authentication code data_en velope_mac to the terminating device 200. Specifically, the above-mentioned encrypted Data data_Envelope and the first authentication code data_Envelope_MAC may be carried in a Data message and sent to the sink device 200. Accordingly, the sink device 200 may receive the encrypted Data and the first authentication code and correspondingly record as (recv_data_environment, recv_data_environment_mac).
S605, the receiving end device 200 acquires account key information of the user account, wherein the account key information at least comprises an account symmetric key and an account sharing private key.
In the present application, the embodiment of obtaining account key information by the receiving end device 200 is not limited, for example, after the receiving end device 200 establishes mutual trust with the transmitting end device 100 in one example, account key information of the user account may be obtained from the transmitting end device 100 side. In another example, the receiving device 200 may negotiate with the server 300 to obtain the account key information of the user account using a procedure similar to that described above with respect to fig. 4. The content of the account key information may correspond to the related description in the foregoing embodiment, and will not be described herein.
S606, the receiving device 200 calculates an authentication code of the encrypted data according to the account symmetric key to obtain a second authentication code.
The receiving device 200 calculates a message authentication code of the received encrypted Data recv_data_environment by using the account symmetric key u_symmetric_key, and obtains a second authentication code, which is denoted as data_environment_mac2.
S607, the sink device 200 authenticates the first authentication code based on the second authentication code.
The sink device 200 compares the first authentication code recv_data_environment_mac with the second authentication code data_environment_mac2. When the first authentication code and the second authentication code are the same, it may be determined that the authentication of the first authentication code is successful, and the step S608 is continued. Otherwise, when the first authentication code and the second authentication code are different, it may be determined that the authentication of the first authentication code fails, and step S609 is continued.
And S608, after the first authentication code is successfully authenticated, the receiving end device 200 decrypts the encrypted data according to the account sharing private key to obtain the service data.
The sink device 200 decrypts the received encrypted Data recv_data_environment using the account shared private key u_private_key, thereby obtaining the service Data transmitted by the source device 100.
The application is not limited to the specific implementation mode of decryption, for example, decryption is performed by adopting a preset decryption algorithm, and the decryption algorithm is set by a system or a user in a self-defining way, and the application is not limited to the specific implementation mode.
S609, after the authentication of the first authentication code fails, the receiving end device 200 sends a failure message to the originating end device 100, where the failure message is used to indicate that the service data sending fails. Accordingly, the originating device 100 receives the failure message.
S610, after receiving the failure message sent by the sink device 200, the source device 100 repeatedly executes the steps of S601 to S609.
After the authentication of the first authentication code fails, the receiving end device 200 may return a failure message to the sending end device 100 to inform that the sending of the service data fails, and terminate the communication. After receiving the failure message, the originating device 100 may repeatedly perform the steps S601 to S609 described above, and again encrypt and transmit the service data. The descriptions or details not described in the embodiments of the present application may be referred to the related descriptions in the foregoing embodiments, which are not repeated herein.
The application provides a lightweight secure communication scheme of the same-account terminal, which derives account key information (such as an account public-private key pair) common to all terminal devices under a user account by a mode that a user inputs a PIN code and a server cooperates with each other, so that secure communication can be established between different devices under the user account based on the account key information. In the traditional certificate scheme, the risk that a hacker invades the server to maliciously issue the user account certificate is avoided. Compared with the existing account and certificate chain security check and in-certificate account identification comparison mechanism, the method reduces the research and development cost of terminal equipment and reduces the cost of account key storage and maintenance at the equipment side. In addition, the application establishes two-way safety communication with each terminal equipment under the account based on the account key information, and the adopted communication protocol is not limited, for example, international standard SIGMA protocol and the like can be selected. In addition, the application establishes the secure communication by adopting a digital envelope and message authentication code mechanism supporting the lightweight, and compared with the traditional TLS connection established by the bidirectional account certificate, the application effectively reduces the size of a data packet and reduces the time delay of connection establishment.
That is, the application can perform data communication with each other based on the account key information of the user account shared by the originating device and the receiving device, compared with the prior art, the application avoids account certificates, avoids the problem that hackers invade to maliciously issue the account certificates and the communication is unsafe, reduces the research and development cost of the terminal, and reduces the storage and maintenance cost of the account key information of the device side. Therefore, the data security is ensured, and the convenience and the high efficiency of data transmission can be improved. Meanwhile, the problems of longer time delay and reduced communication efficiency of communication establishment in the prior art can be solved.
It should be understood that, although the steps in the flowcharts of fig. 4 to 6 are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps of fig. 4-6 may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor does the order in which the sub-steps or stages are performed necessarily occur in sequence, but may be performed alternately or alternately with at least a portion of other steps or sub-steps or stages of other steps.
Based on the foregoing embodiments, the embodiments of the present application provide several possible data transmission apparatuses, where the apparatuses include modules included, and units included in the modules may be implemented by a processor; of course, the method can also be realized by a specific logic circuit; in an implementation, the processor may be a Central Processing Unit (CPU), a Microprocessor (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
Fig. 7 is a schematic structural diagram of a data transmission device according to an embodiment of the present application. The apparatus shown in fig. 7 is applied to the originating device 100, and the apparatus includes an acquisition module 701, a calculation module 702, and a sending module 703; wherein:
the acquiring module 701 is configured to acquire account key information and service data to be transmitted, where the account key information is shared key information of a user account, and the user account is an account shared by the originating device and the receiving device;
The computing module 702 is configured to encrypt the service data and compute an authentication code according to the account key information, so as to obtain corresponding encrypted data and a first authentication code;
The sending module 703 is configured to send a data message to the receiving device, where the data message carries the encrypted data and the first authentication code.
Fig. 8 is a schematic structural diagram of another data transmission device according to an embodiment of the present application. The apparatus shown in fig. 8 is applied to the sink device 200, and includes a receiving module 801 and a processing module 802; wherein:
The receiving module 801 is configured to receive a data message sent by an originating device, where the data message carries encrypted data and a first authentication code, where the encrypted data and the first authentication code are both obtained by encrypting service data to be transmitted according to shared key information of a user account, and the user account is an account shared by the originating device and a receiving device;
the processing module 802 is configured to decrypt the encrypted data after the authentication of the first authentication code is successful, so as to obtain the service data.
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus of the present application, please refer to the description of the embodiments of the method of the present application.
It should be noted that, in the embodiments of the present application, the division of modules by the data processing apparatus shown in fig. 7 and fig. 8 is schematic, and is merely a logic function division, and another division manner may be implemented in practical implementation. In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units. Or in a combination of software and hardware.
It should be noted that, in the embodiment of the present application, if the method is implemented in the form of a software functional module, and sold or used as a separate product, the method may also be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the related art, embodied in the form of a software product stored in a storage medium, including several instructions for causing an electronic device to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
The embodiment of the application provides a data transmission system, which comprises an originating device 100 and a receiving device 200. Optionally, a server 300 (not shown) may also be included. The originating device 100 and the receiving device 200 may be computer devices, and the internal structure thereof may be as shown in fig. 9. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data transmission method.
An embodiment of the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method provided in the above-described embodiment.
Embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the method provided by the method embodiments described above.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 9 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, the apparatus provided by the present application may be implemented in the form of a computer program that is executable on a receiving device or an originating device as shown in fig. 9. The memory of the device may store various program modules constituting the sampling apparatus, such as an acquisition module, a calculation module, and a transmission module shown in fig. 7, and a reception module and a processing module shown in fig. 8. The computer program constituted by the respective program modules causes the processor to execute the steps in the data processing method of the respective embodiments of the present application described in the present specification.
In one embodiment, there is provided an originating device 100 comprising a memory storing a computer program and a processor that when executing the computer program performs the steps of:
acquiring account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating equipment and the receiving equipment;
encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code.
In one embodiment, the account key information includes an account shared public key and an account symmetric key, and the encrypting the service data and calculating the authentication code according to the account key information, to obtain the corresponding encrypted data and the first authentication code includes:
encrypting the service data according to the account sharing public key to obtain encrypted data;
and carrying out authentication code calculation on the encrypted data according to the account symmetric key to obtain a first authentication code.
In one embodiment, the processor when executing the computer program further performs the steps of:
And after receiving the failure message sent by the receiving terminal equipment, repeating the steps of acquiring the account key information and the service data to be transmitted.
In one embodiment, before the account key information is obtained, the processor further performs the following steps when executing the computer program:
An account binding request is sent to a server, wherein the account binding request carries an account identifier and a user identity identification code of the user account;
Receiving an account binding response returned by the server, wherein the account binding response carries a key generation parameter, and the key generation parameter is generated by the server according to the account identifier and the user identity identifier;
And deriving the account key information based on the key generation parameters.
In one embodiment, the account key information includes an account shared public key, and the processor when executing the computer program further performs the steps of:
and sending the account shared public key to the server.
In one embodiment, there is provided a sink device 200 comprising a memory storing a computer program and a processor which when executing the computer program performs the steps of:
receiving a data message sent by an originating device, wherein the data message carries encrypted data and a first authentication code, the encrypted data and the first authentication code are obtained by encrypting service data to be transmitted according to shared key information of a user account, and the user account is an account shared by the originating device and a receiving device;
and after the first authentication code is successfully authenticated, decrypting the encrypted data to obtain the service data.
In one embodiment, the account key information further includes an account shared private key, and the decrypting the encrypted data to obtain the service data includes:
And decrypting the encrypted data according to the account sharing private key to obtain the service data.
In one embodiment, the processor when executing the computer program further performs the steps of:
And after the authentication of the first authentication code fails, sending a failure message to the originating equipment, wherein the failure message is used for indicating that the service data transmission fails.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon which, when executed by a processor, implements some or all of the methods described above.
By implementing the embodiment of the application, the originating device acquires account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating device and the receiving device; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code. Therefore, the application can perform mutual data communication based on the account key information of the user account shared by the originating equipment and the receiving equipment, and compared with the prior art, the application avoids account certificates, avoids the problems of unsafe communication caused by hacker invasion to maliciously issue the account certificates, reduces the research and development cost of the terminal, and reduces the storage and maintenance cost of the account key information of the equipment side. Therefore, the data security is ensured, and the convenience and the high efficiency of data transmission can be improved. Meanwhile, the problems of longer time delay and reduced communication efficiency of communication establishment in the prior art can be solved.
It should be noted here that: the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments described above, with similar benefits as the method embodiments. For technical details not disclosed in the storage medium, the storage medium and the device embodiments of the present application, please refer to the description of the method embodiments of the present application.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" or "some embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments. The foregoing description of various embodiments is intended to highlight differences between the various embodiments, which may be the same or similar to each other by reference, and is not repeated herein for the sake of brevity.
The term "and/or" is herein merely an association relation describing associated objects, meaning that there may be three relations, e.g. object a and/or object B, may represent: there are three cases where object a alone exists, object a and object B together, and object B alone exists.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments are merely illustrative, and the division of the modules is merely a logical function division, and other divisions may be implemented in practice, such as: multiple modules or components may be combined, or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or modules, whether electrically, mechanically, or otherwise.
The modules described above as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; can be located in one place or distributed to a plurality of network units; some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated in one processing unit, or each module may be separately used as one unit, or two or more modules may be integrated in one unit; the integrated modules may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
Or the above-described integrated units of the application may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the related art, embodied in the form of a software product stored in a storage medium, including several instructions for causing an electronic device to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The methods disclosed in the method embodiments provided by the application can be arbitrarily combined under the condition of no conflict to obtain a new method embodiment.
The features disclosed in the several product embodiments provided by the application can be combined arbitrarily under the condition of no conflict to obtain new product embodiments.
The features disclosed in the embodiments of the method or the apparatus provided by the application can be arbitrarily combined without conflict to obtain new embodiments of the method or the apparatus.
The foregoing is merely an embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A data transmission method, applied to an originating device, the method comprising:
acquiring account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating equipment and the receiving equipment;
encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code;
and sending a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code.
2. The method of claim 1, wherein the account key information includes an account shared public key and an account symmetric key, wherein the encrypting the service data and calculating the authentication code according to the account key information to obtain the corresponding encrypted data and the first authentication code includes:
encrypting the service data according to the account sharing public key to obtain encrypted data;
and carrying out authentication code calculation on the encrypted data according to the account symmetric key to obtain a first authentication code.
3. The method according to claim 2, wherein the method further comprises:
And after receiving the failure message sent by the receiving terminal equipment, repeating the steps of acquiring the account key information and the service data to be transmitted.
4. The method of claim 1, wherein prior to the obtaining account key information, the method further comprises:
An account binding request is sent to a server, wherein the account binding request carries an account identifier and a user identity identification code of the user account;
Receiving an account binding response returned by the server, wherein the account binding response carries a key generation parameter, and the key generation parameter is generated by the server according to the account identifier and the user identity identifier;
And deriving the account key information based on the key generation parameters.
5. The method of claim 4, wherein the account key information comprises an account shared public key, the method further comprising:
and sending the account shared public key to the server.
6. A data transmission method, applied to a receiving device, the method comprising:
receiving a data message sent by an originating device, wherein the data message carries encrypted data and a first authentication code, the encrypted data and the first authentication code are obtained by encrypting service data to be transmitted according to shared key information of a user account, and the user account is an account shared by the originating device and a receiving device;
and after the first authentication code is successfully authenticated, decrypting the encrypted data to obtain the service data.
7. The method of claim 6, wherein prior to decrypting the encrypted data, the method further comprises:
acquiring account key information of the user account, wherein the account key information at least comprises an account symmetric key;
Performing authentication code calculation on the encrypted data according to the account symmetric key to obtain a second authentication code;
When the first authentication code and the second authentication code are the same, determining that the authentication of the first authentication code is successful;
and determining that the first authentication code fails to authenticate when the first authentication code and the second authentication code are different.
8. The method of claim 7, wherein the account key information further comprises an account shared private key, and wherein decrypting the encrypted data to obtain the service data comprises:
And decrypting the encrypted data according to the account sharing private key to obtain the service data.
9. The method according to any one of claims 6-8, further comprising:
And after the authentication of the first authentication code fails, sending a failure message to the originating equipment, wherein the failure message is used for indicating that the service data transmission fails.
10. A data transmission system comprising an originating device and a receiving device, wherein:
The originating equipment is used for acquiring account key information and service data to be transmitted, wherein the account key information is shared key information of a user account, and the user account is an account shared by the originating equipment and the receiving equipment; encrypting the service data and calculating an authentication code according to the account key information to obtain corresponding encrypted data and a first authentication code; transmitting a data message to the receiving end equipment, wherein the data message carries the encrypted data and the first authentication code;
the receiving device is configured to receive the data message, and decrypt the encrypted data after the authentication of the first authentication code is successful, to obtain the service data.
11. A computer device comprising a memory and a processor, the memory storing a computer program executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 5 or implements the method of any one of claims 6 to 9 when the program is executed.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any one of claims 1 to 5 or implements the method of any one of claims 6 to 9.
CN202211406803.8A 2022-11-10 2022-11-10 Data transmission method and related product Pending CN118018226A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211406803.8A CN118018226A (en) 2022-11-10 2022-11-10 Data transmission method and related product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211406803.8A CN118018226A (en) 2022-11-10 2022-11-10 Data transmission method and related product

