CN103457724A - Method and system for point-to-point data safe transmission - Google Patents

Publication number: CN103457724A
Authority: CN (China)
Prior art keywords: target terminal, security layer, terminal, security, initiating terminal
Legal status: Granted (active)
Application number: CN2012101814120A
Other languages: Chinese (zh)
Other versions: CN103457724B (en)
Inventors: 郭帅, 钟冬, 伍燕, 孔劼, 蔡燕燕, 张博
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201210181412.0A
Publication of CN103457724A
Application granted; publication of CN103457724B

Landscapes: Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method and system for secure point-to-point data transmission. A security layer is arranged in the NFC application layer as a sublayer of the application layer; the security layer is responsible for establishing a secure connection between peer communication nodes and for carrying out encrypted data transmission and correctness verification. The method comprises the following steps: a random key is generated after the secure connection between the initiating terminal and the target terminal is established; the security layer of the initiating terminal obtains the public key of the target terminal's application program from a public key server; the security layer of the initiating terminal encrypts the random key with the public key of the target terminal's application program to obtain a ciphertext; the security layer of the initiating terminal sends the ciphertext to the security layer of the target terminal; the security layer of the target terminal decrypts the ciphertext with the private key of the application program to obtain the random key; the security layer of the target terminal sends a key-received confirmation message to the security layer of the initiating terminal; and, after confirming that the security layer of the target terminal has received the key, the security layer of the initiating terminal sends a start-connection confirmation message to the initiating terminal. The method is a more secure NFC point-to-point communication method and can remove the potential security risks of the existing network.

Description

Method and system for secure point-to-point data transmission
Technical field
The present invention relates to the technical field of near-field communication (Near Field Communication, NFC), and in particular to a method and system for secure point-to-point data transmission in NFC devices.
Background
NFC technology was developed by merging contactless radio-frequency identification (Radio Frequency Identification, RFID) technology with point-to-point communication technology. It operates in the 13.56MHz band over a distance of 0 to 20cm, transfers data at 106kbit/s, 212kbit/s or 424kbit/s, and can switch automatically between these transmission rates. NFC conforms to the ISO18092, ISO21481, ECMA (340, 352 and 356) and ETSI TS 102 standards, and is also compatible with contactless smart card infrastructure based on ISO14441A.
NFC defines three usage modes: card emulation mode (Card Emulation Mode), point-to-point communication mode (Peer-to-Peer Communication) and reader/writer mode (Reader/Write Mode). The point-to-point communication mode is used to exchange data between NFC terminals: several NFC-capable devices are linked together and transfer data point to point over the link-layer communication protocol NFC-IP, for example to download music, exchange pictures or synchronize address books. Through the NFC point-to-point communication mode, devices such as computers, palmtop computers (Personal Digital Assistant, PDA), digital cameras and mobile phones can therefore transmit and exchange data wirelessly. The protocol structure of NFC point-to-point communication is shown in Fig. 1.
Because the NFC point-to-point communication mode carries communication between NFC devices over a wireless link, it is exposed to network security risks such as eavesdropping and spoofing. A secure data transmission method is therefore needed for NFC point-to-point communication. The method should prevent an attacker from obtaining the transmitted content by eavesdropping, should prevent an attacker from spoofing the data transmission process, and, when the communication channel is disturbed or errors occur, should recover the erroneous data with as little overhead as possible.
Summary of the invention
To solve the above problems, the invention provides a method and system for secure point-to-point data transmission in NFC devices, which provides a more secure NFC point-to-point communication method and substantially resolves the network security risks described above.
In the method of the present invention for secure point-to-point data transmission, a security layer is arranged in the application layer of near-field communication (NFC) as a sublayer of the application layer; it is responsible for establishing a secure connection between peer communication nodes and for carrying out encrypted data transmission and correctness verification. The method comprises:
After establishing a secure connection with the target terminal, the initiating terminal generates a random key RandomKey;
The security layer 312 of the initiating terminal obtains the public key Public_Key_314 of application program 314 of the target terminal from the public key server; specifically, the security layer 312 of the initiating terminal obtains Public_Key_314 from the public key server according to the identifier Application_ID_314 of application program 314 of the target terminal;
The security layer 312 of the initiating terminal encrypts the random key RandomKey with the public key Public_Key_314 of the target terminal's application program, obtaining ciphertext CText;
The security layer 312 of the initiating terminal sends ciphertext CText to the security layer of the target terminal;
The security layer 313 of the target terminal decrypts ciphertext CText with the private key Private_Key_314 of application program 314, obtaining the random key RandomKey;
The security layer 313 of the target terminal sends a "key received confirmation" message to the security layer 312 of the initiating terminal;
After confirming that the security layer 313 of the target terminal has received the key, the security layer 312 of the initiating terminal sends a "start connection confirmation" message to application program 311 running on the initiating terminal.
Before application-layer secure data transmission is carried out, the initiating terminal and the target terminal participating in the transmission must each first register their own public key on the public key server.
The initiating terminal establishes the secure connection with the target terminal through the following steps:
The security layer 312 of the initiating terminal sends a "set up secure connection request" message to the security layer 313 of the target terminal. The message contains the identifier Application_ID_311 of application program 311 of the initiating terminal and Set_App_Sec, where Set_App_Sec indicates that initiating terminal 301 requests the establishment of an application-layer secure data connection;
The security layer 313 of the target terminal sends a "start connection request" message to application program 314 of the target terminal. The message contains the identifier Application_ID_311 of application program 311 of the initiating terminal;
Application program 314 of the target terminal sends a "start connection confirmation" message to the security layer 313 of the target terminal. The message contains the identifier Application_ID_314 of application program 314;
The security layer 313 of the target terminal sends a "set up secure connection confirmation" message to the security layer 312 of the initiating terminal. The message contains the identifier Application_ID_314 of application program 314 and Set_App_Sec_Response, where Set_App_Sec_Response indicates that the target terminal confirms the establishment of the application-layer secure data connection.
Further, before the security layer 312 of the initiating terminal sends the "set up secure connection request" message to the security layer 313 of the target terminal, application program 311 running on the initiating terminal sends a "start connection request" message to the security layer 312 on the initiating terminal; this message contains the identifier Application_ID_311 of application program 311 of the initiating terminal.
Further, once the initiating terminal and the target terminal have established the secure connection, secure data transmission comprises the following steps:
The application program running on the initiating terminal sends the file data to be transmitted to the security layer of the initiating terminal;
The security layer of the initiating terminal divides the file data F into several blocks B_i of equal size, then uses a one-way hash algorithm to compute the hash value H_i of each block for correctness verification;
The security layer of the initiating terminal encrypts block B_i and hash value H_i with the random key RandomKey, obtaining ciphertext C(B_i, H_i);
The security layer of the initiating terminal sends ciphertext C(B_i, H_i) to the security layer of the target terminal;
The security layer of the target terminal decrypts ciphertext C(B_i, H_i) with the random key RandomKey, obtaining block B_i and hash value H_i;
The security layer of the target terminal uses the one-way hash algorithm to compute a hash value H_i' for each block B_i obtained and compares it with the received hash value H_i. If they are identical, block B_i was transmitted correctly; otherwise an error occurred during data transmission. If there is no transmission error, the security layer of the target terminal, after confirming that every block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to the application program running on the target terminal, which completes the secure data transmission between the initiating terminal and the target terminal.
Further, when a data transmission error occurs, error-data handling is required, specifically:
If a block B_i obtained by the security layer of the target terminal fails correctness verification, the block B_i is discarded;
The security layer of the target terminal sends an "erroneous data retransmission" request to the security layer of the initiating terminal; the message contains the index number BlockIndex of the discarded block;
The security layer of the initiating terminal, according to the content of BlockIndex, resends ciphertext C(B_BlockIndex, H_BlockIndex) to the security layer of the target terminal.
The system of the present invention for secure point-to-point data transmission in NFC devices comprises an initiating terminal, a target terminal and a public key server. The initiating terminal is configured to generate a random key RandomKey after establishing a secure connection with the target terminal; the security layer 312 of the initiating terminal obtains the public key Public_Key_314 of application program 314 of the target terminal from the public key server and encrypts the random key RandomKey with Public_Key_314, obtaining ciphertext CText; the security layer 312 of the initiating terminal sends ciphertext CText to the security layer of the target terminal and, after confirming that the security layer 313 of the target terminal has received the key, sends a "start connection confirmation" message to application program 311 running on the initiating terminal. The security layer 312 of the initiating terminal obtains Public_Key_314 from the public key server according to the identifier Application_ID_314 of application program 314 of the target terminal. The target terminal is configured to decrypt ciphertext CText, through its security layer 313, with the private key Private_Key_314 of application program 314 of the target terminal, obtaining the random key RandomKey, and to send a "key received confirmation" message to the security layer 312 of the initiating terminal.
The initiating terminal is further configured to send, through its security layer 312, a "set up secure connection request" message to the security layer 313 of the target terminal. The message contains the identifier Application_ID_311 of application program 311 of the initiating terminal and Set_App_Sec, where Set_App_Sec indicates that initiating terminal 301 requests the establishment of an application-layer secure data connection;
The target terminal is further configured to send, through its security layer 313, a "start connection request" message to application program 314 of the target terminal, the message containing the identifier Application_ID_311 of application program 311 of the initiating terminal; to send, through its application program 314, a "start connection confirmation" message to its security layer 313, the message containing the identifier Application_ID_314 of application program 314; and to send, through its security layer 313, a "set up secure connection confirmation" message to the security layer 312 of the initiating terminal, the message containing the identifier Application_ID_314 of application program 314 and Set_App_Sec_Response, where Set_App_Sec_Response indicates that the target terminal confirms the establishment of the application-layer secure data connection.
Further, once the initiating terminal and the target terminal have established the secure connection and secure data transmission is carried out, the initiating terminal is further configured so that the application program running on it sends the file data to be transmitted to the security layer of the initiating terminal; the security layer of the initiating terminal divides the file data F into several blocks B_i of equal size, then uses a one-way hash algorithm to compute the hash value H_i of each block for correctness verification; the security layer of the initiating terminal encrypts block B_i and hash value H_i with the random key RandomKey, obtaining ciphertext C(B_i, H_i), and sends ciphertext C(B_i, H_i) to the security layer of the target terminal. The target terminal is further configured so that its security layer decrypts ciphertext C(B_i, H_i) with the random key RandomKey, obtaining block B_i and hash value H_i; the security layer of the target terminal uses the one-way hash algorithm to compute a hash value H_i' for each block B_i obtained and compares it with the received hash value H_i. If they are identical, block B_i was transmitted correctly; otherwise an error occurred during data transmission. If there is no transmission error, the security layer of the target terminal, after confirming that every block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to the application program running on the target terminal, which completes the secure data transmission between the initiating terminal and the target terminal.
In addition, when a data transmission error occurs and error-data handling is required, the target terminal is further configured to discard a block B_i obtained by its security layer if that block fails correctness verification, and to send an "erroneous data retransmission" request to the security layer of the initiating terminal, the message containing the index number BlockIndex of the discarded block; the initiating terminal is further configured so that its security layer, according to the content of BlockIndex, resends ciphertext C(B_BlockIndex, H_BlockIndex) to the security layer of the target terminal.
The beneficial effects of the invention are as follows. In the method and system for secure point-to-point data transmission in NFC devices according to the present invention, application-layer secure data transmission is started by exchanging a security request and a security response between the initiating terminal and the target terminal, and the transmitted data and its check information are encrypted at the application layer of the initiating terminal and the target terminal. This provides a more secure NFC point-to-point communication method and substantially resolves the security risks of the existing network. In addition, the data is divided into blocks for transmission and each block is verified for correctness; when a transmission error occurs, the erroneous data is recovered block by block, which further improves the accuracy of transmission. Finally, application-layer secure data transmission can be ended flexibly by exchanging a stop-security request and a stop-security response between the initiating terminal and the target terminal.
Brief description of the drawings
Fig. 1 shows the NFC point-to-point protocol structure of the existing standard;
Fig. 2 shows the NFC point-to-point protocol structure of an embodiment of the present invention;
Fig. 3 is a signal flow diagram of establishing a secure connection at the application layer of NFC peer-to-peer communication according to an embodiment of the present invention;
Fig. 4 is a signal flow diagram of secure data transmission at the application layer of NFC peer-to-peer communication according to an embodiment of the present invention;
Fig. 5 is a signal flow diagram of error-data handling after a data transmission error according to an embodiment of the present invention;
Fig. 6 is a signal flow diagram of releasing the secure connection after data transmission ends according to an embodiment of the present invention.
Embodiments
The method and system of the present invention for secure point-to-point data transmission in NFC devices are described in detail below with reference to Figs. 2 to 6.
Fig. 2 shows the NFC point-to-point protocol structure according to an embodiment of the present invention. As shown in Fig. 2, RF layer 200 is the lowest layer and conforms to the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 18092 and 14443 Type A and Type B standards and to the contactless smart card technology (Felica) protocol stack standard. RF layer 200 corresponds to the physical layer of the ISO/OSI reference model and is responsible for modulation/demodulation and wireless transmission of data. The protocol of NFC link layer 210 is called the NFC-IP protocol layer; it defines the coding, the transmission rates, the frame format and the initialization scheme of the RF layer interface, and the data collision control required during initialization. The NFC-IP protocol also defines the transport-layer protocol, including protocol activation and the data exchange method. Application layer 220 provides services to general programs to ensure communication. Security layer 230 is a sublayer of application layer 220; it is responsible for establishing a secure connection between peer communication nodes and for carrying out encrypted data transmission and correctness verification.
Method embodiment
Fig. 3 describes the process by which security layer 230 establishes a secure connection. As shown in Fig. 3, establishing a secure connection between nodes in the present invention involves three entities: the initiating terminal 301 of the peer-to-peer communication, the target terminal 302 of the peer-to-peer communication, and public key server 303. Initiating terminal 301 initiates the NFC peer-to-peer communication, target terminal 302 is the recipient of the peer-to-peer communication, and public key server 303 is a trusted server provided by the application publisher that stores the public key information of the users of the application. Application program 311 and security layer 312 are located in the application layer of initiating terminal 301; security layer 313 and application program 314 are located in the application layer of target terminal 302.
Step 320: before application-layer secure data transmission is carried out for a particular application, the initiating terminal 301 participating in the transmission must first register its own public key on public key server 303. The registration is performed by application program 311 of initiating terminal 301. The public key may be registered once, when the terminal carries out application-layer secure data transmission for the first time, and used from then on; alternatively, a different public key may be registered periodically to improve the security of the public key. Public key server 303 is provided by a trusted third party, generally the publisher of the application program.
Step 321: target terminal 302 must likewise register its own public key on public key server 303. The registration is performed by application program 314 of target terminal 302 and is identical to step 320, so it is not described in detail here.
Step 322: application program 311 running on initiating terminal 301 sends a "start connection request" message to security layer 312; the message contains the identifier Application_ID_311 of application program 311.
Step 323: security layer 312 on initiating terminal 301 sends a "set up secure connection request" message to security layer 313 of target terminal 302; the message contains Application_ID_311 and Set_App_Sec, where Set_App_Sec indicates that initiating terminal 301 requests the establishment of an application-layer secure data connection.
Step 324: security layer 313 of target terminal 302 sends a "start connection request" message to application program 314 of target terminal 302; the message contains Application_ID_311.
Step 325: application program 314 of target terminal 302 sends a "start connection confirmation" message to security layer 313 of target terminal 302; the message contains the identifier Application_ID_314 of application program 314.
Step 326: security layer 313 of target terminal 302 sends a "set up secure connection confirmation" message to security layer 312 on initiating terminal 301; the message contains Application_ID_314 and Set_App_Sec_Response, where Set_App_Sec_Response indicates that the target terminal confirms the establishment of the application-layer secure data connection.
Step 327: after receiving the "set up secure connection confirmation" message, security layer 312 of initiating terminal 301 generates a random key RandomKey. The key length depends on the symmetric encryption algorithm used in the subsequent encryption.
Step 328: security layer 312 of initiating terminal 301 obtains the public key Public_Key_314 of application program 314 from public key server 303 according to Application_ID_314.
Step 329: security layer 312 of initiating terminal 301 encrypts RandomKey with Public_Key_314, obtaining ciphertext CText.
Step 330: security layer 312 on initiating terminal 301 sends CText to security layer 313 of target terminal 302.
Step 331: security layer 313 of target terminal 302 decrypts ciphertext CText with the private key Private_Key_314 of application program 314, obtaining the random key RandomKey.
Step 332: security layer 313 of target terminal 302 sends a "key received confirmation" message to security layer 312 of initiating terminal 301.
Step 333: after confirming that security layer 313 of target terminal 302 has received the key, security layer 312 of initiating terminal 301 sends a "start connection confirmation" message to application program 311 running on initiating terminal 301; the message contains Application_ID_314. At this point the secure connection between initiating terminal 301 and target terminal 302 is established and data transmission can begin.
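The exchange of steps 320 to 333, as an added example that is not part of the patent text. The description names no public-key algorithm, so textbook RSA over two fixed Mersenne primes is used here purely as an insecure stand-in that runs with the standard library; the class names, message dictionaries and KEY_LEN are hypothetical.

```python
import secrets

# Constructed demo key pair: textbook RSA over two fixed Mersenne primes.
# This is NOT secure (no padding, well-known primes); it only stands in for
# the public-key algorithm, which the description does not specify.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
KEY_LEN = 16   # RandomKey length in bytes; assumed, depends on the cipher


class PublicKeyServer:
    """Trusted directory: Application_ID -> public key (steps 320, 321, 328)."""

    def __init__(self):
        self._keys = {}

    def register(self, app_id, public_key):
        self._keys[app_id] = public_key

    def lookup(self, app_id):
        if app_id not in self._keys:
            raise LookupError(f"no public key registered for {app_id}")
        return self._keys[app_id]


class TargetSecurityLayer:
    """Security layer 313 together with application 314's private key."""

    def __init__(self, app_id, private_key):
        self.app_id = app_id
        self._n, self._d = private_key
        self.peer_app_id = None
        self.random_key = None

    def on_setup_request(self, msg):
        # Steps 323-326: accept the request and answer with our Application_ID.
        if msg.get("flag") != "Set_App_Sec":
            raise ValueError("not a secure-connection request")
        self.peer_app_id = msg["app_id"]
        return {"app_id": self.app_id, "flag": "Set_App_Sec_Response"}

    def on_ctext(self, ctext):
        # Steps 331-332: recover RandomKey with the private key, then confirm.
        if self.peer_app_id is None:
            raise RuntimeError("CText received before connection set-up")
        self.random_key = pow(ctext, self._d, self._n).to_bytes(KEY_LEN, "big")
        return {"type": "key_received_confirmation"}


class InitiatorSecurityLayer:
    """Security layer 312, acting for application 311."""

    def __init__(self, app_id, key_server):
        self.app_id = app_id
        self.key_server = key_server
        self.random_key = None

    def connect(self, target):
        # Step 323: secure-connection request carrying Application_ID_311.
        confirm = target.on_setup_request(
            {"app_id": self.app_id, "flag": "Set_App_Sec"})
        if confirm.get("flag") != "Set_App_Sec_Response":
            raise ConnectionError("target did not confirm the connection")
        # Step 327: RandomKey is generated only after the confirmation.
        random_key = secrets.token_bytes(KEY_LEN)
        # Step 328: the lookup uses the Application_ID from the confirmation,
        # so the binding of ID to key rests entirely on the key server.
        n, e = self.key_server.lookup(confirm["app_id"])
        # Steps 329-330: CText = Enc(Public_Key_314, RandomKey), then send it.
        ctext = pow(int.from_bytes(random_key, "big"), e, n)
        ack = target.on_ctext(ctext)
        if ack.get("type") != "key_received_confirmation":
            raise ConnectionError("target did not acknowledge the key")
        self.random_key = random_key
        # Step 333: confirmation handed up to application 311.
        return {"type": "start_connection_confirmation",
                "app_id": confirm["app_id"]}


def run_handshake():
    """Register the target's key, run the exchange, return both layers."""
    server = PublicKeyServer()
    server.register("Application_ID_314", (N, E))
    target = TargetSecurityLayer("Application_ID_314", (N, D))
    initiator = InitiatorSecurityLayer("Application_ID_311", server)
    return initiator, target, initiator.connect(target)


if __name__ == "__main__":
    i, t, r = run_handshake()
    print(r["type"], i.random_key == t.random_key)
```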
Fig. 4 describes the process by which initiating terminal 401 and target terminal 402 carry out encrypted data transmission and correctness verification.
Step 421: application program 411 running on initiating terminal 401 sends the file data to be transmitted to security layer 412 of initiating terminal 401.
Step 422: security layer 412 of initiating terminal 401 divides the file data F into several blocks B_i of equal size, 64KB by default (the block at the end of the file data may be smaller than 64KB); the size may also be changed according to the file size. A one-way hash algorithm is then used to compute the hash value H_i of each block for correctness verification. The one-way hash algorithm can be chosen as required, for example Message-Digest Algorithm 5 (MD5) or the Secure Hash Algorithm (SHA).
Step 423: security layer 412 of initiating terminal 401 encrypts block B_i and hash value H_i with the random key RandomKey, obtaining ciphertext C(B_i, H_i).
Step 424: security layer 412 of initiating terminal 401 sends ciphertext C(B_i, H_i) to security layer 413 of target terminal 402.
Step 425: security layer 413 of target terminal 402 decrypts ciphertext C(B_i, H_i) with the random key RandomKey, obtaining block B_i and hash value H_i.
Step 426: security layer 413 of target terminal 402 uses the one-way hash algorithm to compute a hash value H_i' for each block B_i obtained and compares it with the received hash value H_i. If they are identical, block B_i was transmitted correctly; otherwise an error occurred during data transmission.
Step 427: if a data transmission error occurs in step 426, error-data handling is carried out; the concrete steps are shown in Fig. 5.
Step 428: if there is no data transmission error in step 426, security layer 413 of target terminal 402, after confirming that every block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to application program 414 running on target terminal 402. At this point the secure data transmission between initiating terminal 401 and target terminal 402 is complete.
Fig. 5 describes the error-data handling carried out after a data transmission error.
Step 521: if a block B_i obtained by security layer 512 of target terminal 502 fails correctness verification, the block B_i is discarded.
Step 522: security layer 512 of target terminal 502 sends an "erroneous data retransmission" request to security layer 511 of initiating terminal 501; the message contains the index number BlockIndex of the discarded block.
Step 523: security layer 511 of initiating terminal 501, according to the content of BlockIndex, resends ciphertext C(B_BlockIndex, H_BlockIndex) to security layer 512 of target terminal 502.
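The block transfer of steps 421 to 428 together with the retransmission of steps 521 to 523, as an added example that is not part of the patent text. It assumes SHA-256 as the one-way hash and uses a SHA-256 counter keystream as a stand-in for the symmetric cipher, which the description does not name; InitiatorLayer, TargetLayer, transfer and flaky_channel are hypothetical names, and the channel function models a link that corrupts one block.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024   # default block size given in step 422
HASH_LEN = 32            # SHA-256 digest size in bytes


def keystream_xor(key, index, data):
    """Stand-in symmetric cipher (assumption: the text names none).
    XORs data with a SHA-256 counter keystream bound to the block index;
    the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), HASH_LEN):
        pad = hashlib.sha256(
            key + index.to_bytes(4, "big") + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + HASH_LEN], pad))
    return bytes(out)


class InitiatorLayer:
    """Sending security layer: splits F and produces C(B_i, H_i)."""

    def __init__(self, random_key, file_data, block_size=BLOCK_SIZE):
        self.key = random_key
        # Step 422: equal-size blocks; only the last one may be shorter.
        self.blocks = [file_data[i:i + block_size]
                       for i in range(0, len(file_data), block_size)]

    def ciphertext(self, index):
        # Steps 422-423 (and 523 on retransmission): encrypt B_i with H_i.
        block = self.blocks[index]
        digest = hashlib.sha256(block).digest()
        return keystream_xor(self.key, index, block + digest)


class TargetLayer:
    """Receiving security layer: verifies each block before accepting it."""

    def __init__(self, random_key, block_count):
        self.key = random_key
        self.blocks = [None] * block_count

    def receive(self, index, ctext):
        # Step 425: decrypt to recover B_i and the transmitted H_i.
        plain = keystream_xor(self.key, index, ctext)
        block, sent_hash = plain[:-HASH_LEN], plain[-HASH_LEN:]
        # Step 426: recompute H_i' and compare; step 521: discard on mismatch.
        if not hmac.compare_digest(hashlib.sha256(block).digest(), sent_hash):
            return False
        self.blocks[index] = block
        return True

    def reassemble(self):
        # Step 428: rebuild F only once every block has been accepted.
        if any(block is None for block in self.blocks):
            raise ValueError("missing blocks, cannot reassemble")
        return b"".join(self.blocks)


def transfer(file_data, random_key, channel,
             block_size=BLOCK_SIZE, max_retries=3):
    """Send file_data over channel(index, attempt, ctext) -> bytes, which
    models the NFC link. Returns (received file, retransmitted BlockIndex)."""
    sender = InitiatorLayer(random_key, file_data, block_size)
    target = TargetLayer(random_key, len(sender.blocks))
    retransmitted = []
    for index in range(len(sender.blocks)):
        for attempt in range(max_retries + 1):
            delivered = channel(index, attempt, sender.ciphertext(index))
            if target.receive(index, delivered):
                break
            # Step 522: retransmission request carrying BlockIndex.
            retransmitted.append(index)
        else:
            raise IOError(f"block {index} failed after {max_retries} retries")
    return target.reassemble(), retransmitted


def flaky_channel(index, attempt, ctext):
    """Constructed channel: damages block 1 on its first transmission only."""
    if index == 1 and attempt == 0:
        damaged = bytearray(ctext)
        damaged[10] ^= 0x01   # single bit flipped in transit
        return bytes(damaged)
    return ctext


if __name__ == "__main__":
    data = bytes(range(256)) * 10        # constructed 2560-byte "file"
    key = bytes(range(16))               # constructed RandomKey
    received, resent = transfer(data, key, flaky_channel, block_size=1024)
    print(received == data, resent)
```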
Fig. 6 describes the process of releasing the secure connection after data transmission ends.
Step 621: security layer 612 of initiating terminal 601 sends a "stop secure connection request" message to security layer 613 of target terminal 602; the message contains the identifier Application_ID_611 of application program 611.
Step 622: security layer 613 of target terminal 602 sends a "stop secure connection confirmation" message to security layer 612 of initiating terminal 601; the message contains the identifier Application_ID_611 of application program 614. At this point the request to release the secure connection is confirmed and the application-layer secure connection is closed.
System embodiment:
System of carrying out the Point-to-Point Data safe transmission in NFC equipment of the present invention, comprise initiating terminal, target terminal and public key server, and wherein, initiating terminal, for after being connected with target terminal foundation is safe, generate a random key RandomKey; The safe floor 312 of initiating terminal obtains the PKI Public_Key_314 of target terminal applications program 314 from public key server, and uses described PKI Public_Key_314 encrypted random keys RandomKey, obtains ciphertext CText; Safe floor 312 by initiating terminal is sent to described ciphertext CText the safe floor of target terminal; And, after having received key for the safe floor 313 confirming target terminal, to the application program 311 of moving on initiating terminal, send " start to connect and confirm " message; Wherein, the safe floor 312 of initiating terminal, according to the identifier Application_ID_314 of the application program 314 of target terminal, obtains the PKI Public_Key_314 of target terminal applications program 314 from public key server;
Target terminal, the private key Private_Key_314 decrypting ciphertext CText for the safe floor 313 use target terminal applications programs 314 by target terminal, obtain random key RandomKey; And send " receiving key confirmation " message to the safe floor 312 of initiating terminal.
In addition, initiating terminal, be further used for being sent to by its safe floor 312 message of will " setting up safe connection request " safe floor 313 of target terminal, the identifier Application_ID_311 and the Set_App_Sec that comprise the application program 311 of initiating terminal in this message, wherein Set_App_Sec means that initiating terminal 301 request sets up application layer security data connection response;
Described target terminal, be further used for by its safe floor 313, " beginning connection request " message being sent to the application program 314 of target terminal, comprises the identifier Application_ID_311 of the application program 311 of initiating terminal in this message; And, will " start to connect and confirm " message by its application program 314 and send to its safe floor 313, comprise the identifier Application_ID_314 of application program 314 in this message; And, to " set up safety and connect confirmation " message by its safe floor 313 and be sent to the safe floor 312 of initiating terminal, the identifier Application_ID_314 and the Set_App_Sec_Response that comprise application program 314 in this message, wherein Set_App_Sec_Response means that target terminal confirms to set up application layer security data connection response.
In addition, after the initiating terminal and the target terminal have established the secure connection and secure data transmission is carried out, the initiating terminal is further configured so that the application program running on the initiating terminal sends the file data to be transmitted to the security layer of the initiating terminal. The security layer of the initiating terminal divides the file data F into several file blocks B_i of equal size and then uses a one-way hash algorithm to compute the hash value H_i of each file block for correctness verification. The security layer of the initiating terminal encrypts the file block B_i and the hash value H_i with the random key RandomKey to obtain the ciphertext C(B_i, H_i), and sends the ciphertext C(B_i, H_i) to the security layer of the target terminal. The target terminal is further configured so that its security layer decrypts the ciphertext C(B_i, H_i) with the random key RandomKey to obtain the file block B_i and the hash value H_i. The security layer of the target terminal uses the one-way hash algorithm to compute a hash value H_i' for each file block B_i obtained and compares it with the received hash value H_i; if they are identical, the file block B_i was transmitted correctly, otherwise an error occurred during data transmission. If there is no data transmission error, the security layer of the target terminal, after confirming that every file block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to the application program running on the target terminal, which completes the secure data transmission between the initiating terminal and the target terminal.
When a data transmission error occurs and error handling is required, the target terminal is further configured so that, if a file block B_i obtained by the security layer of the target terminal fails correctness verification, the security layer discards the received file block B_i and sends an "erroneous data retransmission" request to the security layer of the initiating terminal, the message containing the index number BlockIndex of the discarded file block. The initiating terminal is further configured so that its security layer, according to the content of BlockIndex, resends the ciphertext C(B_BlockIndex, H_BlockIndex) to the security layer of the target terminal.
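The block transfer and retransmission described in the two paragraphs above, as an added Python example that is not part of the patent text. The patent names neither the cipher nor the hash, so SHA-256, the 64-byte block size, the per-block nonce, the zero padding of the last block and the HMAC-based keystream (a standard-library stand-in for a real cipher) are all assumptions, as are the function names.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

BLOCK_SIZE = 64   # assumed; the patent only requires equal-sized blocks
NONCE_LEN = 12    # assumed per-block nonce, sent in the clear with the ciphertext
HASH_LEN = hashlib.sha256().digest_size


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def split_blocks(file_data: bytes) -> List[bytes]:
    """Split F into equal-sized blocks B_i; the last block is zero-padded."""
    padded = file_data + b"\x00" * (-len(file_data) % BLOCK_SIZE)
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]


def seal_block(random_key: bytes, block: bytes) -> bytes:
    """Initiator side: C(B_i, H_i) = nonce || Enc(RandomKey, B_i || H_i)."""
    nonce = os.urandom(NONCE_LEN)
    h_i = hashlib.sha256(block).digest()
    return nonce + _xor_keystream(random_key, nonce, block + h_i)


def open_block(random_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Target side: decrypt, recompute H_i', compare with H_i; None means discard."""
    if len(sealed) != NONCE_LEN + BLOCK_SIZE + HASH_LEN:
        return None
    plain = _xor_keystream(random_key, sealed[:NONCE_LEN], sealed[NONCE_LEN:])
    block, h_i = plain[:BLOCK_SIZE], plain[BLOCK_SIZE:]
    h_i_prime = hashlib.sha256(block).digest()
    return block if hmac.compare_digest(h_i_prime, h_i) else None


# (BlockIndex, attempt, frame as sent) -> frame as received
Channel = Callable[[int, int, bytes], bytes]


def transfer(file_data: bytes, random_key: bytes, channel: Channel,
             max_retries: int = 3) -> Tuple[bytes, List[int]]:
    """Simulate both security layers; returns (reassembled F, retransmitted BlockIndex values)."""
    sealed = [seal_block(random_key, b) for b in split_blocks(file_data)]
    received: List[bytes] = []
    retransmit_requests: List[int] = []
    for block_index, frame in enumerate(sealed):
        for attempt in range(max_retries + 1):
            block = open_block(random_key, channel(block_index, attempt, frame))
            if block is not None:
                received.append(block)
                break
            # Verification failed: discard the block and request BlockIndex again.
            # The initiator resends the stored ciphertext C(B_BlockIndex, H_BlockIndex).
            retransmit_requests.append(block_index)
        else:
            raise IOError(f"block {block_index} failed verification after retries")
    # Assumption: the target knows the original length, so the padding can be removed.
    return b"".join(received)[:len(file_data)], retransmit_requests


def noisy_channel(block_index: int, attempt: int, frame: bytes) -> bytes:
    """Constructed fault: flip one bit of block 1 on its first transmission only."""
    if block_index == 1 and attempt == 0:
        return frame[:20] + bytes([frame[20] ^ 0x01]) + frame[21:]
    return frame


if __name__ == "__main__":
    key = os.urandom(32)           # stands for RandomKey from the key exchange
    sample = bytes(range(200))     # constructed sample file
    restored, retries = transfer(sample, key, noisy_channel)
    print(restored == sample, retries)
```

An implementation would replace the stand-in keystream with an authenticated cipher such as AES-GCM from a vetted library.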
In summary, according to the method and system of the present invention for secure point-to-point data transmission in NFC devices, application-layer secure data transmission is started by exchanging a security request and a security response between the initiating terminal and the target terminal, and the transmitted data and check information are encrypted at the application layer of the initiating terminal and the target terminal. This provides a more secure NFC point-to-point communication method and essentially eliminates the security risks of existing networks. In addition, the data is divided into data blocks for transmission and each data block is verified for correctness; when a transmission error occurs, erroneous data is recovered block by block, which further improves the accuracy of transmission. The application-layer secure data transmission can also be ended flexibly by exchanging a stop-security request and a stop-security response between the initiating terminal and the target terminal.
The above is a detailed description of the present invention, given so that those of ordinary skill in the art can understand it. It is to be understood that other changes and modifications can be made without departing from the scope covered by the claims of the present invention, and all such changes and modifications fall within the scope of protection of the present invention.

Claims (10)

1. A method for secure point-to-point data transmission, characterized in that a security layer is provided at the application layer of near-field communication (NFC) as a sublayer of the application layer, the security layer being responsible for establishing a secure connection between peer communicating nodes and for performing encrypted data transmission and correctness verification; the method comprises:
The initiating terminal, after establishing a secure connection with the target terminal, generates a random key RandomKey;
The security layer (312) of the initiating terminal obtains the public key Public_Key_314 of the target terminal's application program (314) from the public key server; wherein the security layer (312) of the initiating terminal obtains the public key Public_Key_314 of the target terminal's application program 314 from the public key server according to the identifier Application_ID_314 of the application program (314) of the target terminal;
The security layer (312) of the initiating terminal encrypts the random key RandomKey with the public key Public_Key_314 of the application program (314) of the target terminal to obtain the ciphertext CText;
The security layer (312) of the initiating terminal sends the ciphertext CText to the security layer (313) of the target terminal;
The security layer (313) of the target terminal decrypts the ciphertext CText with the private key Private_Key_314 of the application program (314) to obtain the random key RandomKey;
The security layer (313) of the target terminal sends a "key received confirmation" message to the security layer (312) of the initiating terminal;
The security layer (312) of the initiating terminal, after confirming that the security layer (313) of the target terminal has received the key, sends a "start connection confirmation" message to the application program (311) running on the initiating terminal; the initiating terminal and the target terminal then carry out data transmission.
2. The method for secure point-to-point data transmission as claimed in claim 1, characterized in that, before the application-layer secure data transmission is carried out, the initiating terminal and the target terminal participating in the data transmission first register their respective public keys with the public key server.
3. The method for secure point-to-point data transmission as claimed in claim 2, characterized in that the initiating terminal establishing a secure connection with the target terminal comprises the following steps:
The security layer (312) of the initiating terminal sends an "establish secure connection request" message to the security layer (313) of the target terminal, the message containing the identifier Application_ID_311 of the application program (311) of the initiating terminal and Set_App_Sec, where Set_App_Sec indicates that the initiating terminal requests establishment of an application-layer secure data connection;
The security layer (313) of the target terminal sends a "start connection request" message to the application program (314) of the target terminal, the message containing the identifier Application_ID_311 of the application program (311) of the initiating terminal;
The application program (314) of the target terminal sends a "start connection confirmation" message to the security layer (313) of the target terminal, the message containing the identifier Application_ID_314 of the application program (314);
The security layer (313) of the target terminal sends an "establish secure connection confirmation" message to the security layer (312) of the initiating terminal, the message containing the identifier Application_ID_314 of the application program (314) and Set_App_Sec_Response, where Set_App_Sec_Response indicates that the target terminal confirms establishment of the application-layer secure data connection.
4. The method for secure point-to-point data transmission as claimed in claim 3, characterized in that,
Before the security layer (312) of the initiating terminal sends the "establish secure connection request" message to the security layer (313) of the target terminal, the method further comprises: the application program (311) running on the initiating terminal sends a start connection request message to the security layer (312) on the initiating terminal, wherein the message contains the identifier Application_ID_311 of the initiating terminal's application program (311).
5. The method for secure point-to-point data transmission as claimed in any one of claims 1 to 4, characterized in that, after the initiating terminal and the target terminal have established the secure connection, carrying out secure data transmission comprises the following steps:
The application program running on the initiating terminal sends the file data to be transmitted to the security layer of the initiating terminal;
The security layer of the initiating terminal divides the file data F into several file blocks B_i of equal size and then uses a one-way hash algorithm to compute the hash value H_i of each file block for correctness verification;
The security layer of the initiating terminal encrypts the file block B_i and the hash value H_i with the random key RandomKey to obtain the ciphertext C(B_i, H_i);
The security layer of the initiating terminal sends the ciphertext C(B_i, H_i) to the security layer of the target terminal;
The security layer of the target terminal decrypts the ciphertext C(B_i, H_i) with the random key RandomKey to obtain the file block B_i and the hash value H_i;
The security layer of the target terminal uses the one-way hash algorithm to compute a hash value H_i' for each file block B_i obtained and compares it with the received hash value H_i; if they are identical, the file block B_i was transmitted correctly, otherwise an error occurred during data transmission; if there is no data transmission error, the security layer of the target terminal, after confirming that every file block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to the application program running on the target terminal, which completes the secure data transmission between the initiating terminal and the target terminal.
6. The method for secure point-to-point data transmission as claimed in claim 5, characterized in that,
When a data transmission error occurs, error handling is required, which specifically comprises:
If a file block B_i obtained by the security layer of the target terminal fails correctness verification, the received file block B_i is discarded;
The security layer of the target terminal sends an "erroneous data retransmission" request to the security layer of the initiating terminal, the message containing the index number BlockIndex of the discarded file block;
The security layer of the initiating terminal, according to the content of BlockIndex, resends the ciphertext C(B_BlockIndex, H_BlockIndex) to the security layer of the target terminal.
7. A system for implementing the method of claim 1, characterized in that it comprises an initiating terminal, a target terminal and a public key server, wherein,
The initiating terminal is configured to generate a random key RandomKey after establishing a secure connection with the target terminal; the security layer (312) of the initiating terminal obtains the public key Public_Key_314 of the target terminal's application program (314) from the public key server and encrypts the random key RandomKey with the public key Public_Key_314 to obtain the ciphertext CText; the security layer (312) of the initiating terminal sends the ciphertext CText to the security layer of the target terminal; and, after confirming that the security layer (313) of the target terminal has received the key, the initiating terminal sends a "start connection confirmation" message to the application program (311) running on the initiating terminal; wherein the security layer (312) of the initiating terminal obtains the public key Public_Key_314 of the target terminal's application program (314) from the public key server according to the identifier Application_ID_314 of the application program (314) of the target terminal;
The target terminal is configured to decrypt the ciphertext CText, through the security layer (313) of the target terminal, with the private key Private_Key_314 of the target terminal's application program (314) to obtain the random key RandomKey, and to send a "key received confirmation" message to the security layer (312) of the initiating terminal.
8. The system as claimed in claim 7, characterized in that the initiating terminal is further configured to send, through its security layer (312), an "establish secure connection request" message to the security layer (313) of the target terminal, the message containing the identifier Application_ID_311 of the application program (311) of the initiating terminal and Set_App_Sec, where Set_App_Sec indicates that the initiating terminal (301) requests establishment of an application-layer secure data connection;
The target terminal is further configured to send, through its security layer (313), a "start connection request" message to the application program (314) of the target terminal, the message containing the identifier Application_ID_311 of the application program (311) of the initiating terminal; to send, through its application program (314), a "start connection confirmation" message to its security layer (313), the message containing the identifier Application_ID_314 of the application program (314); and to send, through its security layer (313), an "establish secure connection confirmation" message to the security layer (312) of the initiating terminal, the message containing the identifier Application_ID_314 of the application program (314) and Set_App_Sec_Response, where Set_App_Sec_Response indicates that the target terminal confirms establishment of the application-layer secure data connection.
9. The system as claimed in claim 8, characterized in that, after the initiating terminal and the target terminal have established the secure connection and secure data transmission is carried out,
The initiating terminal is further configured so that the application program running on the initiating terminal sends the file data to be transmitted to the security layer of the initiating terminal; the security layer of the initiating terminal divides the file data F into several file blocks B_i of equal size and then uses a one-way hash algorithm to compute the hash value H_i of each file block for correctness verification; the security layer of the initiating terminal encrypts the file block B_i and the hash value H_i with the random key RandomKey to obtain the ciphertext C(B_i, H_i), and sends the ciphertext C(B_i, H_i) to the security layer of the target terminal;
The target terminal is further configured so that its security layer decrypts the ciphertext C(B_i, H_i) with the random key RandomKey to obtain the file block B_i and the hash value H_i; the security layer of the target terminal uses the one-way hash algorithm to compute a hash value H_i' for each file block B_i obtained and compares it with the received hash value H_i; if they are identical, the file block B_i was transmitted correctly, otherwise an error occurred during data transmission; if there is no data transmission error, the security layer of the target terminal, after confirming that every file block B_i has been received correctly, reassembles the blocks B_i into the original file data F and sends it to the application program running on the target terminal, which completes the secure data transmission between the initiating terminal and the target terminal.
10. The system as claimed in claim 8, characterized in that, when a data transmission error occurs and error handling is required,
The target terminal is further configured so that, if a file block B_i obtained by the security layer of the target terminal fails correctness verification, the security layer discards the received file block B_i and sends an "erroneous data retransmission" request to the security layer of the initiating terminal, the message containing the index number BlockIndex of the discarded file block;
The initiating terminal is further configured so that its security layer, according to the content of BlockIndex, resends the ciphertext C(B_BlockIndex, H_BlockIndex) to the security layer of the target terminal.
CN201210181412.0A 2012-06-05 2012-06-05 Method and system for point-to-point data safe transmission Active CN103457724B (en)

Publications (2)

Publication Number Publication Date
CN103457724A true CN103457724A (en) 2013-12-18
CN103457724B CN103457724B (en) 2017-02-08

Family

ID=49739720

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant