CN101964805B - Method, equipment and system for safely sending and receiving data - Google Patents
Method, equipment and system for safely sending and receiving data Download PDFInfo
- Publication number
- CN101964805B CN101964805B CN201010524057.3A CN201010524057A CN101964805B CN 101964805 B CN101964805 B CN 101964805B CN 201010524057 A CN201010524057 A CN 201010524057A CN 101964805 B CN101964805 B CN 101964805B
- Authority
- CN
- China
- Prior art keywords
- smart card
- data
- session key
- encrypted
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The embodiment of the invention discloses a method, equipment and a system for safely sending and receiving data, relates to the technical field of network security, and aims to reduce the complexity of safe data transmission. The method for safely sending the data comprises the following steps of: generating a session key, and encrypting the data by using the session key to form encrypted data; acquiring an enterprise-level key in a first smart card of a sending end, and encrypting the session key by using the enterprise-level key to form an encrypted session key; and writing the encrypted data and the encrypted session key into a second smart card of the sending end, and sending data information containing the encrypted data and the encrypted session key to a receiving end by using the second smart card, wherein the second smart card is a smart card having the functions of data transmission. The embodiment of the invention is used for safely transmitting the data.
Description
Technical field
The present invention relates to the network security technology field, relate in particular to a kind of data security and send and the method, equipment and the system that receive.
Background technology
The network security transmission technology is that raw information waiting for transmission is encrypted the packet of handling the nested another kind of agreement of packing in back with protocol encapsulation, described packet is sent into the technology of transmitting as the general data bag in the network.After encryption of described raw information process and protocol encapsulation were handled, the user of only active end and destination can make an explanation and handle the nest information in the transmission channel, and can not decipher for other users.
Existing network safe transmission technology comprises technology and the Digital Envelope Technology based on the Internet Key Exchange (IKE, Internet Key Exchange) agreement.Source end that described technology based on internet key exchange is communication and destination adopt the Diffie-Hellman algorithm to calculate and generate shared key by swap data, and adopt public-key cryptosystem that described shared key is carried out authentication.Described Digital Envelope Technology comprises: the symmetric key encryption data that the source end utilization of communication produces at random, utilize the described symmetric key of public key encryption of destination again, and be referred to as digital envelope by the symmetric key behind the public key encryption.When Data transmission, destination must obtain described symmetric key earlier with the private key deciphering digital envelope of destination if want data decryption, utilizes described symmetric key data decryption.
But the inventor finds that there are the following problems in the prior art: described technology and described Digital Envelope Technology based on internet key exchange all needs third party's authenticating authority mechanism to carry out authentication and PKI distribution, sets up the complexity that has increased data safe transmission system with the protocol architecture of third party's authenticating authority mechanism.
Summary of the invention
Embodiments of the invention provide a kind of data security to send and the method, equipment and the system that receive, and the complexity of data security transmission is reduced.
For achieving the above object, embodiments of the invention adopt following technical scheme:
The method that a kind of data security sends comprises:
Generate session key, adopt described session key that data are encrypted, form enciphered data;
Obtain the enterprise-level key in first smart card of transmitting terminal, adopt described enterprise-level key that described session key is encrypted, form encrypted session key;
Described enciphered data and described encrypted session key are write second smart card of described transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card, wherein, described second smart card is the smart card with data-transformation facility.
The method corresponding with described data transmission method for uplink, that the embodiment of the invention also provides a kind of data security to receive comprises:
Obtain the data message that obtains from transmitting terminal from second smart card, wherein, described second smart card is the smart card with data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption;
Obtain the enterprise-level key in receiving terminal first smart card, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering;
Adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
Be the method that realizes that above-mentioned data security sends, the equipment that the embodiment of the invention provides a kind of data security to send comprises:
First smart card, be used to generate session key and storage enterprise-level key, adopt described session key that data are encrypted, form enciphered data, and adopt described enterprise-level key that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card; Wherein,
Described second smart card is the smart card with data-transformation facility.
Be the method that realizes that above-mentioned data security receives, the equipment that the embodiment of the invention also provides a kind of data security to receive comprises:
Second smart card is used to obtain the data message that transmitting terminal sends, and wherein, described second smart card is the smart card with data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption;
First smart card, be used to store the enterprise-level key, obtain the described data message that described second smart card obtains, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
The embodiment of the invention also provides a kind of data security system for transmitting, comprising: the transmission channel that is made of transmitting terminal and receiving terminal; Wherein,
Described transmitting terminal comprises: first smart card of transmitting terminal, be used to generate the enterprise-level key of session key and storage transmitting terminal, adopt described session key that data are encrypted, form enciphered data, and adopt the enterprise-level key of described transmitting terminal that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card of transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card; Wherein,
Second smart card of described transmitting terminal is the smart card with data-transformation facility;
Described receiving terminal comprises: second smart card of receiving terminal, be used to obtain the described data message that transmitting terminal sends, and wherein, second smart card of described receiving terminal is the smart card with data-transformation facility;
First smart card of receiving terminal, be used to store the enterprise-level key of receiving terminal, obtain the described data message of described second smart card of receiving terminal from the transmitting terminal acquisition, adopt the described data message of enterprise-level secret key decryption of described receiving terminal, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
When the embodiment of the invention sends in data security, adopt session key that data are encrypted, further, by the enterprise-level key session key is encrypted, and the enterprise-level key is stored in first smart card device, safety by first smart card guarantee enterprise-level key will send to receiving terminal by second smart card through having data-transformation facility through encrypted session key and data, be ensured the safety of data in the process of transmitting by second smart card.Corresponding with the data security transmission, when Data Receiving, ensure the safety of data equally by smart card.The data security that the embodiment of the invention provides sends and the method, equipment and the system that receive, realize the passage of transfer of data by smart card, smart card ensures data security, avoid third party's authenticating authority mechanism to the participation in the data safe transmission process, reduced realization data security complexity for transmitting.
Description of drawings
In order to be illustrated more clearly in the technical scheme in the embodiment of the invention, to do to introduce simply to the accompanying drawing of required use among the embodiment below, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the method flow diagram that the embodiment of the invention one data security sends;
Fig. 2 is the method flow diagram that the embodiment of the invention one data security receives;
Fig. 3 carries out legitimacy authentication method flow chart in the embodiment of the invention one to equipment;
The method flow diagram that Fig. 4 authenticates second smart card for first smart card in the embodiment of the invention one;
The method flow diagram that Fig. 5 authenticates first smart card for second smart card in the embodiment of the invention one;
Fig. 6 is the equipment schematic diagram that data security sends in the embodiment of the invention two;
Fig. 7 is the equipment schematic diagram that data security receives in the embodiment of the invention two;
Fig. 8 is a data security system for transmitting schematic diagram in the embodiment of the invention three.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
Embodiment one
The embodiment of the invention aims to provide the method that a kind of data security sends, and the complexity of data security transmission is reduced.Referring to Fig. 1, present embodiment comprises the steps:
101, generate session key, adopt described session key that data are encrypted, form enciphered data.
Session key is the symmetric key between transmitting terminal and the receiving terminal, be used for the checking between transmitting terminal and the receiving terminal, session key can be generated when having data to send by first smart card of transmitting terminal at every turn, each session key that generates can be all inequality, encrypt to sent data by session key, to ensure data security.
102, obtain enterprise-level key in first smart card of transmitting terminal, adopt described enterprise-level key that described session key is encrypted, form encrypted session key.
First smart card of transmitting terminal can be for having the smart card of memory function, preserve the enterprise-level key by described first smart card, described enterprise-level key is to be used for session key is carried out encrypted secret key, when providing, equipment writes described first smart card, in same data safe transmission system, all enterprise-level keys all are consistent.
Present embodiment is encrypted session key by the enterprise-level key, ensures the safety of session key, and then guarantees data security.
103, described enciphered data and described encrypted session key are write second smart card of described transmitting terminal.
Wherein, described second smart card is the smart card with data-transformation facility, and the session key after data encrypted and the encryption is write to second smart card of transmitting terminal, sends to receiving terminal through described second smart card.
Further, described second smart card can be the smart card that integrates contact mode of operation and contactless mode of operation, for example, described second smart card can be for placing the two interfaces Subscriber Identity Module in the portable terminal, the Subscriber Identity Module SIM (User Recognition, Subscriber Identity Module) that promptly has contact mode of operation and contactless mode of operation.When double-interface smart card receives data from first smart card, described second smart card works in contactless mode of operation, when double-interface smart card when receiving terminal sends data, described second smart card works in the contact mode of operation, and then the terminal that electrically contacts by described second smart card sends data to receiving terminal.
Described enciphered data and described encrypted session key are write second smart card of described transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key through described second smart card to receiving terminal, so present embodiment also comprises the steps:
104, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card.
Described second smart card can be located at portable terminal, thereby the embodiment of the invention can realize the safe transmission of data between the portable terminal.
Generate session key in the present embodiment, can in described first smart card, carry out, but be not limited in first smart card, carry out, also can in the terminal that described first smart card electrically connects, carry out to the data encryption with to session key.
The method corresponding with the method that described data security sends, that the embodiment of the invention also provides a kind of data security to receive, referring to Fig. 2, present embodiment comprises the steps:
201, obtain the data message that obtains from transmitting terminal from second smart card.
So accordingly, second smart card of receiving terminal obtains the data message that transmitting terminal sends.
Wherein, described second smart card is the smart card with data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption.
202, obtain enterprise-level key in receiving terminal first smart card, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering.
Enterprise-level key in described first smart card of receiving terminal is consistent with the enterprise-level key of transmitting terminal, writes when equipment is provided.
203, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
Corresponding with sending method, decrypted session key, data decryption can carry out in described first smart card of receiving terminal, but are not limited to carry out in first smart card, also can carry out in the terminal that described first smart card electrically connects.
Transmitting terminal and receiving terminal are only distinguished with the source end and the destination of transfer of data in the present embodiment, can exchange at different transmission direction transmitting terminals and receiving terminal role.
The data security that the embodiment of the invention provides sends and the method that receives, adopt session key that data are encrypted, further, by the enterprise-level key session key is encrypted, and the enterprise-level key is stored in first smart card device, safety by first smart card guarantee enterprise-level key will send to receiving terminal by second smart card through having data-transformation facility through encrypted session key and data, be ensured the safety of data in the process of transmitting by second smart card.Corresponding with the data security transmission, when Data Receiving, ensure the safety of data equally by smart card.By the passage of smart card realization transfer of data, smart card ensures data security, avoids third party's authenticating authority mechanism to the participation in the data safe transmission process, has reduced realization data security complexity for transmitting.
Further, present embodiment adopts described session key that data are encrypted at described generation session key, form before the enciphered data, this method comprises that the employing dynamic password to the process that smart card carries out the legitimacy authentication, referring to Fig. 3, specifically comprises the steps:
111, described first smart card generates dynamic password, and described dynamic password is write described second smart card.
112, obtain the dynamic password of described second smart card.
Described second smart card receives the dynamic password that is sent by first smart card, dynamic password can be shown.
113, determine that described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card are complementary.
The terminal that the dynamic password that second smart card is shown inputs to first smart card or is electrical connected with described first smart card, whether compare described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card mates, if be complementary, then data can send and receive data by the transmission channel that described first smart card and described second smart card are formed, if be not complementary, can not transmit data between then described first smart card and described second smart card.Wherein, described dynamic password can be one-time pad.
Before each transmission data, adopt the matching between verifying dynamic password first smart card and second smart card, further strengthened safety of data transmission.
Above-mentioned steps 111 to 113 described methods are equally applicable to receive before the data, and first smart card and second smart card are carried out the legitimacy authentication, and concrete steps are the same, repeat no more herein.
Further, present embodiment also comprised the steps: before receiving and sending data
Described second smart card obtains user cipher, and described second smart card is carried out initial authentication.
The number that when described user cipher is the equipment granting described second smart card is carried out identify label adopts described user cipher to login second smart card, utilizes described second smart card to receive or the transmission data to prevent the disabled user.
Further, present embodiment adopts described session key that data are encrypted at described generation session key, forms before the enciphered data, referring to Fig. 4, can also comprise the authenticating step of following first smart card to second smart card:
121, described first smart card generates random number.
122, described first smart card sends described random number to described second smart card.
Described random number is sent to second smart card, thereby makes described second smart card adopt the internal authentication key that is stored in described second smart card that described random number is encrypted, form encrypted random number, so further, present embodiment also comprises step 123.
123, described second smart card obtains described random number, according to the internal authentication key in described second smart card described random number is encrypted, and forms first encrypted random number.
Described second smart card is back to described first smart card with described first encrypted random number.
124, described first smart card receives described first encrypted random number that second smart card sends, and according to the internal authentication key in described first smart card described encrypted random number is authenticated.
Initiate authentication by described first smart card in the present embodiment, the internal authentication key that second smart card basis is preset is to encrypting from the random number of first smart card.Further, can encrypt described random number by the distributed key of described internal authentication key.Random number after encrypting is back to first smart card, and the internal authentication key of internal authentication key symmetry is decrypted the encrypted random number that returns in the employing of first smart card and second smart card, finishes authentication.
Further, present embodiment also can be back to the terminal that is electrical connected with described first smart card to the authentication result of second smart card with first smart card, and concrete grammar is as follows:
125, second smart card is sent to the terminal that is electrical connected with described first smart card with described first encrypted random number by described first smart card.
126, described first smart card is encrypted according to the internal authentication key the described random number that generates, and the random number of this encryption also is sent to the terminal that is electrical connected with described first smart card.
127, the described random number that generates is encrypted the data that obtain is consistent for described first encrypted random number of terminal check that is electrical connected with described first smart card and described first smart card, thereby finish first smart card second smart card is carried out the authentication result feedback.
This feedback result be consistent according to step 121 to 124 authentication results that obtain.Certainly, the feedback of authentication result is not limited to described step 125 to 127 described methods, first smart card also can directly export authentication result to the terminal that is electrical connected with described first smart card.
Further, present embodiment adopts described session key that data are encrypted at described generation session key, forms before the enciphered data, and this method also can comprise the authenticating step of following second smart card to first smart card:
131, described second smart card generates another random number;
132, described first smart card obtains described another random number that described second smart card generates, and according to the external authentication key in described first smart card described another random number is encrypted, and forms second encrypted random number;
133, described first smart card sends described encrypted random number to described second smart card.
So that described second smart card adopts the external authentication key that is stored in described second smart card that described encrypted random number is authenticated.
134, described second smart card obtains described second encrypted random number, according to the external authentication key in described second smart card described second encrypted random number is authenticated.
Initiate authentication by described second smart card in the present embodiment, the external authentication key that first smart card basis is preset is to encrypting from the random number of second smart card.Further, can encrypt described random number by the distributed key of described external authentication key.Random number after encrypting is back to second smart card, and the external authentication key of outside authenticate key symmetry is decrypted the encrypted random number that returns in the employing of second smart card and first smart card, finishes authentication.
Further, present embodiment can also lock second smart card that sends or receive data, and be specially: described second smart card receives locking information, locks described second smart card according to described locking information, and described second smart card can not be operated.
More specifically, data transmission system step that second smart card is locked comprises as follows:
141, the authorisation device of data transmission system is obtained the mandate of described second smart card of locking.
142, described authorisation device generates locking information according to lock instruction.
143, described locking information is sent to described second smart card.
144, described second smart card receives described locking information, carries out lock instruction.
When described second smart card is lost or is stolen, the possibility that exists described second smart card illegally to be utilized, so the authorisation device by data transmission system sends lock instruction, according to lock instruction described second smart card is locked, and described second smart card can not be operated.
The embodiment of the invention provides data security to send and the method that receives, be the fail safe that further guarantees data transmission channel simultaneously, present embodiment adopts user cipher to verify to the legitimacy of second smart card, first smart card and second smart card are verified mutually, and before transmission, first smart card and second smart card are carried out the operations such as dynamic authentication of one-time pad.The embodiment of the invention has guaranteed the fail safe of data in transmission course by multiple guarantee.
Embodiment two
The embodiment of the invention two provides and has realized that the embodiment of the invention one data security sends and the equipment that receives.
Referring to Fig. 6, the equipment 1 that data security sends in the present embodiment, comprise: first smart card 2, be used to generate session key and storage enterprise-level key, adopt described session key that data are encrypted, form enciphered data, and adopt described enterprise-level key that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card 3, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card 3; Wherein, described second smart card 3 is for having the smart card of data-transformation facility.
Wherein, first smart card 2 and second smart card 3 can be in equipment, first smart card 2 can connect PC to be used, second smart card 3 can be installed in the portable terminal, first smart card 2 has transmission and receiving function, it sends data (for example passing through antenna) to second smart card 3, second smart card 3 also has and sends the data (for example passing through antenna) that receive first smart card 2 with receiving function, second smart card 3 receives data, and then the portable terminal that second smart card 3 is installed receives data, is sent to receiving terminal by mobile communications network.
Session key is the symmetric key between transmitting terminal and the receiving terminal, is used for the checking between transmitting terminal and the receiving terminal, and session key can be generated when having data to send by first smart card of transmitting terminal at every turn, and each session key that generates is all inequality.
Described first smart card also comprises the card reader that can be connected in terminal, and described terminal is electrical connected through card reader module and described first smart card, and described terminal is equipped with software module and can sends by this software module trigger data.The memory module of described first smart card is preserved the enterprise-level key, described enterprise-level key is to be used for session key is carried out encrypted secret key, write described first smart card when equipment is provided, in same data safe transmission system, all enterprise-level keys all are consistent.
Further, described second smart card can be the smart card that integrates contact mode of operation and contactless mode of operation, for example, described second smart card can be for placing the two interfaces Subscriber Identity Module in the portable terminal, the Subscriber Identity Module SIM (User Recognition, Subscriber Identity Module) that promptly has contact mode of operation and contactless mode of operation.When double-interface smart card receives data from first smart card, described second smart card works in contactless mode of operation, when double-interface smart card when receiving terminal sends data, described second smart card works in the contact mode of operation, and then the terminal that electrically contacts by described second smart card sends data to receiving terminal.
Corresponding with the equipment that described data security sends, equipment 4 referring to data security reception in Fig. 7 present embodiment, comprise: second smart card 6, be used to obtain the data message that transmitting terminal sends, wherein, described second smart card 6 is for having the smart card of data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption; First smart card 5, be used to store the enterprise-level key, obtain the described data message that described second smart card 6 obtains, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
Need to prove that present embodiment data security transmitting apparatus and data security receiving equipment are only distinguished with the source end and the destination of transfer of data, they have the hardware configuration of symmetry, and it is divided into transmitting apparatus and receiving equipment at different transmission directions.Same first smart card or second smart card can also can be as the EM equipment module of receiving terminal as the EM equipment module of transmitting terminal.
Described first smart card and second smart card of present embodiment transmitting apparatus and receiving equipment have micro treatment module, memory module and communication module respectively; Wherein, described micro treatment module is carried out operations such as data encryption, deciphering, and described memory module store session key and enterprise-level cipher key related data, and other data, described communication module are used for and send and receive data.Described first smart card and described second smart card all have chip operating system in order to cooperate hardware module execution operation.
The embodiment of the invention can be applied to file transfer, file transfer source and transmission destination are respectively first smart card, first smart card is a smart card with large capacity, after the file that will transmit encrypted by first smart card, terminal transmission by second smart card is housed is to the terminal of receiving terminal, and the terminal of described receiving terminal is equipped with second smart card equally.Smart card with large capacity provides the environment of file security storage and encryption, and sets up the passage of file transfer by second smart card.
The data security that the embodiment of the invention provides sends and the equipment that receives, adopt session key that data are encrypted, further, by the enterprise-level key session key is encrypted, and the enterprise-level key is stored in first smart card device, safety by first smart card guarantee enterprise-level key will send to receiving terminal by second smart card through having data-transformation facility through encrypted session key and data, be ensured the safety of data in the process of transmitting by second smart card.Corresponding with the data security transmission, when Data Receiving, ensure the safety of data equally by smart card.By the passage of smart card realization transfer of data, smart card ensures data security, avoids third party's authenticating authority mechanism to the participation in the data safe transmission process, has reduced realization data security complexity for transmitting.
Further, when safety sends or receive data, described first smart card of present embodiment, also be used to generate dynamic password, described dynamic password is write described second smart card, obtain the dynamic password of described second smart card, and determine that described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card are complementary; Wherein, described second smart card also is used to receive the described dynamic password that described first smart card sends.
Described second smart card reads the dynamic password from first smart card, dynamic password can be shown, the terminal that the dynamic password that second smart card is shown inputs to first smart card or is electrical connected with described first smart card, whether compare described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card mates, if be complementary, then data can send and receive data by the transmission channel that described first smart card and described second smart card are formed, if be not complementary, can not transmit data between then described first smart card and described second smart card.Wherein, described dynamic password is an one-time pad.
Further, described second smart card also is used to obtain user cipher, and described second smart card is carried out initial authentication.
The number that when described user cipher is the equipment granting described second smart card is carried out identify label adopts described user cipher to login second smart card, utilizes described second smart card to receive or the transmission data to prevent the disabled user.
Further, described first smart card of present embodiment, also be used to store the internal authentication key and generate random number, send described random number to described second smart card and also receive, described first encrypted random number is authenticated according to described internal authentication key through first encrypted random number of described second smart card to described random number encryption formation; Wherein, described second smart card also is used to store the internal authentication key, obtains the described random number that described first smart card generates, and according to described internal authentication key described random number is encrypted, and forms described first encrypted random number.
Described first smart card is initiated authentication, and the internal authentication key that second smart card basis is preset is to encrypting from the random number of first smart card.Further, can encrypt described random number by the distributed key of described internal authentication key.Random number after encrypting is back to first smart card, and the internal authentication key of internal authentication key symmetry is decrypted the encrypted random number that returns in the employing of first smart card and second smart card, finishes authentication.Further, with the terminal that described first smart card is electrical connected, can feed back authentication result by its software module.
Further, described first smart card of present embodiment also is used to store the external authentication key, obtains another random number that described second smart card generates, and according to described external authentication key described another random number is encrypted, and forms described second encrypted random number; Several second smart cards, also be used to store the external authentication key and generate described another random number, send described another random number to described first smart card and also receive, described second encrypted random number is authenticated according to described external authentication key through second encrypted random number of described first smart card to described another random number encryption formation.
Described second smart card is initiated authentication, and the external authentication key that first smart card basis is preset is to encrypting from the random number of second smart card.Further, can encrypt described random number by the distributed key of described external authentication key.Random number after encrypting is back to second smart card, and the external authentication key of outside authenticate key symmetry is decrypted the encrypted random number that returns in the employing of second smart card and first smart card, finishes authentication.
Further, described second smart card of present embodiment also is used to receive locking information, locks described second smart card according to described locking information, and described second smart card can not be operated.
When described second smart card is lost or is stolen, the possibility that exists described second smart card illegally to be utilized, so the authorisation device by data transmission system sends lock instruction, according to lock instruction described second smart card is locked, and described second smart card can not be operated.
The embodiment of the invention provides data security to send and the equipment that receives, be the fail safe that further guarantees data transmission channel simultaneously, present embodiment adopts user cipher to verify to the legitimacy of second smart card, first smart card and second smart card are verified mutually, and before transmission, first smart card and second smart card are carried out the operations such as dynamic authentication of one-time pad.The embodiment of the invention has guaranteed the fail safe of data in transmission course by multiple guarantee.
Embodiment three
Based on embodiment two, provide a kind of data security system for transmitting 7 referring to Fig. 8 embodiment of the invention, comprising: the transmission channel that constitutes by transmitting terminal 1 and receiving terminal 4; Wherein,
Described transmitting terminal 1 comprises: first smart card 2 of transmitting terminal, be used to generate the enterprise-level key of session key and storage transmitting terminal, adopt described session key that data are encrypted, form enciphered data, and adopt the enterprise-level key of described transmitting terminal that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card 3 of transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card 3; Wherein, second smart card 3 of described transmitting terminal is for having the smart card of data-transformation facility;
Described receiving terminal 4 comprises: second smart card 6 of receiving terminal, be used to obtain the described data message that transmitting terminal sends, and wherein, second smart card 6 of described receiving terminal is for having the smart card of data-transformation facility;
First smart card 5 of receiving terminal, be used to store the enterprise-level key of receiving terminal, obtain the data message of described second smart card 6 of receiving terminal from the transmitting terminal acquisition, adopt the described data message of enterprise-level secret key decryption of described receiving terminal, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
Present embodiment is based on embodiment's two, comprise that described embodiment two described safety send the equipment of data and the equipment that data security receives, present embodiment has the function and the architectural feature of described embodiment two smart cards, and concrete detailed description the in detail seen embodiment two, repeats no more herein.
The environment that embodiment of the invention data security system for transmitting, first smart card of transmitting terminal and receiving terminal and second smart card provide secret key safety storage and data security to encrypt, the composition data secure transmission tunnel.By the passage of smart card realization transfer of data, smart card ensures data security, avoids third party's authenticating authority mechanism to the participation in the data safe transmission process, has reduced realization data security complexity for transmitting
Through the above description of the embodiments, those skilled in the art can be well understood to the present invention and can realize by hardware, also can realize by the mode that software adds necessary general hardware platform.Based on such understanding, technical scheme of the present invention can embody with the form of software product, comprises that some instructions are used so that a computer equipment is carried out the above-mentioned method of each embodiment of the present invention.
It will be appreciated by those skilled in the art that accompanying drawing is the schematic diagram of a preferred embodiment, module in the accompanying drawing or flow process might not be that enforcement the present invention is necessary.
The invention described above embodiment sequence number is not represented the quality of embodiment just to description.
More than disclosed only be several specific embodiment of the present invention, still, the present invention is not limited thereto, any those skilled in the art can think variation all should fall into protection scope of the present invention.
Claims (17)
1. the method that data security sends is characterized in that, comprising:
Generate session key, adopt described session key that data are encrypted, form enciphered data;
Obtain the enterprise-level key in first smart card of transmitting terminal, adopt described enterprise-level key that described session key is encrypted, form encrypted session key;
Described enciphered data and described encrypted session key are write second smart card of described transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card, wherein, described second smart card is the smart card with data-transformation facility.
2. the method that sends according to the described data security of claim 1 is characterized in that, at described generation session key, adopts described session key that data are encrypted, and forms before the enciphered data, and this method comprises:
Generate dynamic password, described dynamic password is write described second smart card;
Obtain the dynamic password of described second smart card;
Determine that described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card are complementary.
3. the method that sends according to the described data security of claim 1 is characterized in that, at described generation session key, adopts described session key that data are encrypted, and forms before the enciphered data, and this method also comprises:
Generate random number;
Send described random number to described second smart card, thereby make described second smart card adopt the internal authentication key that is stored in described second smart card that described random number is encrypted, form encrypted random number;
Receive the described encrypted random number that second smart card sends, described encrypted random number is authenticated according to the internal authentication key in described first smart card.
4. the method that sends according to the described data security of claim 1 is characterized in that, at described generation session key, adopts described session key that data are encrypted, and forms before the enciphered data, and this method also comprises:
Obtain the random number that described second smart card generates, described random number is encrypted, form encrypted random number according to the external authentication key in described first smart card;
Described encrypted random number is sent to described second smart card, so that described second smart card adopts the external authentication key that is stored in described second smart card that described encrypted random number is authenticated.
5. the method that sends according to each described data security in the claim 1 to 4 is characterized in that, at described generation session key, adopts described session key that data are encrypted, and forms before the enciphered data, and this method comprises:
Described second smart card obtains user cipher, and described second smart card is carried out initial authentication.
6. according to the method for the described data security transmission of claim 1, it is characterized in that this method also comprises:
Described second smart card receives locking information, locks described second smart card according to described locking information, and described second smart card can not be operated.
7. the method that sends according to the described data security of claim 1 is characterized in that described second smart card is specially the Subscriber Identity Module with contact mode of operation and contactless mode of operation.
8. the method that data security receives is characterized in that, comprising:
Obtain the data message that obtains from transmitting terminal from second smart card, wherein, described second smart card is the smart card with data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption;
Obtain the enterprise-level key in receiving terminal first smart card, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering;
Adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
9. the equipment that data security sends is characterized in that, the equipment that described data security sends comprises first smart card and second smart card, wherein:
Described first smart card, be used to generate session key and storage enterprise-level key, adopt described session key that data are encrypted, form enciphered data, and adopt described enterprise-level key that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card; Wherein,
Described second smart card is the smart card with data-transformation facility.
10. according to the equipment of the described data security transmission of claim 9, it is characterized in that:
Described first smart card, also be used to generate dynamic password, described dynamic password is write described second smart card, obtain the dynamic password of described second smart card, and determine that described first smart card dynamic password that generates and the dynamic password that obtains from described second smart card are complementary; Wherein,
Described second smart card also is used to receive the described dynamic password that described first smart card sends.
11. the equipment according to the data security of claim 9 sends is characterized in that:
Described first smart card, also be used to store the internal authentication key and generate random number, send described random number to described second smart card and also receive, described encrypted random number is authenticated according to described internal authentication key through the encrypted random number of described second smart card to described random number encryption formation; Wherein,
Described second smart card also is used to store the internal authentication key, obtains the described random number that described first smart card generates, and according to described internal authentication key described random number is encrypted, and forms described encrypted random number.
12. the equipment according to the data security of claim 9 sends is characterized in that:
Described first smart card also is used to store the external authentication key, obtains the random number that described second smart card generates, and according to described external authentication key described random number is encrypted, and forms encrypted random number;
Described second smart card, also be used to store the external authentication key and generate described random number, send described random number to described first smart card and also receive, described encrypted random number is authenticated according to described external authentication key through the described encrypted random number of described first smart card to described random number encryption formation.
13. the equipment according to each described data security in the claim 9 to 12 sends is characterized in that: described second smart card, also be used to obtain user cipher, described second smart card is carried out initial authentication.
14. the equipment according to the described data security of claim 9 sends is characterized in that:
Described second smart card also is used to receive locking information, locks described second smart card according to described locking information, and described second smart card can not be operated.
15. according to the equipment that the described data security of claim 9 sends, it is characterized in that: described second smart card is specially the Subscriber Identity Module with contact mode of operation and contactless mode of operation.
16. the equipment that data security receives is characterized in that, comprising:
Second smart card is used to obtain the data message that transmitting terminal sends, and wherein, described second smart card is the smart card with data-transformation facility, and described data message comprises through the data of transmitting terminal session key with through the session key of enterprise-level secret key encryption;
First smart card, be used to store the enterprise-level key, obtain the described data message that described second smart card obtains, adopt the described data message of described enterprise-level secret key decryption, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
17. a data security system for transmitting is characterized in that, comprising: the transmission channel that constitutes by transmitting terminal and receiving terminal; Wherein,
Described transmitting terminal comprises: first smart card of transmitting terminal, be used to generate the enterprise-level key of session key and storage transmitting terminal, adopt described session key that data are encrypted, form enciphered data, and adopt the enterprise-level key of described transmitting terminal that described session key is encrypted, form encrypted session key, described enciphered data and described encrypted session key are write second smart card of transmitting terminal, send the data message that comprises described enciphered data and described encrypted session key to receiving terminal through described second smart card; Wherein,
Second smart card of described transmitting terminal is the smart card with data-transformation facility;
Described receiving terminal comprises: second smart card of receiving terminal, be used to obtain the described data message that transmitting terminal sends, and wherein, second smart card of described receiving terminal is the smart card with data-transformation facility;
First smart card of receiving terminal, be used to store the enterprise-level key of receiving terminal, obtain the described data message of described second smart card of receiving terminal from the transmitting terminal acquisition, adopt the described data message of enterprise-level secret key decryption of described receiving terminal, obtain session key through deciphering, adopt the described described data of session key deciphering, obtain data through the transmitting terminal session key through deciphering.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010524057.3A CN101964805B (en) | 2010-10-28 | 2010-10-28 | Method, equipment and system for safely sending and receiving data |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010524057.3A CN101964805B (en) | 2010-10-28 | 2010-10-28 | Method, equipment and system for safely sending and receiving data |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101964805A CN101964805A (en) | 2011-02-02 |
| CN101964805B true CN101964805B (en) | 2013-07-31 |
Family
ID=43517537
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010524057.3A Expired - Fee Related CN101964805B (en) | 2010-10-28 | 2010-10-28 | Method, equipment and system for safely sending and receiving data |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101964805B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102655643A (en) * | 2011-03-04 | 2012-09-05 | 希姆通信息技术(上海)有限公司 | Wireless data encryption method and wireless data decryption method |
| CN104283680A (en) * | 2013-07-05 | 2015-01-14 | 腾讯科技(深圳)有限公司 | Data transmission method, client side, server and system |
| CN105208028B (en) * | 2015-09-30 | 2019-03-15 | 北京金山安全软件有限公司 | Data transmission method and related device and equipment |
| CN107306261B (en) * | 2016-04-22 | 2021-09-07 | 中兴通讯股份有限公司 | Encryption communication method, device and system |
| CN109101803B (en) * | 2018-07-25 | 2023-06-23 | 腾讯科技(深圳)有限公司 | Biometric identification apparatus and method |
| CN109410394A (en) * | 2018-10-11 | 2019-03-01 | 深圳市捷恩斯威科技有限公司 | A kind of method for sending information and information transmitting system of intelligent door lock |
| CN111107038B (en) * | 2018-10-25 | 2022-07-29 | 山东量子科学技术研究院有限公司 | Encryption method, decryption method and device |
| CN111181894B (en) * | 2018-11-09 | 2023-06-06 | 北京天德科技有限公司 | Network communication method for enabling block chain nodes to efficiently communicate and safely |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101499142A (en) * | 2008-12-29 | 2009-08-05 | 北京握奇数据系统有限公司 | Double-interface smart card and method for processing application instruction |
| CN101521670A (en) * | 2009-03-30 | 2009-09-02 | 北京握奇数据系统有限公司 | Method and system for acquiring application data |
| CN101667240A (en) * | 2009-08-20 | 2010-03-10 | 北京握奇数据系统有限公司 | Intelligent card and card writing method, equipment and system thereof |
| CN101765105A (en) * | 2009-12-17 | 2010-06-30 | 北京握奇数据系统有限公司 | Method for realizing communication encryption as well as system and mobile terminal therefor |
-
2010
- 2010-10-28 CN CN201010524057.3A patent/CN101964805B/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101499142A (en) * | 2008-12-29 | 2009-08-05 | 北京握奇数据系统有限公司 | Double-interface smart card and method for processing application instruction |
| CN101521670A (en) * | 2009-03-30 | 2009-09-02 | 北京握奇数据系统有限公司 | Method and system for acquiring application data |
| CN101667240A (en) * | 2009-08-20 | 2010-03-10 | 北京握奇数据系统有限公司 | Intelligent card and card writing method, equipment and system thereof |
| CN101765105A (en) * | 2009-12-17 | 2010-06-30 | 北京握奇数据系统有限公司 | Method for realizing communication encryption as well as system and mobile terminal therefor |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101964805A (en) | 2011-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102519990B1 (en) | Apparatus and method for authenticating | |
| CN101964805B (en) | Method, equipment and system for safely sending and receiving data | |
| CN103152366B (en) | Obtain the method for terminal authorization, terminal and server | |
| EP2424185B1 (en) | Method and device for challenge-response authentication | |
| US8402272B2 (en) | Master unit and slave unit | |
| CN107358441B (en) | Payment verification method and system, mobile device and security authentication device | |
| CN102572817B (en) | Method and intelligent memory card for realizing mobile communication confidentiality | |
| CN103532713B (en) | Sensor authentication and shared key production method and system and sensor | |
| CN101483654A (en) | Method and system for implementing authentication and data safe transmission | |
| EP1277299A1 (en) | Method for securing communications between a terminal and an additional user equipment | |
| US20150128243A1 (en) | Method of authenticating a device and encrypting data transmitted between the device and a server | |
| CN101409621B (en) | Multipart identification authentication method and system base on equipment | |
| US8230218B2 (en) | Mobile station authentication in tetra networks | |
| CN101789068B (en) | Card reader safety certification device and method | |
| CN103905388A (en) | Authentication method, authentication device, smart card, and server | |
| US20020018570A1 (en) | System and method for secure comparison of a common secret of communicating devices | |
| CN101895881A (en) | Method for realizing GBA secret key and pluggable equipment of terminal | |
| CN110519238B (en) | Internet of things security system and communication method based on cryptographic technology | |
| CN107888376B (en) | NFC authentication system based on quantum communication network | |
| CN107786978B (en) | NFC authentication system based on quantum encryption | |
| CN105554759A (en) | Authentication method and authentication system | |
| CN111263360A (en) | Wireless encryption device and method for protecting variable mechanical authentication password by adopting public key | |
| CN114244509A (en) | Method for carrying out SM2 one-time pad bidirectional authentication unlocking by using mobile terminal | |
| KR20040088137A (en) | Method for generating encoded transmission key and Mutual authentication method using the same | |
| CN111510294A (en) | Method for improving office system security by using secret key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden Patentee after: BEIJING WATCHDATA Co.,Ltd. Address before: 100015 Beijing city Chaoyang District Dongzhimen West eight Street No. 2 room Wanhong Yan Dong Business Garden Patentee before: BEIJING WATCH DATA SYSTEM Co.,Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20130731 Termination date: 20211028 |