Summary of the invention
The purpose of the present invention is to solve at least one of the above-mentioned technical deficiencies, in particular the low security and low authenticity of existing surveillance information.
To achieve the above object, in one aspect the present invention proposes a method for improving the security of surveillance data, comprising the following steps: an encoding end acquires surveillance data; the encoding end encodes and segments the surveillance data and encapsulates it into corresponding raw data units; the encoding end encrypts the unit payload of each raw data unit to generate the unit payload of a corresponding encrypted data unit; the encoding end encapsulates the encrypted data unit and sends it to a decoding end, and sets an encryption flag in the unit header of the encrypted data unit to indicate to the decoding end that the unit payload of the encrypted data unit is encrypted and which encryption algorithm was used.
As one embodiment of the present invention, after the encoding end encapsulates the encrypted data unit and sends it to the decoding end, the method further comprises: the decoding end receives the encrypted data unit sent by the encoding end and parses its unit header; when the encryption flag in the unit header of the encrypted data unit is valid, the decoding end decrypts the unit payload of the encrypted data unit with a preset key, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the raw data unit.
As one embodiment of the present invention, the encoding end encapsulating the encrypted data unit specifically comprises: the encoding end takes the unit header, the unit payload and the encryption key information of the encrypted data unit together as the encrypted data unit.
In the above embodiment, after the encoding end encapsulates the encrypted data unit and sends it to the decoding end, the method further comprises: the decoding end receives the encrypted data unit sent by the encoding end and parses its unit header; when the encryption flag in the unit header of the encrypted data unit is valid, the decoding end first obtains the encryption key information from the encrypted data unit, then decrypts the encrypted data unit according to the obtained encryption key information, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the raw data unit.
As one embodiment of the present invention, the unit payload length of the encrypted data unit is identical to the unit payload length of the raw data unit.
As one embodiment of the present invention, after the encoding end encodes and segments the surveillance data and encapsulates it into corresponding raw data units, the method further comprises: the encoding end performs authentication processing on the unit payload of the raw data unit to generate authentication data; and the step in which the encoding end encrypts the unit payload of the raw data unit to generate the unit payload of the corresponding encrypted data unit is specifically: the encoding end encrypts the unit payload of the raw data unit together with the authentication data to generate the unit payload of the corresponding encrypted data unit, and, when encapsulating the encrypted data unit, sets an authentication flag in the unit header of the encrypted data unit.
As one embodiment of the present invention, after the encoding end encapsulates the encrypted data unit and sends it to the decoding end, the method further comprises: the decoding end receives the encrypted data unit sent by the encoding end, parses its unit header, and judges whether the encryption flag and the authentication flag in the unit header of the encrypted data unit are valid; if the encryption flag in the unit header is valid, the decoding end decrypts the unit payload of the encrypted data unit with the encryption algorithm obtained by parsing the encryption flag to obtain the unit payload of the corresponding raw data unit; if the authentication flag in the unit header is valid, the decoding end judges, from the authentication data in the raw data unit and the unit payload of the raw data unit, whether the unit payload of the raw data unit has been tampered with; if the unit payload of the raw data unit is judged to have been tampered with, the user is alerted.
As one embodiment of the present invention, the decoding end judging from the authentication data in the raw data unit and the unit payload of the raw data unit whether the unit payload of the raw data unit has been tampered with specifically comprises the following steps: the decoding end performs authentication processing on the unit payload of the raw data unit using the authentication algorithm obtained by parsing the authentication flag, obtaining comparison authentication data; the decoding end judges whether the comparison authentication data is identical to the obtained authentication data, and if the comparison authentication data is not identical to the obtained authentication data, judges that the unit payload of the raw data unit has been tampered with.
In the above embodiments, the unit payload of the raw data unit is one or more of compression layer data, a coding parameter set and alarm information.
The present invention also proposes a surveillance data encryption system comprising a decoding end and at least one encoding end. The encoding end is used to acquire surveillance data, to encode and segment the surveillance data and encapsulate it into corresponding raw data units, to encrypt the unit payload of each raw data unit to generate the unit payload of a corresponding encrypted data unit, and to encapsulate the encrypted data unit and send it to the decoding end, while setting an encryption flag in the unit header of the encrypted data unit to indicate to the decoding end that the unit payload of the encrypted data unit is encrypted and which encryption algorithm was used. The decoding end is used, after receiving the encrypted data unit sent by the encoding end, to parse the unit header of the encrypted data unit and, when the encryption flag in the unit header is valid, to decrypt the unit payload of the encrypted data unit with a preset key, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the raw data unit.
As one embodiment of the present invention, the encrypted data unit also includes encryption key information, and the decoding end decrypts the unit payload of the encrypted data unit according to the encryption key information and a predetermined key generation rule, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the raw data unit.
As one embodiment of the present invention, the unit payload length of the encrypted data unit is identical to the unit payload length of the raw data unit.
As one embodiment of the present invention, the encoding end is also used to perform authentication processing on the unit payload of the raw data unit to generate authentication data, to encrypt the unit payload of the raw data unit together with the authentication data to generate the unit payload of the corresponding encrypted data unit, and, when encapsulating the encrypted data unit, to set an authentication flag in the unit header of the encrypted data unit.
As one embodiment of the present invention, the decoding end is also used, when the encoding end has performed authentication processing on the unit payload of the raw data unit, after decrypting the unit payload of the encrypted data unit to obtain the unit payload and the authentication data of the corresponding raw data unit, to judge from the authentication data in the raw data unit and the unit payload of the raw data unit, using the authentication algorithm obtained by parsing the authentication flag, whether the unit payload of the raw data unit has been tampered with, and, if the unit payload of the raw data unit is judged to have been tampered with, to alert the user.
In the above embodiments, the unit payload of the raw data unit is one or more of compression layer data, a coding parameter set and alarm information.
The present invention also proposes an encoding end comprising a data acquisition module, a coding and segmentation module, an encryption module and a sending module. The data acquisition module is used to acquire surveillance data; the coding and segmentation module is used to encode and segment the surveillance data acquired by the data acquisition module and encapsulate it into corresponding raw data units; the encryption module is used to encrypt the unit payload of the raw data units obtained by the coding and segmentation module to generate the unit payload of corresponding encrypted data units; the sending module is used to encapsulate the encrypted data units and send them to the decoding end, and to set an encryption flag in the unit header of each encrypted data unit to indicate to the decoding end that the unit payload of the encrypted data unit is encrypted and which encryption algorithm was used.
As one embodiment of the present invention, the unit payload length of the encrypted data unit is identical to the unit payload length of the raw data unit.
As one embodiment of the present invention, the encoding end further comprises an authentication module used to perform authentication processing on the unit payload of the raw data unit to generate authentication data.
The present invention also proposes a decoding end comprising a receiving module and a decryption module. The receiving module is used to receive the encrypted data unit sent by the encoding end; the decryption module is used, when the encryption flag in the unit header of the encrypted data unit is valid, to decrypt the unit payload of the encrypted data unit with a preset key, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the raw data unit.
As one embodiment of the present invention, the decoding end further comprises an authentication module and an alarm module. The authentication module is used to judge, from the unit payload of the raw data unit obtained by the decryption module and the authentication data in the raw data unit, using the authentication algorithm obtained by parsing the authentication flag, whether the unit payload of the raw data unit has been tampered with; the alarm module is used to alert the user when the authentication module judges that the unit payload of the raw data unit has been tampered with.
The present invention also proposes a method for improving the security of surveillance data, comprising the following steps: an encoding end acquires surveillance data; the encoding end encodes and segments the surveillance data and encapsulates it into corresponding raw data units, each raw data unit comprising a unit header and a unit payload; the encoding end performs authentication processing on the unit payload of the raw data unit to generate corresponding authentication data; the encoding end takes the unit header, the unit payload and the authentication data of the raw data unit together as the data unit sent to the decoding end, and sets an authentication flag in the unit header of the data unit to indicate to the decoding end that the unit payload of the data unit includes authentication data and which authentication algorithm was used.
As one embodiment of the present invention, the method further comprises: if the authentication flag in the unit header of the data unit received by the decoding end is valid, the decoding end judges, using the authentication algorithm obtained by parsing the authentication flag, from the authentication data in the raw data unit and the unit payload of the raw data unit, whether the unit payload of the raw data unit has been tampered with; if the unit payload of the raw data unit is judged to have been tampered with, the user is alerted.
As one embodiment of the present invention, the unit payload of the data unit also includes authentication key information, and the decoding end judges, according to the authentication key information and using the authentication algorithm obtained by parsing the authentication flag, from the authentication data in the raw data unit and the unit payload of the raw data unit, whether the unit payload of the raw data unit has been tampered with.
The present invention also proposes an encoding end comprising a data acquisition module, a coding and segmentation module, an authentication module and a sending module. The data acquisition module is used to acquire surveillance data; the coding and segmentation module is used to encode and segment the surveillance data acquired by the data acquisition module and encapsulate it into corresponding raw data units; the authentication module is used to perform authentication processing on the unit payload of the raw data unit to generate corresponding authentication data; the sending module is used to take the unit header and unit payload of the raw data unit together with the authentication data generated by the authentication module as the data unit sent to the decoding end, and to set an authentication flag in the unit header of the data unit to indicate to the decoding end that the unit payload of the data unit includes authentication data and which authentication algorithm was used.
As one embodiment of the present invention, the unit payload of the data unit also includes authentication key information.
By encrypting and authenticating the raw data units at the encoding end, the present invention can improve the security, authenticity and integrity of the data; the present invention is also highly versatile and simple to implement.
Additional aspects and advantages of the present invention will be given in part in the following description, will in part become apparent from the following description, or will be learned through practice of the present invention.
Embodiment
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, are intended only to explain the present invention, and are not to be construed as limiting the present invention.
The main idea of the present invention is that the encoding end encrypts and/or authenticates the unit payload of the raw data unit, thereby improving the security of the surveillance data. To achieve this, an encryption flag and/or an authentication flag must also be added to the unit header, that is, the existing unit structure is modified accordingly. It should be noted that the method for improving the security of surveillance data can be realized in various embodiments: encryption only, authentication only, or a combination of both. The present invention is introduced below through several embodiments; these embodiments are given only to make the present invention easier to understand, and the present invention is not limited to them.
As one embodiment of the present invention, when the unit payload of the raw data unit is encrypted, an encryption flag may be set in the unit header of the encrypted data unit to indicate to the decoding end that the unit payload of the encrypted data unit is encrypted and which encryption algorithm was used, so that the decoding end can decrypt the unit payload of the encrypted data unit according to this indication and a predetermined key, thereby improving the security of surveillance data transmission. As a preferred embodiment of the present invention, on the basis of the above embodiment the encoding end may also authenticate the unit payload of the raw data unit, generate corresponding authentication data and send it to the decoding end together with the raw data, so that the decoding end can authenticate the received raw data according to the authentication data and judge whether the received raw data has been tampered with, thereby guaranteeing the reliability of surveillance data transmission.
Embodiment one
In this embodiment, the encoding end encrypts the unit payload of the raw data unit and at the same time sets an encryption flag in the unit header of the encrypted data unit to indicate to the decoding end that the unit payload of the encrypted data unit is encrypted and which encryption algorithm was used. For a clearer and more complete understanding of the present invention, the process by which the encoding end compresses and encodes the acquired surveillance data is briefly introduced first.
In a surveillance system, the surveillance data encoded by the encoding end (such as audio and video content and generated alarm information) must be transmitted over the network back to a surveillance center (the decoding end in the present invention). Usually, the encoding end compresses and encodes the acquired surveillance data to generate compression layer data, and a number of coding parameters form a coding parameter set, such as the profile and level, image resolution, data bit width, video type and quantization parameter used in video compression, and the coding mode, sampling frequency, number of channels and bit rate used in audio and/or speech compression. For network transmission, the compression layer data, the coding parameter set and any alarm information are generally further divided into data units of a certain length, called network abstraction layer data units. Figure 1 is a schematic diagram of the division into network abstraction layer data units for network transmission.
Figure 2 shows the structure of a data unit. Each data unit generally comprises two parts, a unit header and a unit payload. The unit header contains syntax elements that convey related information between the encoding end and the surveillance center (decoding end), such as element length and unit type.
The above network abstraction layer data unit before encryption may be called a raw data unit (RDU), and after encryption an encrypted data unit (EDU).
Figure 3 is a flowchart of the method for improving the security of surveillance data according to embodiment one of the present invention, which comprises the following steps:
Step S301: the encoding end acquires surveillance data. The surveillance data includes audio and video data and generated alarm information.
Step S302: the encoding end encodes and segments the surveillance data and encapsulates it into corresponding raw data units RDU; the unit payload of an RDU may be one or more of the aforementioned compression layer data, coding parameter set and alarm information.
Step S303: the encoding end encrypts the raw data unit RDU to generate the corresponding encrypted data unit EDU. When the RDU is encrypted, the unit header is not encrypted; only the unit payload is encrypted, and the data length of the unit payload is not changed. As one embodiment of the present invention, the unit header of the EDU is identical to the unit header of the RDU. Figure 4 is a schematic diagram of the encryption of the RDU in embodiment one of the present invention. As one embodiment of the present invention, the key used for encryption in this step may either be preset (that is, known to the decoding end) or generated according to a preset rule. If it is generated according to a preset rule, key information of a fixed length is added to the EDU so that the decoding end can use this key information to decode. The encryption and decryption process of the present invention may use common encryption algorithms such as DES, 3DES and AES, or other pre-shared-key encryption and decryption modes. The key length may be 40 bits, 56 bits, 64 bits, 80 bits, 128 bits, etc.; the longer the key, the higher the security and the more complex the computation. Different grades of encryption algorithm may be used for different data types, such as compression layer data, the coding parameter set and alarm information, so that multiple security levels and data access permissions can be controlled.
Step S304: the encoding end encapsulates the EDU and sends it to the decoding end, and sets an encryption flag in the unit header of the EDU to indicate to the decoding end that the unit payload of this EDU is encrypted and which encryption algorithm was used. Figure 5 is a schematic diagram of the encapsulation of the EDU in embodiment one of the present invention; in this embodiment the encoding end transmits the key information together with the unit header and unit payload of the EDU, and the key information itself is not encrypted. As described above, when the decoding end already knows the key information, the encoding end may transmit only the unit header and unit payload of the EDU.
As a specific embodiment of the present invention, two flags and an optional piece of key information are added to the unit header of the encrypted data unit, as follows:
{
    encryption flag;
    encryption key information present flag;
    if the encryption key information present flag is valid, then:
    {
        encryption key information length;
        encryption key information;
    }
}
The encryption flag in the above syntax indicates whether the unit payload is encrypted and which encryption algorithm was used. Preferably, the encryption flag is represented with 3 bits: "000" means the encryption flag is invalid, that is, the unit payload is not encrypted; any non-"000" value means the encryption flag is valid, that is, the unit payload is encrypted, and also identifies the encryption algorithm used, for example "001" means the unit payload is encrypted with encryption algorithm A, "010" means the unit payload is encrypted with encryption algorithm B, and so on. The encryption key information present flag indicates whether encryption key information is present. Preferably, it is represented with 1 bit: "1" means valid, that is, encryption key information is present; "0" means invalid, that is, no encryption key information is present. The encryption key information length gives the length of the encryption key information that follows it. Preferably, it is represented with 8 bits, in units of bits or bytes; for example, "0100 0000" means the encryption key information is 64 bits or 64 bytes long. The encryption key information contains all or part of the encryption key; as one embodiment of the present invention, the encryption key information is a group of pseudo-random numbers generated by a preset rule, which together with a preset key forms the encryption key according to a specific rule. Preferably, the preset key may be the unique identity ID of the encoding end.
Step S305: the decoding end receives the encrypted data unit sent by the encoding end, parses the unit header of the encrypted data unit, and judges whether the encryption flag in the unit header is valid. If the encryption flag in the unit header of the encrypted data unit is invalid, the unit payload of the encrypted data unit is not encrypted, and the unit payload of the RDU is obtained directly.
Step S306: if the encryption flag in the unit header of the encrypted data unit is valid, the unit payload of the encrypted data unit is encrypted, and the decoding end decrypts the unit payload of the EDU with the preset key, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the RDU. If the encryption key information present flag is valid, the decoding end first obtains the key information (which is not encrypted) from the unit payload of the encrypted data unit, then decrypts the unit payload of the EDU according to the obtained key information and the predetermined key generation rule, using the encryption algorithm obtained by parsing the encryption flag, to obtain the unit payload of the RDU.
Embodiment two
Compared with embodiment one, in this embodiment the unit payload of the raw data unit RDU is not only encrypted: before encryption, the unit payload of the RDU is also authenticated to generate corresponding authentication data, and the authentication data is encrypted together with the unit payload. The decoding end, after decrypting to obtain the unit payload and the authentication data of the RDU, likewise authenticates the obtained unit payload of the RDU to generate the decoding end's own authentication data, and judges whether the generated authentication data is consistent with the decrypted authentication data; if they are inconsistent, the unit payload of this RDU is considered to have been tampered with, and an alarm signal is sent to the user.
Figure 6 is a flowchart of the method for improving the security of surveillance data according to embodiment two of the present invention, which comprises the following steps:
Step S601: the encoding end acquires surveillance data. The surveillance data includes audio and video data and generated alarm information.
Step S602: the encoding end encodes and segments the surveillance data and encapsulates it into corresponding raw data units RDU; the unit payload of an RDU may be one or more of the aforementioned compression layer data, coding parameter set and alarm information.
Step S603: the encoding end performs authentication processing on the unit payload of the RDU to generate authentication data. The authentication processing may use common authentication algorithms such as MD5, SHA and HMAC, or another predefined authentication mode.
Step S604: the encoding end encrypts the unit payload of the RDU together with the generated authentication data to generate the unit payload of the corresponding EDU, and sets an authentication flag and an encryption flag in the unit header of the EDU when encapsulating it. The unit payload length of the EDU is equal to the unit payload length of the RDU plus the length of the generated authentication data. Figure 7 is a schematic diagram of one authentication and encryption scheme of embodiment two of the present invention, in which neither the authentication key information nor the encryption key information is transmitted. Figure 8 is a schematic diagram of another authentication and encryption scheme of embodiment two, in which only the authentication key information is transmitted and the encryption key information is not. Figure 9 is a schematic diagram of another authentication and encryption scheme of embodiment two, in which only the encryption key information is transmitted and the authentication key information is not. Figure 10 is a schematic diagram of another authentication and encryption scheme of embodiment two, in which both the authentication key information and the encryption key information are transmitted.
Compared with embodiment one, in this embodiment an authentication flag must also be added to the unit header of the encrypted data unit. As a specific implementation of the present invention, two authentication flags and an optional piece of authentication key information may be added to the unit header of the encrypted data unit using the following syntax:
{
    authentication flag;
    authentication key information present flag;
    if the authentication key information present flag is valid, then:
    {
        authentication key information length;
        authentication key information;
    }
}
Wherein, authentication marks represent that whether the unit loads of initial data unit R DU is through authentication.Preferably, authentication marks can represent with 3-bit, and " 000 " expression is invalid, and namely the unit loads of initial data unit R DU is through authentication and do not comprise verify data; Other non-" 000 " value representation is effective, the unit loads that is initial data unit R DU is passed through authentication and is comprised verify data, and shown the identifying algorithm that adopts, for example, " 001 " represents that unit loads is certified and adopts identifying algorithm A, " 010 " expression unit loads is certified and adopt identifying algorithm B, and the rest may be inferred.Approval-key information exists the sign expression whether to have approval-key information.Preferably, approval-key information exists sign to represent with 1-bit, and effectively namely there is approval-key information in " 1 " expression; " 0 " expression is invalid, does not namely have approval-key information.Approval-key information length represents the length of approval-key information thereafter.Preferably, approval-key information length can represent with 8-bit, the length of expression approval-key information take bit or byte as unit, and for example, " 1000,0000 " expression approval-key information has 128 bits or 128 bytes.Approval-key information comprises all or part of information of authenticate key, and wherein in one embodiment of the invention, approval-key information is one group of pseudo random number that produces by certain preset rules, and it and preset-key have consisted of authenticate key according to ad hoc rules together.Preferably, authenticate key can be unique identify label ID of coding side.
Step S605, the enciphered data unit that decoding end received code end sends, and the unit header of parsing enciphered data unit, whether encryption indicator and authentication marks in the judging unit head are effective.If encryption indicator and authentication marks in the enciphered data unit unit header are all invalid, then decoding end directly obtains the unit loads of initial data unit R DU.If encryption indicator is only arranged effectively and authentication marks are invalid in the unit header of enciphered data unit, then the processing procedure of decoding end is identical with embodiment one, does not repeat them here.If authentication marks are only arranged effectively and encryption indicator is invalid in the unit header of enciphered data unit, then decoding end is directly obtained unit loads and the verify data of initial data unit R DU, and authenticate according to resolving identifying algorithm that authentication marks the obtain unit loads to the initial data unit R DU that obtains, judge that consequently no verify data with the coding side transmission is consistent, if inconsistent then illustrate that the unit loads of initial data unit R DU is tampered, then decoding end is to User Alarms.Following steps will all effectively be described as example take the encryption indicator in the enciphered data unit unit header and authentication marks.
Step S606: the decoding end decrypts the unit payload of the encrypted data unit EDU with the encryption algorithm identified by parsing the encryption flag, and obtains the unit payload and the authentication data of the corresponding raw data unit RDU.
Step S607: the decoding end performs authentication processing on the unit payload of the RDU obtained by decryption, using the authentication algorithm identified by parsing the authentication flag, and obtains local comparison authentication data. If the authentication key information presence flag is valid, the decoding end first obtains the authentication key information from the raw data unit, and then, according to the obtained authentication key information and the predetermined key generation rule, performs authentication processing on the decrypted unit payload of the RDU with the authentication algorithm identified by parsing the authentication flag, obtaining the local comparison authentication data.
Step S608: the decoding end judges whether the obtained local comparison authentication data is identical to the received authentication data. If they are not identical, the unit payload of the raw data unit is judged to have been tampered with; the decoding end alerts the user and prompts the user that the unit payload of this raw data unit has been tampered with.
Embodiment three
This embodiment differs from the above embodiments in that only authentication processing is performed on the unit payload of the raw data unit, and no encryption processing is performed. Figure 11 is an authentication schematic diagram of Embodiment three of the invention, in which the authentication key information is transmitted together with the data. Specifically, the encoding end first performs authentication processing on the unit payload of the raw data unit RDU and generates the authentication data. The authentication processing may adopt a common authentication algorithm such as MD5, SHA or HMAC, or another predefined authentication mode. The encoding end also needs to add the authentication flag to the unit header; the added authentication flag is as in the above embodiment and is not repeated here. Likewise, the decoding end needs to perform authentication processing on the transmitted unit payload of the RDU with the authentication algorithm identified by parsing the authentication flag, obtaining local comparison authentication data. If the authentication key information presence flag is valid, the decoding end first obtains the authentication key information from the raw data unit, and then, according to the obtained authentication key information and the predetermined key generation rule, performs authentication processing on the unit payload of the RDU with the authentication algorithm identified by parsing the authentication flag, obtaining the local comparison authentication data. It then judges whether the obtained local comparison authentication data is identical to the received authentication data; if they are not identical, the unit payload of the raw data unit is judged to have been tampered with, and the decoding end alerts the user and prompts the user that the unit payload of this raw data unit has been tampered with.
Figure 12 is another authentication schematic diagram of Embodiment three of the invention, in which the authentication key information is not transmitted.
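As an added example that is not part of the patent, the following Python models the unit format described above and the decoding-end checks of steps S605 to S608, including the authentication-only case of Embodiment three. The flag positions in the header, the preset key, the HMAC-based keystream and the rule combining the preset key with the key information are all constructed assumptions, not the patent's own choices.

```python
import hashlib
import hmac
import struct

# Constructed layout for this example: the description fixes the flag widths (1-bit encryption
# flag, 3-bit authentication flag, 1-bit key-info presence flag, 8-bit key-info length) but
# not their positions, so byte 0 packs the flags and byte 1 carries the key-info length in bytes.
PRESET_KEY = b"constructed-preset-key"          # shared by encoding end and decoding end (assumed)
AUTH_ALGS = {1: hashlib.md5, 2: hashlib.sha256}  # "001" -> algorithm A, "010" -> algorithm B
NONCE = b"example-unit-id"                       # assumed per-unit value; fixed here for brevity

def _stream_xor(key, data):
    """Length-preserving stream encryption: HMAC-SHA256 in counter mode as the keystream.
    An example choice, not the patent's cipher; it keeps the EDU payload the same length
    as the RDU payload, as the description requires."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, NONCE + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def _auth_key(key_info):
    # Assumed "specific rule": authentication key = preset key concatenated with key info.
    return PRESET_KEY + key_info

def encode(payload, auth_alg=2, key_info=b"", encrypt=True):
    """Encoding end: authenticate (if auth_alg != 0), then encrypt payload + auth data together."""
    tag = hmac.new(_auth_key(key_info), payload, AUTH_ALGS[auth_alg]).digest() if auth_alg else b""
    rdu_load = payload + tag
    edu_load = _stream_xor(_auth_key(key_info), rdu_load) if encrypt else rdu_load
    flags = (int(encrypt) << 7) | (auth_alg << 4) | (int(bool(key_info)) << 3)
    header = bytes([flags, len(key_info)]) + key_info   # key info travels unencrypted
    return header + edu_load

def decode(edu):
    """Decoding end (steps S605-S608): returns (payload, authentic); False means alarm."""
    flags, klen = edu[0], edu[1]
    encrypt, auth_alg, has_key = flags >> 7, (flags >> 4) & 7, (flags >> 3) & 1
    key_info = edu[2:2 + klen] if has_key else b""
    load = edu[2 + klen:]
    if encrypt:                        # S606: decrypt with the algorithm named by the flag
        load = _stream_xor(_auth_key(key_info), load)
    if not auth_alg:                   # flag "000": no authentication data to check
        return load, True
    alg = AUTH_ALGS[auth_alg]
    payload, tag = load[:-alg().digest_size], load[-alg().digest_size:]
    local = hmac.new(_auth_key(key_info), payload, alg).digest()  # S607: local comparison data
    return payload, hmac.compare_digest(local, tag)               # S608: mismatch => tampered
```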
Figure 13 is a structure diagram of the monitoring data encryption system of an embodiment of the invention. The system comprises a decoding end 810 and at least one encoding end 820. The encoding end 820 is used to acquire monitoring data, encode and segment the monitoring data, and encapsulate it into corresponding raw data units RDU, where the unit payload of an RDU is one or more of compression-layer data, a coding parameter set and alarm information. The encoding end 820 encrypts the unit payload of the RDU to generate the unit payload of the corresponding encrypted data unit EDU, where the unit payload length of the EDU is identical to the unit payload length of the RDU, encapsulates the EDU and sends it to the decoding end 810, and at the same time sets the encryption flag in the unit header of the EDU to indicate to the decoding end 810 that the unit payload of this EDU is encrypted and which encryption algorithm was adopted. The decoding end 810 is used to receive the EDU sent by the encoding end 820, parse the unit header of the EDU and, when the encryption flag in the unit header is valid, decrypt the unit payload of the EDU according to the preset key with the encryption algorithm identified by parsing the encryption flag, obtaining the unit payload of the RDU.
As an embodiment of the invention, the encrypted data unit EDU also includes encryption key information, and the decoding end 810 decrypts the unit payload of the EDU according to the encryption key information and the predetermined key generation rule, using the encryption algorithm identified by parsing the encryption flag, to obtain the unit payload of the raw data unit RDU.
As an embodiment of the invention, the encoding end 820 is further used to perform authentication processing on the unit payload of the RDU to generate authentication data, to encrypt the unit payload and the authentication data of the RDU together to generate the unit payload of the corresponding EDU, and to set the authentication flag in the unit header of the EDU when encapsulating the EDU. Correspondingly, when the encoding end 820 performs authentication processing on the unit payload of the RDU, the decoding end 810 is further used to decrypt the unit payload of the EDU to obtain the unit payload and the authentication data of the corresponding RDU, to judge from the authentication data in the RDU and the unit payload of the RDU whether the decrypted unit payload of the RDU has been tampered with, and to alert the user if it has.
The encoding end 820 comprises a data acquisition module 821, a coding and segmentation module 822, an encryption module 823 and a sending module 824. The data acquisition module 821 is used to acquire monitoring data. The coding and segmentation module 822 is used to encode and segment the monitoring data acquired by the data acquisition module 821 and encapsulate it into corresponding raw data units RDU. The encryption module 823 is used to encrypt the unit payload of the RDU obtained by the coding and segmentation module 822 to generate the unit payload of the corresponding encrypted data unit EDU, where the unit payload length of the EDU is identical to the unit payload length of the RDU. The sending module 824 is used to encapsulate the EDU and send it to the decoding end 810, and to set the encryption flag in the unit header of the EDU to indicate to the decoding end 810 that the unit payload of this EDU is encrypted and which encryption algorithm was adopted.
As an embodiment of the invention, the encoding end 820 further comprises an authentication module 825, used to perform authentication processing on the unit payload of the raw data unit RDU and generate the authentication data.
The decoding end 810 comprises a receiving module 811 and a decryption module 812. The receiving module 811 is used to receive the encrypted data unit EDU sent by the encoding end 820. The decryption module 812 is used, when the encryption flag in the unit header of the EDU is valid, to decrypt the unit payload of the EDU according to the preset key with the encryption algorithm identified by parsing the encryption flag, obtaining the unit payload of the raw data unit RDU. Of course, if key information is present in the EDU, the decryption module 812 first obtains this unencrypted key information, and then decrypts the unit payload of the EDU according to the preset key generation rule and the obtained key information, using the encryption algorithm identified by parsing the encryption flag, to obtain the unit payload of the RDU.
As an embodiment of the invention, the decoding end 810 further comprises an authentication module 813 and an alarm module 814. The authentication module 813 is used to judge, from the unit payload of the raw data unit RDU obtained by the decryption module 812 and the authentication data in the RDU, whether the unit payload of the RDU has been tampered with. The alarm module 814 is used to alert the user when the authentication module 813 judges that the unit payload of the RDU has been tampered with.
The above embodiments are relatively preferred schemes of the invention, but from the embodiments of the above method, those skilled in the art will appreciate that the encoding end may also have only the authentication module of the above embodiments, authenticating the raw data without including the encryption module, which likewise improves the security of the monitoring data. Similar equivalent variations that do not depart from the above idea of the invention all fall within the protection scope of the invention.
Through the encryption and authentication processing of the raw data unit at the encoding end, the invention improves the security, authenticity and integrity of the data; it is highly versatile and simple to implement.
Although embodiments of the invention have been illustrated and described, those of ordinary skill in the art will appreciate that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and spirit of the invention; the scope of the invention is defined by the claims and their equivalents.