CN101247232B - Encryption technique method based on digital signature in data communication transmission - Google Patents


Publication number: CN101247232B
Authority: CN (China)
Prior art keywords: module, file, agent side, data, certificate
Legal status: Expired - Fee Related
Application number: CN200810035274A
Other languages: Chinese (zh)
Other versions: CN101247232A
Inventors: 计岩平, 陈铭, 袁文聪, 童茵, 陈任, 张彬, 李晓丹
Current assignee: SHANGHAI JINXIN COMPUTER SYSTEM ENGINEERING Co Ltd
Original assignee: SHANGHAI JINXIN COMPUTER SYSTEM ENGINEERING Co Ltd
Events:
Application filed by SHANGHAI JINXIN COMPUTER SYSTEM ENGINEERING Co Ltd
Priority to CN200810035274A
Publication of CN101247232A
Application granted
Publication of CN101247232B

Landscapes: Storage Device Security (AREA)

Abstract

An electronic-product service method in the field of information technology, in particular a method for realising digital-signature-based encryption in the data exchange transmission process between heterogeneous systems, mainly applied as a digital-signature-based encryption method for data exchange transmission in web services. The method uses the Simple Object Access Protocol (SOAP), through web services, to carry out web-service filtering and data exchange and to obtain end-to-end message-level security; in the data-sharing exchange process it digitally signs and encrypts the Extensible Markup Language (XML) payload, realising data security through data encryption, digital certificates and secure web services; it mainly solves related technical problems such as confidentiality, integrity and consistency in the information transfer process. The positive effect of the present invention is that adopting encryption technology based on digital signatures secures the confidentiality, integrity and consistency of the information transfer process, with advantages such as convenient use and improved service quality.

Description

Encryption method based on digital signatures for data exchange transmission
Technical field
The present invention relates to an electronic-product service method in the field of information technology. It is intended in particular to realise digital-signature-based encryption in the data exchange transmission process between heterogeneous systems, and is mainly used in web services. When the Simple Object Access Protocol (SOAP) is used for data exchange, the Extensible Markup Language (XML) is encoded in plaintext by default, so the confidentiality of information in transit is at risk; adopting encryption technology based on digital signatures therefore guarantees the confidentiality, integrity and consistency of the information exchange process.
Background art
Secure web services are a necessary guarantee for the success of web services. It is well known, however, that web services use the Simple Object Access Protocol (SOAP) and exchange data based on the Extensible Markup Language (XML), and XML is encoded in plaintext; at the same time, most web services use the Hypertext Transport Protocol (HTTP) as their transport protocol, and HTTP likewise transmits data in cleartext. The confidentiality of message transmission is therefore at risk, and the basic security requirements cannot be met:
Confidentiality guarantees the secrecy of data. It is typically realised with encryption: an encryption algorithm converts the plaintext into ciphertext, and the corresponding decryption algorithm converts the ciphertext back into plaintext.
Data integrity guarantees that data is protected from accidental or intentional (malicious) tampering. Integrity is normally provided by a message authentication code or a cryptographic hash.
Authentication determines the source of data. Digital certificates are used to provide authentication. Digital signatures are usually applied to cryptographic hashes, because these values are much smaller than the source data they represent.
In December 2002, IBM, Microsoft and VeriSign jointly issued a standard on web-services security, WS-Security. This specification describes how signature and encryption headers are attached to SOAP messages, and provides web-service developers with a set of mechanisms for protecting SOAP message exchanges.
Two different types of encryption technology exist at present:
One type is symmetric encryption, in which both parties share a key and can only communicate when both know it. It is usually applied in isolated environments; when the number of users is large, this mechanism becomes unreliable. Common algorithms: DES (Data Encryption Standard), TripleDES (3DES), Rijndael, RC2, etc.
The other type is asymmetric encryption, also referred to as public-key encryption (PKI, Public Key Infrastructure). The key consists of a public-key/private-key pair: encryption is done with the private key and decryption with the public key, but because the private key cannot be derived from the public key, disclosing the public key does not compromise the security of the private key. The public key need not be kept secret and can be distributed openly, while the private key must be kept secret. Common algorithms: DSA (Digital Signature Algorithm), RSA, etc.
A digital signature is an emerging security technique used to guarantee the integrity of information; it ensures that the information is inviolable and can solve problems such as repudiation, forgery, tampering and impersonation. In practice it transforms the information to be transmitted using the sender's private key. Common algorithms: hash functions, DSS, RSA, etc.
Public-key information and user information are usually kept in a digital certificate. A digital certificate is a piece of data containing the user's identity information, the user's public-key information and the digital signature of the certification authority. The certification authority's digital signature guarantees the authenticity of the certificate information, the user's public-key information guarantees the integrity of the transmitted digital information, and the user's digital signature guarantees the non-repudiation of the digital information. X.509 v3 is a widely accepted standard for the layout of the public-key certificate format and is applied in many network-security settings.
Because China's information technology has flourished in recent years and the data-integration requirements between heterogeneous subsystems are increasingly demanding, how to guarantee the confidentiality, integrity, security and consistency of data content during shared data exchange has become a problem that has to be thought through.
Summary of the invention
To overcome the above shortcomings, the main purpose of the present invention is to provide an encryption method based on digital signatures that can be realised in the data exchange process according to the international web-services security standard: SOAP is used, through web services, to carry out web-service filtering and data exchange; secure web services are achieved through data encryption and digital certificates in the data-sharing exchange process; and VeriSign, Inc.'s trust services integration toolkit, with HTTP as the transport protocol, is adopted to support the digital signing, verification, encryption and decryption of SOAP packets in the data exchange transmission of this digital-signature-based encryption method.
Another purpose of the present invention is to use data encryption and digital certificates to meet the network-security service requirements of shared data exchange. When the digital-certificate method is used, the web-service requester must hold a digital certificate signed by a trusted certification authority; the requester uses this certificate to show its identity and digitally signs the SOAP message. Once the receiving system has received the message, it can timestamp it, write a log record and verify the message. The verification process ensures that the message came from the sender and that the message content has not been tampered with in transit.
The information is signed and then encrypted, and only then is it propagated over the network; in this way, even if a third party obtains the encrypted transmission, it cannot decrypt it.
The technical problems the present invention solves are: mainly, how to guarantee the confidentiality, integrity and consistency of the information exchange process during data exchange transmission between heterogeneous systems; how to obtain end-to-end message-level security through web services; and related technical problems such as how to accomplish the digital signing, verification, encryption and decryption of SOAP packets.
The technical solution adopted by the present invention is as follows. The method runs in the data exchange transmission process between heterogeneous systems; it uses SOAP, through web services, to carry out web-service filtering and data exchange, obtaining end-to-end message-level security; through data encryption, digital certificates and secure web services in the data-sharing exchange process, XML is digitally signed and encrypted to realise data security; and VeriSign's trust services integration toolkit, with HTTP as the transport protocol, is adopted to support the digital signing, verification, encryption and decryption of SOAP packets. The workflow of the secure web service in this data-sharing exchange process specifically comprises the following steps:
Step 1: Write the certificate script
Following the usage specification of VeriSign's trust services integration toolkit, write the digital-certificate generation script; this is the write-certificate-script module.
Step 2: Execute the script
After the write-certificate-script module has run, its output signal is delivered to the execute-script module.
Step 3: Generate the certificates
After the execute-script module has run, its output signal is delivered to the generate-certificate module. The digital-certificate script generates four files: the server-side file bms.keystore, the agent-side file bmc.keystore, the server trust file bms.truststore and the agent-side trust file bmc.truststore.
Step 4: The client deploys the agent-side file and the server trust file
After the generate-certificate module has run, its output signal is split into two paths. One path is delivered to the module in which the client deploys the agent-side file and the server trust file: the two files bmc.keystore (agent-side file) and bms.truststore (server trust file) are deployed for the web-service client.
Step 5: The server deploys the server-side file and the agent-side trust file
After the generate-certificate module has run, the other path of its output signal is delivered to the module in which the server deploys the server-side file and the agent-side trust file: the two files bms.keystore (server-side file) and bmc.truststore (agent-side trust file) are deployed for the server.
Step 6: Use the agent-side file to obtain a digital signature
After the client-deployment module has run, the method enters the module that uses the agent-side file to obtain a digital signature: when the client calls the interface, it signs digitally with the private key from the agent-side file bmc.keystore.
Step 7: Use the server trust file to encrypt
After the module that obtains the digital signature has run, the method enters the module that encrypts with the server trust file, whose output signal is delivered to the server-deployment module; the SOAP packet is encrypted with the public key from the server trust file bms.truststore.
Step 8: Use the agent-side trust file to decrypt
After the server-deployment module has run, the method enters the module that decrypts with the agent-side trust file: when the response is processed, the SOAP packet is decrypted with the private key from the agent-side file bmc.keystore.
Step 9: Use the server-side file to verify the digital signature
After the agent-side decryption module has run, the method enters the module that verifies the digital signature with the server-side file: the digital signature is verified with the public key from the server trust file bms.truststore.
In the data exchange transmission method described, the digital signing and encryption work of the digital-signature-based encryption method is based on Apache AXIS (Apache eXtensible Interaction System). Transmission and reception are completed between the client and server A, which are electrically connected through the encrypted-SOAP-packet module and the HTTP transport protocol, where:
The client comprises: a module that signs the SOAP message with a digital certificate, a module that encrypts the SOAP message, and an encryption-function module. The output signal of the module that signs the SOAP message with a digital certificate is delivered to the input of the SOAP-message encryption module, and the output signal of the encryption-function module is delivered to the input of the SOAP-message encryption module.
Server A comprises: a module that verifies the digital certificate, a module that decrypts the SOAP message, and a decryption-function module. The output signal of the digital-certificate verification module is delivered to the input of the SOAP-message decryption module, and the output signal of the decryption-function module is delivered to the input of the SOAP-message decryption module. The digital signing and encryption work comprises the following steps:
Step 1: Client
The SOAP message is encrypted through the signature function at the client.
Step 2: Encryption process
During encryption, first obtain the private key and the related certificate, then sign the SOAP message, and finally send the signed file to the server through the HTTP transport protocol.
Step 3: Server A
Server A verifies the signed SOAP message through the data-verification function.
Step 4: Decryption process
After verification, the document is decrypted according to the private key and the related certificate.
In the data exchange transmission method described, the web-service filtering of the digital-signature-based encryption method comprises: an agent side and server B, which are electrically connected through request and response signals, where:
The agent side comprises: digital-certificate authentication, digital-certificate authorisation, content-encryption and logging modules, which are electrically connected in parallel.
Server B comprises: digital-certificate verification, content-decryption and web-service cache modules, which are electrically connected in parallel. The web-service filtering work comprises the following steps:
A) Authenticate and authorise the client;
B) Write the user's access to the system log;
C) Encrypt and decrypt the requested SOAP message;
D) Cache the web-service objects.
A device for the digital-signature-based encryption technology in data exchange transmission has business systems, a central database and business databases, and further comprises business system A, a data center and business system B. Shared folder A in business system A and shared folder B in business system B are electrically connected to each other; data agent A in business system A and the data switching center in the data center are electrically connected to each other; the data switching center in the data center and data agent B in business system B are electrically connected to each other; where:
In business system A, shared folder A, data agent A and business database A are connected in sequence; shared folder A, data agent A and business database A are electrically connected to each other, and shared folder A and shared folder B are electrically connected to each other;
In the data center, the central database and the data switching center are connected in sequence and are electrically connected to each other;
In business system B, shared folder B, data agent B and business database B are connected in sequence; shared folder B, data agent B and business database B are electrically connected to each other, and data agent B and the data switching center are electrically connected to each other.
The beneficial effects of the invention are: the method provides a secure web-service implementation in the data-sharing exchange process that lets applications build secure SOAP message exchanges and obtain end-to-end message-level security; XML signatures are used to authenticate the sender's identity and guarantee the integrity of SOAP messages, and XML encryption improves data security; adopting encryption technology based on digital signatures guarantees the confidentiality, integrity and consistency of the information exchange process; and the method has the advantages of convenience for users and improved service quality.
Description of drawings
The present invention is further described below in conjunction with the drawings and embodiments.
Figure 1 is a block diagram of the hardware environment of the present invention;
Figure 2 is the overall workflow diagram of the secure web service in the data-sharing exchange process of the present invention;
Figure 3 is the flow diagram of the digital signing and encryption work of the present invention;
Figure 4 is a schematic diagram of the web-service filtering process of the present invention;
Figure 5 is the application-system function flow diagram of one embodiment of the present invention;
Reference labels in the drawings:
1 - write the certificate script;
2 - execute the script;
3 - generate the certificates;
4 - the client deploys the agent-side file and the server trust file;
5 - the server deploys the server-side file and the agent-side trust file;
6 - use the agent-side file to obtain a digital signature;
7 - use the server trust file to encrypt;
8 - use the agent-side trust file to decrypt;
9 - use the server-side file to verify the digital signature;
10 - business database B;
11 - business system A;
12 - shared folder A;
13 - business database A;
14 - data agent A;
15 - data center;
16 - central database;
17 - data switching center;
18 - business system B;
19 - shared folder B;
20 - data agent B;
21 - client;
22 - server A;
23 - encrypted SOAP packet;
24 - HTTP transport protocol;
25 - sign the SOAP message with a digital certificate;
26 - encrypt the SOAP message;
27 - encryption function;
28 - verify the digital certificate;
29 - decrypt the SOAP message;
30 - decryption function;
31 - agent side;
32 - server B;
33 - request;
34 - response;
35 - digital-certificate authentication;
36 - digital-certificate authorisation;
37 - content encryption;
38 - logging;
39 - digital-certificate verification;
40 - content decryption;
41 - web-service cache;
51 - sender A packs the data;
52 - digitally sign and encrypt;
53 - send the result to the intermediate database;
54 - intermediate database C verifies and saves the data;
55 - return the history record to the sender;
56 - recipient B obtains the XML from the intermediate database;
57 - decrypt the XML and verify the digital certificate;
58 - intermediate-database data set;
59 - parse the XML and store it in the database;
60 - return the history record to the recipient.
Embodiment
Referring to Figures 1, 2, 3 and 4, the method runs in the data exchange transmission process between heterogeneous systems; it uses SOAP, through web services, to carry out web-service filtering and data exchange, obtaining end-to-end message-level security; through data encryption, digital certificates and secure web services in the data-sharing exchange process, XML is digitally signed and encrypted to realise data security; and VeriSign's trust services integration toolkit, with HTTP as the transport protocol, is adopted to support the digital signing, verification, encryption and decryption of SOAP packets. The workflow of the secure web service in this data-sharing exchange process specifically comprises the following steps:
Step 1: Write the certificate script (1)
Following the usage specification of VeriSign's trust services integration toolkit, write the digital-certificate generation script; this is the write-certificate-script (1) module.
Step 2: Execute the script (2)
After the write-certificate-script (1) module has run, its output signal is delivered to the execute-script (2) module.
Step 3: Generate the certificates (3)
After the execute-script (2) module has run, its output signal is delivered to the generate-certificate (3) module. The digital-certificate script generates four files: the server-side file bms.keystore, the agent-side file bmc.keystore, the server trust file bms.truststore and the agent-side trust file bmc.truststore.
Step 4: The client deploys the agent-side file and the server trust file (4)
After the generate-certificate (3) module has run, its output signal is split into two paths. One path is delivered to module (4), in which the client deploys the agent-side file and the server trust file: the two files bmc.keystore (agent-side file) and bms.truststore (server trust file) are deployed for the web-service client.
Step 5: The server deploys the server-side file and the agent-side trust file (5)
After the generate-certificate (3) module has run, the other path of its output signal is delivered to module (5), in which the server deploys the server-side file and the agent-side trust file: the two files bms.keystore (server-side file) and bmc.truststore (agent-side trust file) are deployed for the server.
Step 6: Use the agent-side file to obtain a digital signature (6)
After the client-deployment (4) module has run, the method enters module (6), which uses the agent-side file to obtain a digital signature: when the client calls the interface, it signs digitally with the private key from the agent-side file bmc.keystore.
Step 7: Use the server trust file to encrypt (7)
After module (6) has run, the method enters module (7), which encrypts with the server trust file; the output signal of module (7) is delivered to the server-deployment (5) module. The SOAP packet is encrypted with the public key from the server trust file bms.truststore.
Step 8: Use the agent-side trust file to decrypt (8)
After the server-deployment (5) module has run, the method enters module (8), which decrypts with the agent-side trust file: when the response is processed, the SOAP packet is decrypted with the private key from the agent-side file bmc.keystore.
Step 9: Use the server-side file to verify the digital signature (9)
After the agent-side decryption (8) module has run, the method enters module (9), which verifies the digital signature with the server-side file: the digital signature is verified with the public key from the server trust file bms.truststore.
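Steps 1 to 9, both as listed in the Summary and as restated here with the figure labels, describe a sign-then-encrypt exchange: after deployment each side holds its own key pair and the other side's public key, the sender signs with its private key (step 6) and encrypts for the receiver's public key (step 7), and the receiver decrypts with its private key (step 8) and verifies with the sender's public key (step 9). The Go program below is an added example of that exchange and is not code from the patent or from its applicant. It uses Go's standard library in place of the Java keystore files and the VeriSign toolkit the patent names, keeps the two key pairs in memory rather than in bms.keystore, bmc.keystore, bms.truststore and bmc.truststore, and, because the patent names no algorithms for these steps, chooses RSA-PSS for the signature and AES-256-GCM with an RSA-OAEP-wrapped key for the encryption (RSA alone cannot encrypt a SOAP packet of arbitrary size). The type and function names and the sample SOAP envelope are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// Party is one side of the exchange after deployment (steps 4 and 5).
type Party struct {
	Key     *rsa.PrivateKey // own key pair: the role of bmc.keystore / bms.keystore
	PeerPub *rsa.PublicKey  // the peer's public key: the role of bms.truststore / bmc.truststore
}

// SignedPacket is the SOAP message with the sender's signature attached (step 6).
type SignedPacket struct {
	Message   string `xml:"Message"`
	Signature string `xml:"Signature"` // base64 of RSA-PSS over SHA-256(Message)
}

// SealedPacket crosses HTTP (step 7): the signed packet under a fresh AES-256-GCM key, plus that key wrapped with the receiver's RSA public key.
type SealedPacket struct {
	WrappedKey, Ciphertext []byte
	Nonce                  [12]byte // fixed size, so a forged packet cannot hand GCM a bad nonce length
}

// must panics on an error; the demo's own calls below can only fail if the system random source does.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewParty generates a key pair, standing in for the certificate script of steps 1 to 3.
func NewParty() *Party {
	return &Party{Key: must(rsa.GenerateKey(rand.Reader, 2048))}
}

// Sign signs the message with the sender's own private key (step 6).
func (p *Party) Sign(message string) (SignedPacket, error) {
	digest := sha256.Sum256([]byte(message))
	sig, err := rsa.SignPSS(rand.Reader, p.Key, crypto.SHA256, digest[:], nil)
	return SignedPacket{Message: message, Signature: base64.StdEncoding.EncodeToString(sig)}, err
}

// Seal encrypts for the peer (step 7). RSA cannot encrypt a whole SOAP packet, so the packet goes under AES-GCM and only the AES key under RSA-OAEP.
func (p *Party) Seal(sp SignedPacket) (s SealedPacket, err error) {
	plaintext, _ := xml.Marshal(sp) // cannot fail: both fields are plain strings
	aesKey := make([]byte, 32)      // a fresh AES-256 key for this packet only
	if _, err = rand.Read(aesKey); err != nil {
		return s, err
	}
	if _, err = rand.Read(s.Nonce[:]); err != nil {
		return s, err
	}
	block, _ := aes.NewCipher(aesKey) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	s.Ciphertext = gcm.Seal(nil, s.Nonce[:], plaintext, nil)
	s.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.PeerPub, aesKey, nil)
	return s, err
}

// Open decrypts with the receiver's own private key (step 8); anyone else holding the ciphertext fails at the key unwrap.
func (p *Party) Open(s SealedPacket) (SignedPacket, error) {
	var sp SignedPacket
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.Key, s.WrappedKey, nil)
	if err != nil || len(aesKey) != 32 {
		return sp, fmt.Errorf("key unwrap failed: %v", err) // wrong private key, or a forged wrap
	}
	block, _ := aes.NewCipher(aesKey) // cannot fail: the length was checked above
	gcm, _ := cipher.NewGCM(block)
	plaintext, err := gcm.Open(nil, s.Nonce[:], s.Ciphertext, nil) // the GCM tag rejects altered ciphertext
	if err != nil {
		return sp, err
	}
	return sp, xml.Unmarshal(plaintext, &sp)
}

// Verify checks the signature with the public key held for the peer (step 9).
func (p *Party) Verify(sp SignedPacket) error {
	sig, _ := base64.StdEncoding.DecodeString(sp.Signature) // a malformed field simply fails to verify
	digest := sha256.Sum256([]byte(sp.Message))
	return rsa.VerifyPSS(p.PeerPub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	client, server, third := NewParty(), NewParty(), NewParty()
	client.PeerPub, server.PeerPub = &server.Key.PublicKey, &client.Key.PublicKey // steps 4 and 5
	// Constructed sample SOAP envelope; it is not taken from the patent.
	msg := `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Order id="42"/></soap:Body></soap:Envelope>`
	sealed := must(client.Seal(must(client.Sign(msg))))
	_, err := third.Open(sealed) // third has keys of its own but not the server's private key
	fmt.Println("third party can decrypt:", err == nil)
	got := must(server.Open(sealed))
	fmt.Println("signature verifies:", server.Verify(got) == nil)
	got.Message += "<!-- altered after decryption -->"
	fmt.Println("altered message verifies:", server.Verify(got) == nil)
}
```

Running it shows the three properties the Summary claims: the third party cannot decrypt the packet, the server verifies the sender's signature, and a message altered after decryption fails verification. Because the signature travels inside the encrypted packet, an observer on the wire sees neither the message nor who signed it; altering the ciphertext itself is rejected earlier, by the GCM authentication tag in Open.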
Referring to Figure 3, in the data exchange transmission method described, the digital signing and encryption work of the digital-signature-based encryption method is based on Apache AXIS (Apache eXtensible Interaction System). Transmission and reception are completed between the client (21) and server A (22), which are electrically connected through the encrypted-SOAP-packet (23) module and the HTTP transport protocol (24), where:
The client (21) comprises: module (25), which signs the SOAP message with a digital certificate, module (26), which encrypts the SOAP message, and the encryption-function (27) module. The output signal of module (25) is delivered to the input of module (26), and the output signal of the encryption-function (27) module is delivered to the input of module (26).
Server A (22) comprises: module (28), which verifies the digital certificate, module (29), which decrypts the SOAP message, and the decryption-function (30) module. The output signal of module (28) is delivered to the input of module (29), and the output signal of the decryption-function (30) module is delivered to the input of module (29). The digital signing and encryption work comprises the following steps:
Step 1: Client (21)
The SOAP message is encrypted through the signature function at the client (21).
Step 2: Encryption process
During encryption, first obtain the private key and the related certificate, then sign the SOAP message, and finally send the signed file to the server through the HTTP transport protocol (24).
Step 3: Server A (22)
Server A (22) verifies the signed SOAP message through the data-verification function.
Step 4: Decryption process
After verification, the document is decrypted according to the private key and the related certificate.
Implementation of the digital signing and encryption work of the present invention:
1. The SOAP (Simple Object Access Protocol) message is encrypted through the signature function at the client;
2. During encryption, first obtain the private key and the related certificate, then sign the SOAP message, and finally send the signed file to the server through the HTTP (Hypertext Transport Protocol) transport protocol;
3. The server verifies the signed SOAP message through the data-verification function;
4. After verification, the document is decrypted according to the private key and the related certificate.
Referring to Figure 4, in the data exchange transmission method described, the web-service filtering of the digital-signature-based encryption method comprises: an agent side (31) and server B (32), which are electrically connected through request (33) and response (34) signals, where:
The agent side (31) comprises: the digital-certificate authentication (35), digital-certificate authorisation (36), content-encryption (37) and logging (38) modules, which are electrically connected in parallel.
Server B (32) comprises: the digital-certificate verification (39), content-decryption (40) and web-service cache (41) modules, which are electrically connected in parallel. The web-service filtering work comprises the following steps:
A) Authenticate and authorise the client;
B) Write the user's access to the system log;
C) Encrypt and decrypt the requested SOAP message;
D) Cache the web-service objects.
See also shown in the accompanying drawing 1, based on the device of the encryption technology of digital signature, this installs by modules such as operation system, central database and Service Databases, also comprises: operation system A 11, data center 15 and operation system B 18 in the transmission of a kind of exchanges data; Be electrically connected each other between the Shared Folders B 19 among Shared Folders A 12 among the operation system A 11 and the operation system B 18; Be electrically connected each other between the data switching center 17 in agent data A 14 among the operation system A 11 and the data center 15; Be electrically connected each other between the agent data B 20 among data switching center 17 in the data center 15 and the operation system B 18; Wherein:
Shared Folders A 12, agent data A 14 and Service Database A 13 successively have been linked in sequence among the operation system A 11; Be each other to be electrically connected between Shared Folders A 12, agent data A 14 and the Service Database A 13, be electrically connected each other between Shared Folders A 12 and the Shared Folders B 19;
Central database 16 and data switching center 17 successively have been linked in sequence in the data center 15; Be electrically connected each other between central database 16 and the data switching center 17;
Shared Folders B 19, agent data B20 and Service Database B 10 successively have been linked in sequence among the operation system B 18; Be each other to be electrically connected between Shared Folders B 19, agent data B 20 and the Service Database B 10, be electrically connected each other between agent data B 20 and the data switching center 17.
Implementation of the hardware environment of the present invention:
1. The data center provides data item management, network services and the encryption and decryption of SOAP (Simple Object Access Protocol) messages; its network service processing handles the interface calls from the data agent side.
2. The data agent mainly performs two functions, data provision and data reception. One data agent may serve a single database operation or several; the agent side also provides network services and the encryption and decryption of SOAP (Simple Object Access Protocol) messages.
Referring to accompanying drawing 5, the flow chart of the application system functions in one embodiment of the invention specifically comprises the following steps:
Step 1. Sender A packs data (51)
If operation system A 11 is sender A, i.e. data provider A, sender A performs the data packing (51) work;
Step 2. Digital signature and encryption (52)
After the sender A packs data (51) module has run, the digital signature and encryption (52) module is entered;
Step 3. Send the result to the middle database (53)
After the digital signature and encryption (52) module has run, the send the result to the middle database (53) module is entered;
Step 4. Middle database C verifies and saves the data (54)
After the send the result to the middle database (53) module has run, the middle database C verifies and saves the data (54) module is entered; the output signal of middle database C verifies and saves the data (54) is divided three ways: the first way goes to the return history record to sender (55) module, the second way goes to the recipient B obtains XML from the middle database (56) module, and the third way goes to the return history record to recipient (60) module;
Step 5. Decrypt XML and verify the digital certificate (57)
After the recipient B obtains XML from the middle database (56) module has run, the decrypt XML and verify the digital certificate (57) module is entered;
Step 6. Write to the middle database dataset (58)
After the decrypt XML and verify the digital certificate (57) module has run, the write to the middle database dataset (58) module is entered;
Step 7. Parse XML and store in the database (59)
After the write to the middle database dataset (58) module has run, the parse XML and store in the database (59) module is entered.
Implementation of the application system in one embodiment of the invention:
Suppose operation system A 11 is the sender, i.e. data provider A; operation system B 12 is the obtaining side, i.e. data obtainer B; the data center is the middle database C; and A shares data with B through C:
1. A defines and describes the relational data table to be shared and submits the description to C and B; each agent side sets up the corresponding provision item in its own system and forms its own import item according to the description provided by A;
2. C sets up the corresponding shared data directory according to the data table description provided by A and defines the XML (Extensible Markup Language) Schema of the shared data format (stored on the web server). B likewise sets up a data receiving item in its own system, together with the correspondence between XML (Extensible Markup Language) elements and fields, so that B can receive the data. B defines the structure of its corresponding database table itself, but it must agree with the relevant elements of the data receiving project;
3. A starts the data provision process at regular intervals; the records not shared since the last run (newly added or revised) are packed into an XML (Extensible Markup Language) bag according to the rules, and this XML file must conform to the XML (Extensible Markup Language) Schema defined above. After security processing, the bag is saved to the central database through the interface provided by C; if C confirms receipt, the flag bit of the respective record is revised to sent. If the data has a high priority, B is required to be notified;
4. B starts the data receiving process at regular intervals. Through the query interface provided by C, B learns whether there is data shared to it; if so, B obtains the XML (Extensible Markup Language) data from the central database. After receiving the data, B transforms it into its database through XML (Extensible Markup Language)-to-Table and revises the receiving flag in C. If the XML (Extensible Markup Language) bag built by A contains attachment information, B extracts the corresponding FTP address or HTTP (Hypertext Transport Protocol) address while parsing, adds it to the attachment obtaining list, and downloads the attachment from A's shared folder into B's shared folder.
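The four-step exchange above (A packs the rows not yet shared, C stores the bag and confirms it with a sent flag, B polls C, runs XML-to-Table and sets the received flag, extracting FTP or HTTP attachment addresses along the way) as an added worked example in Go. It is not code from the patent or its assignee: the record fields, the package element names and the in-memory central database are constructed assumptions, since the patent only fixes that the XML follows an agreed Schema and that both sides maintain flag bits.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Record is one row of the table A agreed to share (constructed stand-in for the Schema C publishes).
type Record struct {
	ID         string `xml:"id,attr"`
	Name       string `xml:"name"`
	Attachment string `xml:"attachment,omitempty"` // FTP or HTTP address of a file in A's shared folder
}

// Package is the XML bag A builds from rows that are new or revised since the last run.
type Package struct {
	XMLName xml.Name `xml:"package"`
	From    string   `xml:"from,attr"`
	To      string   `xml:"to,attr"`
	Records []Record `xml:"record"`
}

// Entry is what C keeps per package: the XML plus the two flag bits the flow relies on.
type Entry struct {
	To, XML        string
	Sent, Received bool
}

type CentralDB struct{ Entries []*Entry } // middle database C, in memory (constructed)

// Provider is A: its rows and, per row id, whether that row has already been shared.
type Provider struct {
	Name   string
	Rows   []Record
	Shared map[string]bool
}

// Provide packs every unshared row into one XML package, saves it through C (which
// confirms by setting the sent flag) and only then marks those rows shared.
func (a *Provider) Provide(c *CentralDB, to string) (int, error) {
	pkg := Package{From: a.Name, To: to}
	for _, r := range a.Rows {
		if !a.Shared[r.ID] {
			pkg.Records = append(pkg.Records, r)
		}
	}
	if len(pkg.Records) == 0 {
		return 0, nil
	}
	out, err := xml.MarshalIndent(pkg, "", "  ")
	if err != nil {
		return 0, err
	}
	c.Entries = append(c.Entries, &Entry{To: to, XML: string(out), Sent: true})
	for _, r := range pkg.Records {
		a.Shared[r.ID] = true
	}
	return len(pkg.Records), nil
}

// Receiver is B: its own table keyed by row id and the attachment download list.
type Receiver struct {
	Name      string
	Table     map[string]Record
	Downloads []string
}

// Receive is B's poll: every package for it that is sent but not yet received is run
// through XML-to-Table, its attachment addresses are queued, then the received flag is set.
func (b *Receiver) Receive(c *CentralDB) (int, error) {
	n := 0
	for _, e := range c.Entries {
		if e.To != b.Name || !e.Sent || e.Received {
			continue
		}
		var pkg Package
		if err := xml.Unmarshal([]byte(e.XML), &pkg); err != nil {
			return n, fmt.Errorf("package for %s rejected: %w", e.To, err)
		}
		for _, r := range pkg.Records {
			b.Table[r.ID] = r
			if strings.HasPrefix(r.Attachment, "ftp://") || strings.HasPrefix(r.Attachment, "http://") {
				b.Downloads = append(b.Downloads, r.Attachment)
			}
			n++
		}
		e.Received = true
	}
	return n, nil
}

func main() {
	c := &CentralDB{}
	a := &Provider{Name: "A", Shared: map[string]bool{"0": true}, Rows: []Record{{ID: "0", Name: "already shared"}, {ID: "1", Name: "new", Attachment: "ftp://a.example/shared/1.pdf"}}}
	b := &Receiver{Name: "B", Table: map[string]Record{}}
	sent, _ := a.Provide(c, "B")
	got, err := b.Receive(c)
	fmt.Println("sent", sent, "received", got, "downloads", b.Downloads, "err", err)
}
```

Provide marks rows shared only after the package is stored in C, and Receive sets the received flag only after XML-to-Table succeeded, so a package that fails to parse stays pending in C instead of being silently consumed; a package addressed to another system is never touched, and only FTP or HTTP attachment addresses are queued, as step 4 specifies.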

Claims (2)

  1. A digital-signature-based encryption technique method in data exchange transmission, characterized in that: the method runs in the data exchange transmission process between heterogeneous systems; it uses SOAP (Simple Object Access Protocol) to perform network service filtering and data exchange through network services, obtaining end-to-end message-level security; through secure network services in the data encryption, digital certificate and data sharing exchange process, XML (Extensible Markup Language) is digitally signed and encrypted to achieve data security; the trust services integration toolkit of Verisign company, over the transport protocol HTTP, is adopted to support the digital signing, verification, encryption and decryption of SOAP packages; the workflow of the secure network service in this data sharing exchange process specifically comprises the following steps:
    Step 1: write the certificate script (1)
    Following the usage standard of the Verisign trust services integration toolkit, write the data certificate generation script; this is the write certificate script (1) module;
    Step 2: execute the script (2)
    After the write certificate script (1) module has run, the output signal of the write certificate script (1) module is delivered to the execute script (2) module;
    Step 3: generate the certificate (3)
    After the execute script (2) module has run, the output signal of the execute script (2) module is delivered to the generate certificate (3) module; the digital certificate script generates four files: the server end file bms.keystore, the agent side file bmc.keystore, the server trust file bms.truststore and the agent side trust file bmc.truststore;
    Step 4: the client deploys the agent side file and the server trust file (4)
    After the generate certificate (3) module has run, its output signal is divided two ways; one way goes to the client deploys agent side file and server trust file (4) module, which deploys two files for the network client: the agent side file bmc.keystore and the server trust file bms.truststore;
    Step 5: the service end deploys the server end file and the agent side trust file (5)
    After the generate certificate (3) module has run, the other way of its output signal goes to the service end deploys server end file and agent side trust file (5) module, which deploys two files for the service end: the server end file bms.keystore and the agent side trust file bmc.truststore;
    Step 6: use the agent side file to obtain a digital signature (6)
    After the client deploys agent side file and server trust file (4) module has run, the use the agent side file to obtain a digital signature (6) module is entered; when the client calls the interface, it signs with the private key of the agent side file bmc.keystore;
    Step 7: use the server trust file to encrypt (7)
    After the use the agent side file to obtain a digital signature (6) module has run, the use the server trust file to encrypt (7) module is entered; the output signal of the use the server trust file to encrypt (7) module is delivered to the service end deploys server end file and agent side trust file (5) module; the SOAP package is encrypted with the public key of the server trust file bms.truststore;
    Step 8: use the agent side trust file to decrypt (8)
    After the service end deploys server end file and agent side trust file (5) module has run, the use the agent side trust file to decrypt (8) module is entered; when the response is processed, the SOAP package is decrypted with the private key of the agent side file bmc.keystore;
    Step 9: use the service end file to verify the digital signature (9)
    After the use the agent side trust file to decrypt (8) module has run, the use the service end file to verify the digital signature (9) module is entered; the digital signature is verified with the public key of the server trust file bms.truststore.
  2. The digital-signature-based encryption technique method in data exchange transmission according to claim 1, characterized in that: the digital signature and encryption work is based on Apache AXIS (Apache eXtensible Interaction System) and is completed through transmission between client (21) and service end A (22) and the corresponding reception; client (21) and service end A (22) are electrically connected through the encrypted SOAP package (23) module and the transport protocol HTTP (24), wherein:
    Client (21) comprises: the sign the SOAP message using a digital certificate (25) module, the encrypt the SOAP message (26) module and the encryption function (27) module; the output signal of the sign the SOAP message using a digital certificate (25) module is delivered to the input of the encrypt the SOAP message (26) module, and the output signal of the encryption function (27) module is delivered to the input of the encrypt the SOAP message (26) module;
    Service end A (22) comprises: the verify the digital certificate (28) module, the decrypt the SOAP message (29) module and the decryption function (30) module; the output signal of the verify the digital certificate (28) module is delivered to the input of the decrypt the SOAP message (29) module, and the output signal of the decryption function (30) module is delivered to the input of the decrypt the SOAP message (29) module; this digital signature and encryption work comprises the following steps:
    Step 1: client (21)
    The SOAP (Simple Object Access Protocol) message is encrypted in client (21) through the signature function;
    Step 2: encryption process
    During encryption, the private key and the related certificate are obtained first, then the SOAP message is signed, and finally the signed file is sent to the service end through the transport protocol HTTP (24);
    Step 3: service end A (22)
    Service end A (22) verifies the signed SOAP message through the data verification function;
    Step 4: decryption process
    After verification, the document is decrypted according to the private key and the related certificate.
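The signing and encryption path of the claims (steps 6 to 9 of claim 1, and the client to service end exchange of claim 2: sign with the own private key, encrypt for the peer, decrypt with the own private key, verify with the peer's public key) as an added worked example in Go. It is not code from the patent, from Verisign's toolkit or from Apache AXIS. Two assumptions replace what the claims leave to the toolkit: the keystore and truststore files become in-memory RSA keys, and because a SOAP envelope is far larger than one RSA block the envelope is encrypted with a fresh AES-GCM key that is itself wrapped with the receiver's public key (RSA-OAEP).

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Party: Priv is what the side's *.keystore holds, PeerPub is the peer's public key
// from its *.truststore (assumption: raw RSA keys in memory instead of Java keystores).
type Party struct {
	Priv    *rsa.PrivateKey
	PeerPub *rsa.PublicKey
}

// Sealed is the encrypted SOAP package: AES-GCM over the envelope with the signature
// as associated data, plus the AES key wrapped by RSA-OAEP under the receiver's key.
type Sealed struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewParties plays steps 3 to 5: two key pairs, each side trusting the other's public key.
func NewParties() (client, server *Party, err error) {
	var keys [2]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, nil, err
		}
	}
	return &Party{keys[0], &keys[1].PublicKey}, &Party{keys[1], &keys[0].PublicKey}, nil
}

// SignAndEncrypt is the sender (steps 6 and 7): sign with the own private key first,
// then encrypt the envelope for the peer, binding the signature in as associated data.
func SignAndEncrypt(sender *Party, envelope []byte) (*Sealed, error) {
	digest := sha256.Sum256(envelope)
	sig, err := rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32+12) // fresh AES-256 key followed by a 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		return nil, err
	}
	key, nonce := secret[:32], secret[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sender.PeerPub, key, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, envelope, sig)
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// DecryptAndVerify is the receiver (steps 8 and 9): unwrap the key with the own private
// key, open the payload (any tampering fails here), then verify the peer's signature.
func DecryptAndVerify(receiver *Party, m *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver.Priv, m.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	envelope, err := gcm.Open(nil, m.Nonce, m.Ciphertext, m.Signature)
	if err != nil {
		return nil, fmt.Errorf("payload rejected: %w", err)
	}
	digest := sha256.Sum256(envelope)
	if err := rsa.VerifyPSS(receiver.PeerPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	return envelope, nil
}

func main() {
	client, server, err := NewParties()
	if err != nil {
		panic(err)
	}
	sealed, err := SignAndEncrypt(client, []byte(`<soap:Envelope><soap:Body/></soap:Envelope>`)) // constructed
	if err == nil {
		_, err = DecryptAndVerify(server, sealed)
	}
	fmt.Println("round trip error:", err) // nil when the envelope decrypted and verified
}
```

Signature first and encryption second follows the order of the claims. The signature travels outside the ciphertext but is fed to AES-GCM as associated data, so a modified signature, nonce or ciphertext already fails at gcm.Open, and a package can only be opened with the private key that matches the public key it was wrapped under; VerifyPSS is reached only by a package that survived both checks.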

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810035274A CN101247232B (en) 2008-03-27 2008-03-27 Encryption technique method based on digital signature in data communication transmission

Publications (2)

Publication Number Publication Date
CN101247232A CN101247232A (en) 2008-08-20
CN101247232B true CN101247232B (en) 2012-09-26

Family

ID=39947464

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1352434A (en) * 2001-11-29 2002-06-05 上海维豪信息安全技术有限公司 Electronic government affairs safety platform system based on trust and authorization service
CN1505309A (en) * 2002-11-20 2004-06-16 Securely processing client credentials used for web-based access to resources
CN101119196A (en) * 2006-08-03 2008-02-06 西安电子科技大学 Bidirectional identification method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120926