Publications (1)

Publication Number Publication Date
CN118018226A true CN118018226A (en) 2024-05-10

Family

ID=90958642

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211406803.8A Pending CN118018226A (en) 2022-11-10 2022-11-10 Data transmission method and related product

Country Status (1)

Country Link
CN (1) CN118018226A (en)

Similar Documents

Publication Publication Date Title
US11765172B2 (en) Network system for secure communication
US10326797B1 (en) Provisioning a secure connection using a pre-shared key
RU2734294C2 (en) Method and system for distributing keys between a server and a medical device
US10652738B2 (en) Authentication module
US20160269176A1 (en) Key Configuration Method, System, and Apparatus
US8868909B2 (en) Method for authenticating a communication channel between a client and a server
WO2015149723A1 (en) Method, device and system for establishing secure connection
US11736304B2 (en) Secure authentication of remote equipment
US7689211B2 (en) Secure login method for establishing a wireless local area network connection, and wireless local area network system
US20110131640A1 (en) Secure transfer of data
US20120137132A1 (en) Shared secret establishment and distribution
US8397281B2 (en) Service assisted secret provisioning
CN108809907B (en) Certificate request message sending method, receiving method and device
US20160021101A1 (en) Method for backing up a user secret and method for recovering a user secret
CN111756528A (en) Quantum session key distribution method and device and communication architecture
CN107104888B (en) Safe instant messaging method
EP3624394B1 (en) Establishing a protected communication channel through a ttp
CN107819751A (en) A kind of safe automated log on management system
CN118018226A (en) Data transmission method and related product
JP2009104509A (en) Terminal authentication system and terminal authentication method
WO2016003310A1 (en) Bootstrapping a device to a wireless network
CN111404670A (en) Key generation method, UE and network equipment
US20230297708A1 (en) System and method for managing data-file transmission and access right to data files
Yoon et al. Security enhancement scheme for mobile device using H/W cryptographic module
FI115097B (en) Circuit authentication method in online data communication, involves forming authentication key for encrypting client credentials independent of client response using client's secret

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination