CN103957225A - Method and device for processing extended safety message - Google Patents

Method and device for processing extended safety message Download PDF

Info

Publication number
CN103957225A
CN103957225A CN201410223345.3A CN201410223345A CN103957225A CN 103957225 A CN103957225 A CN 103957225A CN 201410223345 A CN201410223345 A CN 201410223345A CN 103957225 A CN103957225 A CN 103957225A
Authority
CN
China
Prior art keywords
message
data
module
byte
length
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410223345.3A
Other languages
Chinese (zh)
Other versions
CN103957225B (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd filed Critical Feitian Technologies Co Ltd
Priority to CN201410223345.3A priority Critical patent/CN103957225B/en
Publication of CN103957225A publication Critical patent/CN103957225A/en
Application granted granted Critical
Publication of CN103957225B publication Critical patent/CN103957225B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and device for processing an extended safety message. The method comprises the steps that when the message of a data length value extended instruction in a plaintext authentication mode is received by the device, the following steps are executed, wherein firstly, a read address is updated and data of two bytes are obtained as a data length value; secondly, a first length is obtained according to the data length value, data of the first length are obtained from the start of a first address of the message, information authentication codes of the obtained data are operated, and therefore a first authentication value is obtained; information authentication codes of the message are obtained, whether the message passes authentication or not is judged according to the first authentication value and the information authentication codes, if yes, the message is updated according to the information authentication codes, the instruction is obtained, corresponding operation is executed according to the instruction, an operation result is returned, and the process is ended; if not, an error message is returned and the process is ended. According to the method, the safety message of the extended instruction can be analyzed and confidentiality and data integrity of data communication are guaranteed.

Description

A kind of method and device of processing expansion safe packet
Technical field
The present invention relates to information security field, relate in particular to a kind of method and device of processing expansion safe packet.
Background technology
Along with the development of ecommerce, people are more and more outstanding to realizing safely and reliably the requirement of network service and network authentication, and utilize the smart card of band COS (Chip Operating System, chip operating system) can realize and carry out safely data communication.The safe packet function of smart card can prevent that information from being intercepted, distort or give away secrets in network service.The safe packet function of smart card refers to that the operation (as reading and writing etc.) of application file in smart card has been set to safe packet form in the time of hair fastener, in the time this application file of smart card being carried out to these operations, all forms of the necessary safe packet that adopts band MAC (Message Authentication Code, message authentication code) or enciphered data territory of replying of the instruction that terminal sends and smart card.The object that uses safe packet to communicate is reliability, integrality and the certification to transmit leg that ensures institute's swap data between terminal and smart card; Wherein, data integrity and to the certification of transmit leg by realizing with MAC, the reliability of data is by being encrypted to be guaranteed to data field.In smart card communications process, APDU (ApplicationProtocolDataUnit, Application Protocol Data Unit) instruction is divided into short instruction and extended instruction, in prior art, only have and in the time that instruction is short instruction, use safe packet, extended instruction is not used safe packet, causes a large amount of transfer of data safe not.
Summary of the invention
The object of the invention is in order to overcome the deficiencies in the prior art, a kind of method and device of processing expansion safe packet is provided, can resolve the safe packet of short instruction and extended instruction, obtain instruction, ensure confidentiality and the data integrity of data communication.
A kind of method of processing expansion safe packet provided by the invention, comprising:
In the time that device is judged the message receiving and is the message of plaintext authentication mode of data length value extended instruction, carry out following steps:
Step S1: described device upgrades reading address, obtains the data of 2 bytes as data length value according to described reading address from described message; The initial value of described reading address is the first address of described message;
Step S2: described device obtains the first length according to described data length value, from the first address of described message, obtains the data of described the first length, and the data of described the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S3: described device obtains message authentication code from described message, judges that according to described the first authentication value and described message authentication code described message, whether by certification, is to perform step S4, otherwise returns to error message, finishes;
Step S4: described device upgrades described message according to described message authentication code, obtains corresponding instruction, carries out corresponding operating, and return to operating result according to described instruction, finishes;
In the time that described device is judged the message receiving and is the message of ciphertext authentication mode of data length value extended instruction, carry out following steps:
Step S5: described device upgrades reading address, obtains the data of 2 bytes as data length value according to described reading address from described message; The initial value of described reading address is the first address of described message;
Step S6: described device obtains the first length according to described data length value, from the first address of described message, obtains the data of the first length, and the data of described the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S7: described device obtains the message authentication code in described message, judges that according to described the first authentication value and described message authentication code described message, whether by certification, is to perform step S8, otherwise returns to error message, finishes;
Step S8: described device upgrades described message according to described message authentication code;
Step S9: described device upgrades described reading address obtains the data of data field according to the reading address after upgrading and described data length value from described message, and the data of the described data field getting are decrypted, and obtains clear data;
Step S10: described device upgrades described message according to described clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to described instruction, and returns to operating result, finishes; Otherwise return to error message, finish.
Described device obtains the first length according to described data length value and is specially: described data length value is added to 3 and obtain described the first length.
The described data to described the first length getting are carried out message authentication code computing, obtaining the first authentication value is specially: described device obtains the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the first length getting are carried out to message authentication code computing, obtain the first authentication value;
Described step S9 is specially: described device upgrades described reading address, from described message, obtain the data of data field according to the reading address after upgrading and described data length value, according to the described key getting, the data of the described data field getting are decrypted, obtain clear data.
Described device upgrades described message according to described message authentication code and is specially: described device is removed the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 6th byte to the 7 bytes of described message by described data length value.
Described device upgrades described message according to described clear data, be specially: the data of the 1st byte to the 2 bytes that described device is described clear data by the Data Update of the 6th byte to the 7 bytes in described message are the data since the 3rd byte described clear data by the Data Update starting from described reading address.
Before described step S1, comprise: described device is decrypted the director data in memory block, obtains message, judges that whether described message is legal, be to perform step S1, otherwise return to error message, finish;
Before described step S5, comprise: described device is decrypted the director data in memory block, obtains message, judges that whether described message is legal, be to perform step S5, otherwise return to error message, finish.
Described device judges whether described message is legal and is specially: described device judges whether the length of described literary composition is less than the second length, be that described message is illegal, otherwise described message is legal.
Before described step S1 and step S5, comprise described device judges whether the message receiving is the message of data length value extended instruction, is specially:
Steps A 1: described device judges whether described message meets default form, is that described device has parsed corresponding instruction from described message, carries out corresponding operating, and return to operating result according to described instruction, finishes; Otherwise execution step A2;
Steps A 2: described device obtains the data of the 5th byte of described message, whether the data that judge described the 5th byte getting are 0, that described device is judged the message that described message is data length value extended instruction, otherwise described device to judge described message be not the message of data length value extended instruction.
After described step S1, comprise:
Described device obtains the first scope according to described data length value, judges that whether the data field of described message is correct according to the length of described the first scope and described message, is to perform step S2, otherwise returns to error message, finishes;
After described step S5, comprise:
Described device obtains the first scope according to described data length value, judges that whether the data field of described message is correct according to the length of described the first scope and described message, is to perform step S6, otherwise returns to error message, finishes.
Described device judges that according to the length of described the first scope and described message whether the data field of described message is correct, be specially: described device judges that the length of described message is whether in described the first scope, the data field that is described message is correct, otherwise the data field of described message is incorrect.
Before described step S1 and step S5, comprise that described device judges the safe packet mode of the message receiving, and is specially:
Step B1: described device obtains the data of the 1st byte of described message as the classification byte in a data of described message;
Step B2: described device judges the safe packet mode of described message according to described classification byte, if described classification byte be the first preset value described device judge the message that described message is clear-text way, if described classification byte be the second preset value described device judge the message that described message is plaintext authentication mode, if described classification byte be the 3rd preset value described device judge the message that described message is ciphertext authentication mode; Return to error message if described classification byte is other character strings, finish.
Before described step S1 and step S5, comprise that described device judges the safe packet mode of the message receiving, and is specially:
Step B1 ': described device obtains the data of the 2nd byte of described message as the command byte in a data of described message;
Step B2 ': described device judges according to described command byte whether the function of the instruction in described message is the first preset function, is that described device is judged the message that described message is ciphertext authentication mode, otherwise execution step B3 ';
Step B3 ': described device obtains the data of the 5th byte of described message, judges whether the data of described the 5th byte getting are 0, is to return to error message, finish, otherwise the described safe packet mode that obtains described message according to described command byte.
In the time that described device is judged the message receiving and is the message of clear-text way of data length value extended instruction, carry out following steps:
Step S11: described device upgrades reading address, the data of obtaining 2 bytes according to described reading address from described message are as data length value, obtain the first scope according to described data length value, whether the data field that judges described message according to the length of described the first scope and described message is correct, be from described message, to have parsed corresponding instruction, carry out corresponding operating and return to operating result according to described instruction, finish, otherwise return to error message, finish.
In the time that described device is judged the message receiving and is the message of clear-text way of non-data length value extended instruction, carry out following steps:
Step S12: described device upgrades reading address, the data of obtaining 1 byte according to described reading address from described message are as data length value, obtain the second scope according to described data length value, whether the data field that judges described message according to the length of described the second scope and described message is correct, be from described message, to have parsed corresponding instruction, carry out corresponding operating and return to operating result according to described instruction, finish, otherwise return to error message, finish.
In the time that described device is judged the message receiving and is the message of plaintext authentication mode of non-data length value extended instruction, carry out following steps:
Step S13-1: described device upgrades reading address, obtains the data of 1 byte as data length value according to described reading address from described message;
Step S13-2: described device obtains the second scope according to described data length value, judges that according to the length of described the second scope and described message whether the data field of described message is correct, is to perform step S13-3, otherwise returns to error message, finishes;
Step S13-3: described device obtains the 3rd length according to described data length value, from the first address of described message, obtains the data of the 3rd length, and the data of described the 3rd length getting are carried out to message authentication code computing, obtains the second authentication value;
Step S13-4: described device obtains the message authentication code in described message, judges that according to described the second authentication value and described message authentication code described message, whether by certification, is to perform step S13-5, otherwise returns to error message, finishes;
Step S13-5: described device upgrades described message according to described message authentication code, obtains corresponding instruction, carries out corresponding operating and returns to operating result according to described instruction, finishes.
In the time that described device receives the message of ciphertext authentication mode of non-data length value extended instruction, carry out following steps:
Step S14-1: described device upgrades reading address, obtains the data of 1 byte as data length value according to described reading address from described message;
Step S14-2: described device obtains the second scope according to described data length value, judges that according to the length of described the second scope and described message whether the data field of described message is correct, is to perform step S14-3, otherwise returns to error message, finishes;
Step S14-3: described device obtains the 3rd length according to described data length value, from the first address of described message, obtains the data of the 3rd length, and the data of described the 3rd length getting are carried out to message authentication code computing, obtains the second authentication value;
Step S14-4: described device obtains the message authentication code in described message, judges that according to described the second authentication value and described message authentication code described message, whether by certification, is to perform step S14-5, otherwise returns to error message, finishes;
Step S14-5: described device upgrades described message according to described message authentication code;
Step S14-6: described device upgrades described reading address obtains the data of data field from described message according to described reading address and described data length value, the data of the described data field getting are decrypted, and obtains clear data;
Step S14-7: described device upgrades described message according to described clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to described instruction, and returns to operating result, finishes; Otherwise return to error message, finish.
Described device obtains the 3rd length according to described data length value, is specially: described data length value is added to 1 and obtain described the 3rd length.
Described step S13-3 is specially: described device obtains the 3rd length according to described data length value, from the first address of described message, obtain the data of the 3rd length, obtain the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the 3rd length getting are carried out to message authentication code computing, obtain the second authentication value.
Described step S14-3 is specially:
Described device obtains the 3rd length according to described data length value, from the first address of described message, obtain the data of the 3rd length, obtain the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the 3rd length getting are carried out to message authentication code computing, obtain the second authentication value;
Described step S14-6 is specially: described device upgrades described reading address, from described message, obtain the data of data field according to described reading address and described data length value, according to the described key getting, the data of the described data field getting are decrypted, obtain clear data.
Described device upgrades described message according to described message authentication code and is specially: described device is removed the described message authentication code in described message, from subtracting 4, is described data length value by the Data Update of the 5th byte of described message by described data length value.
Described device upgrades described message according to described clear data, be specially: the data of the 1st byte that described device is described clear data by the Data Update of the 5th byte of described message are the data since the 2nd byte described clear data by the Data Update starting from described reading address.
A device of processing expansion safe packet, comprising:
Receiver module, the first update module, the first acquisition module, the first computing module, the second acquisition module, the first authentication module, the first judge module, the second update module, the 3rd acquisition module, the first deciphering module, the 3rd update module, the second judge module, processing module and return to module;
Described receiver module, for receiving message;
Described the first update module, while being the message of plaintext authentication mode of data length value extended instruction or the message of the ciphertext authentication mode of data length value extended instruction, upgrades reading address for the described message receiving when described receiver module; The initial value of described reading address is the first address of described message;
Described the first acquisition module, for upgrading the described reading address that obtains obtains 2 bytes data from described message as data length value according to described the first update module;
Described the first computing module, obtains the first length for the described data length value getting according to described the first acquisition module;
Described the second acquisition module, for from the first address of described message, obtains the data of described the first length;
Described the first authentication module, carries out message authentication code computing for the data of described the first length that described the second acquisition module is got, obtains the first authentication value;
Described the first judge module, for obtaining the message authentication code of described message, described the first authentication value obtaining according to described the first authentication module computing and described message authentication code judge that whether described message is by certification;
Described the second update module, in the time that described the first judge module is judged as YES, upgrades described message according to described message authentication code;
Described the 3rd acquisition module, for obtaining the data of data field from described message according to described reading address and described data length value;
Described the first deciphering module, is decrypted for the data of described data field that described the 3rd acquisition module is got, obtains clear data;
Described the 3rd update module, for obtaining, after described clear data, upgrading described message according to described clear data in described the first deciphering module deciphering;
Described the second judge module, for upgrading after described message in described the 3rd update module, judges whether the message after upgrading is legal instruction;
Described processing module, for after upgrading instruction that described message obtains and/or the second judge module according to described the second update module and being judged as YES, carries out corresponding operating according to described instruction;
The described module of returning for being judged as NO at described the first judge module and/or returning to error message when described the second judge module is judged as NO, is returned to operating result after described processing module is finished dealing with.
Described the first computing module obtains described the first length specifically for described data length value is added to 3.
Described the second acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
The data of described the first length that described the first authentication module gets described the second acquisition module specifically for the described key getting according to described the second acquisition module are carried out message authentication code computing, obtain the first authentication value;
The data of the described data field that described the first deciphering module gets described the 3rd acquisition module specifically for the described key getting according to described the second acquisition module are decrypted, and obtain clear data.
Described the second update module is specifically in the time that described the first judge module is judged as YES, remove the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 6th byte to the 7 bytes of described message by described data length value.
Described the 3rd update module is specifically for obtaining after described clear data in described the first deciphering module deciphering, the data of the 1st byte to the 2 bytes that are described clear data by the Data Update of the 6th byte to the 7 bytes in described message are the data since the 3rd byte described clear data by the Data Update starting from described reading address.
Described device also comprises the second deciphering module and the 3rd judge module;
Described the second deciphering module, is decrypted for the director data to memory block, obtains message;
Described the 3rd judge module, whether legal for judging described message;
The described module of returning also for returning to error message in the time that described the 3rd judge module is judged as NO.
Whether described the 3rd judge module is less than the second length specifically for the length that judges described literary composition, be that described message is illegal, otherwise described message is legal.
Described device also comprises the 4th judge module and the 5th judge module;
Described the 4th judge module, for judging whether described message meets default form;
Described processing module, also in the time that described the 4th judge module is judged as YES, corresponding operating is carried out in the instruction obtaining according to parsing;
Described the 5th judge module, be used for the data of the 5th byte of obtaining described message, whether the data that judge described the 5th byte getting are 0, are that described message is the message of data length value extended instruction, otherwise described message is not the message of data length value extended instruction.
Described device also comprises the second computing module and the 6th judge module;
Described the second computing module, for obtaining the first scope according to described data length value;
Described the 6th judge module, whether correct for judge the data field of described message according to the length of described the first scope and described message;
The described module of returning also for returning to error message in the time that described the 6th judge module is judged as NO.
Whether described the 6th judge module in described the first scope, be that the data field of described message is correct, otherwise the data field of described message is incorrect specifically for the length that judges described message.
Described device also comprises the 4th acquisition module and the 7th judge module;
Described the 4th acquisition module, for the data of the 1st byte of obtaining described message as the classification byte of a data of described message;
Described the 7th judge module, for judge the safe packet mode of described message according to described classification byte, if described classification byte is the first preset value message that described message is clear-text way, if described classification byte be the second preset value described message be the message of plaintext authentication mode, if described classification byte be the 3rd preset value described message be the message of ciphertext authentication mode; Return to module described in and return to error message if described classification byte is other character strings.
Described device also comprises the 5th acquisition module, the 8th judge module and the 9th judge module;
Described the 5th acquisition module, for the data of the 2nd byte of obtaining described message as the command byte of a data of described message;
Whether described the 8th judge module, be the first preset function for the function of the instruction that judges described message according to described command byte, is that described message is the message of ciphertext authentication mode;
Described the 9th judge module, for obtain the data of described message in the time that described the 8th judge module is judged as NO, whether the data that judge described the 5th byte getting are 0, be to return to module described in to return to error message, otherwise obtain the safe packet mode of described message according to described command byte.
Described device also comprises the 6th acquisition module, the 3rd computing module and the tenth judge module;
Described the 6th acquisition module, in the time that described receiver module receives the message of clear-text way of non-data length value extended instruction or the message of the message of the plaintext authentication mode of non-data length value extended instruction or the ciphertext authentication mode of non-data length value extended instruction, for the data of obtaining 1 byte from described message according to described reading address as data length value;
Described the 3rd computing module, for obtaining the second scope according to described data length value;
Described the tenth judge module, whether correct for judge the data field of described message according to the length of described the second scope and described message;
The described module of returning also for returning to error message in the time that described the tenth judge module is judged as NO;
Described processing module is also carried out corresponding operating for the instruction obtaining according to parsing after being judged as YES at described the tenth judge module.
Described device also comprises the 4th computing module, the 7th acquisition module, the second authentication module and the 11 judge module;
Described the 4th computing module, when receive the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when described receiver module, obtains the 3rd length according to described data length value;
Described the 7th acquisition module, for from the first address of described message, obtains the data of the 3rd length;
Described the second authentication module, carries out message authentication code computing for the data of described the 3rd length that described the 7th acquisition module is got, obtains the second authentication value;
Described the 11 judge module, for obtaining the message authentication code of described message, judges that according to described the second authentication value and described message authentication code whether described message is by certification;
The described module of returning also for returning to error message in the time that described the 11 judge module is judged as NO;
Described the second update module, also in the time that described the 11 judge module is judged as YES, is upgraded described message and is obtained corresponding instruction according to described message authentication code.
Described the 4th computing module obtains described the 3rd length specifically for described data length value being added to 1.
Described the 7th acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
Described the second authentication module, the data of described the 3rd length described the 7th acquisition module being got specifically for the described key getting according to described the 7th acquisition module are carried out message authentication code computing, obtain the second authentication value.
Described the 7th acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
The data of the described data field that described the first deciphering module also gets described the 3rd acquisition module for the described key getting according to described the 7th acquisition module are decrypted, and obtain clear data.
Described the second update module is when receiving the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when described receiver module, remove the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 5th byte of described message by described data length value.
Described the 3rd update module is also when receiving the message of ciphertext authentication mode of non-data length value extended instruction when described receiver module, the data of the 1st byte that is described clear data by the Data Update of the 5th byte of described message are the data since the 2nd byte described clear data by the Data Update starting from described reading address.
The present invention compared with prior art, has the following advantages:
The present invention can resolve the safe packet of short instruction and extended instruction, obtains instruction, ensures confidentiality and the data integrity of data communication.
Brief description of the drawings
Fig. 1 is the flow chart of a kind of method of processing expansion safe packet that the embodiment of the present invention 2 provides;
Fig. 2 be in the embodiment of the present invention 2 step 103 to a kind of refinement flow chart of step 104;
Fig. 3 be in the embodiment of the present invention 2 step 103 to the another kind of refinement flow chart of step 104;
Fig. 4 is the refinement flow chart of step 109 in the embodiment of the present invention 2;
Fig. 5 is the flow chart of a kind of method of processing expansion safe packet that the embodiment of the present invention 3 provides;
Fig. 6 is the module map of a kind of device of processing expansion safe packet that the embodiment of the present invention 4 provides.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiment.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtaining under creative work prerequisite, belong to the scope of protection of the invention.
The message of APDU (ApplicationProtocolDataUnit, Application Protocol Data Unit) instruction comprises a data and main body of the packet; Data comprise classification byte, command byte and parameter, and main body of the packet comprises data length value, data field and response length value; Wherein, the length of a data is 4 bytes, and classification byte is for representing the safe packet mode of message, and command byte is for representing the instruction type of message; The length of the data length value representation data field in main body of the packet, the length of response length value representation response data.
The message of APDU instruction has three kinds of safe packet modes, is respectively clear-text way, plaintext authentication mode and ciphertext authentication mode; Particularly, the message transmitting in clear-text way is instruction plaintext, and message transmitting party is not processed instruction; In the message that plaintext authentication mode is transmitted, main body of the packet is plaintext, and the correct data of message transmitting party and main body of the packet carry out message authentication code calculating, obtain the message authentication value of 4 bytes, are placed on the last of data field using this message authentication value as a part for data field; In ciphertext authentication mode, first message transmitting party is encrypted the data in data field, then correct data and main body of the packet carry out message authentication code and calculate the message authentication value of 4 bytes, are placed on the last of data field using this message authentication value as a part for data field.
The message of APDU instruction is divided into the message of short instruction and the message of extended instruction, and wherein the message of extended instruction comprises the message of data length value extended instruction and the message of response length value extended instruction; Particularly, if the length of data field is greater than 255, and be less than 65535, the message of this instruction is the message of data length value extended instruction, data length value in the message of this instruction is 3 bytes, and wherein the 1st byte is fixed as the length of 0, the 2 byte and the 3rd byte representation data field; If the length of data field is greater than 0, and be less than or equal to 255, data length value is 1 byte, or, there is not data field, there is not data length value, the message of this instruction is the message of non-data length value extended instruction; If response length value is greater than 255, and be less than 65535, response length value is 3 bytes, and wherein the 1st byte is fixed as the length of 0, the 2 byte and the 3rd byte representation response data, and the message of this instruction is the message of response length value extended instruction; If response length value is greater than 0, and be less than or equal to 255, response length value is 1 byte, or does not have response length value, and the message of this instruction is the message of non-response length value extended instruction.If the message of an instruction is neither the message of data length value extended instruction, the also message of non-response length value extended instruction, the message that message of this instruction is short instruction.
Embodiment 1
Embodiments of the invention 1 provide a kind of method of processing expansion safe packet, comprising:
In the time that device is judged the message receiving and is the message of plaintext authentication mode of data length value extended instruction, carry out following steps:
Step S1: device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address from message; The initial value of reading address is the first address of message;
Step S2: device obtains the first length according to data length value, from the first address of message, obtains the data of the first length, and the data of the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S3: device obtains message authentication code from message, judges that according to the first authentication value and message authentication code message, whether by certification, is to perform step S4, otherwise returns to error message, finishes;
Step S4: device upgrades message according to message authentication code, obtains corresponding instruction, carries out corresponding operating according to this instruction, and returns to operating result, finishes;
In the time that device is judged the message receiving and is the message of ciphertext authentication mode of data length value extended instruction, carry out following steps:
Step S5: device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address from message; The initial value of reading address is the first address of message;
Step S6: device obtains the first length according to data length value, from the first address of message, obtains the data of the first length, and the data of the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S7: device obtains the message authentication code in message, judges that according to the first authentication value and message authentication code message, whether by certification, is to perform step S8, otherwise returns to error message, finishes;
Step S8: device upgrades message according to message authentication code;
Step S9: device upgrades reading address obtains the data of data field according to the reading address after upgrading and data length value from message, and the data of the data field getting are decrypted, and obtains clear data;
Step S10: device upgrades message according to clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to this instruction, and returns to operating result, finishes; Otherwise return to error message, finish.
Embodiment 2
Embodiments of the invention 2 provide a kind of method of processing expansion safe packet, as shown in Figure 1, comprising:
Device receives director data, after the instruction data storage receiving is in memory block, carries out following steps:
Step 100: device is decrypted the director data in memory block, obtains message;
Particularly, the director data that device receives is the data after encryption, so device need be decrypted and obtain message director data;
For example, director data is:
99D85CF318C402658CA12E67066DECBC1A7F95B400D9070C56E1493C06C7CC5A47AF3D85C3C035DE63488E615A17502E641BF9A63CEC2DE……;
Message after deciphering is:
8CF42206000154645F53E00D940932239BC0C36DD1740CF1D72E124E929CEAE28F819A61DA8EED3913097934FC2ABB110D39333537215BFCD……;
Step 101: device judges that whether message is legal, is to perform step 102, otherwise returns to error message, finishes;
Particularly, device judges whether the length of message is less than the second length, is to determine that this message is illegal, otherwise determines that this message is legal; Preferably, the second length is 5 bytes;
Step 102: device judge whether message meets default form, be success from message, parse instruction, carry out corresponding operating according to the instruction parsing, return to operating result, finish, otherwise perform step 103;
Particularly, the length that default form is message is 5 bytes, or the length of message is that 7 bytes and the 5th byte are 0x00; If the length of message is 5 bytes, the instruction in this message is without data field, and this instruction is non-response length value extended instruction, and the safe packet mode of message is clear-text way, has parsed instruction; If the length of message is that 7 bytes and the 5th byte are 0x00, the instruction in this message is without data field, and is response length value extended instruction, and the safe packet mode of message is clear-text way, has parsed instruction;
Step 103: device obtains a data and the data length value of message in message according to reading address, upgrade reading address according to the data getting and data length value, according to a data and data length value, message mode mark and data expansion mark are arranged;
Particularly, the first address that the initial value of reading address is message; If the safe packet mode of message is clear-text way, message mode mark is set to the first numerical value, if the safe packet mode of message is plaintext authentication mode, message mode mark is set to second value, if the safe packet mode of message is ciphertext authentication mode, message mode mark is set to third value; The initial condition of data expansion mark is for resetting, if the instruction in message is data length value extended instruction, by the set of data expansion mark;
For example, the data in the message getting are 8CF42206, and data length value is 0x000154, and message mode mark is set to third value, by the set of data expansion mark;
Step 104: device judges that according to the length of message and data length value whether the data field of message is correct, is to perform step 105, otherwise returns to error message, finishes;
Particularly, if the instruction in message is data length value extended instruction, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Wherein, the first scope be data length value add 7 and, data length value add 8 and, data length value add 10 and, if the length of message be these three with one of, the length of message is in the first scope, otherwise the length of message is not in the first scope;
Particularly, if the instruction in message is short instruction, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Wherein, the second scope be data length value add 5 and, data length value add 6 and, data length value add 8 and, if the length of message be these three with one of, the length of message is in the second scope, otherwise the length of message is not in the second scope;
Step 105: device judges whether to carry out message authentication code authentication according to message mode mark, is to perform step 106, otherwise success parses instruction from message, carries out corresponding operating according to the instruction parsing, and returns to operating result, finishes;
Particularly, if message mode is designated the first numerical value, the safe packet mode of message is clear-text way, does not need to carry out message authentication code authentication, has parsed instruction; If the message mode of message is designated second value or third value, need to proceed message authentication code authentication, execution step 106;
For example, in the present embodiment, message mode is designated third value, needs to continue message to carry out message authentication code authentication;
Step 106: device judges according to data expansion mark whether the instruction in message is data length value extended instruction, is to perform step 107, otherwise execution step 108;
Particularly, device judge that data expansions identifies whether set, is to determine that the instruction in message is data length value extended instruction, otherwise instruction in definite message is not data length value extended instruction;
Step 107: device, from a data of message, obtains the data of the first length are carried out message authentication code computing data as need, execution step 109;
Particularly, the first length is that data length value adds 3; In the present embodiment, device carries out message authentication code computing to the data except message authentication value and response length value in message;
Step 108: device, from a data of message, obtains the data of the 3rd length are carried out message authentication code computing data as need, execution step 109;
Particularly, the 3rd length is that data length value adds 1; In the present embodiment, device carries out message authentication code computing to the data except message authentication value and response length value in message;
Step 109: device obtains the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte, the data of the need that get being carried out to message authentication code computing according to the key getting are carried out message authentication code authentication, obtain authentication value;
For example, the data of the 2nd byte of message are 0xF4, obtain the applicating maintenance key setting in advance;
Step 110: device obtains the message authentication value in message, the authentication value obtaining according to computing and the message authentication value getting judge that message, whether by message authentication code authentication, is to perform step 111, otherwise returns to error message, finish;
Particularly, device can be in message adds data length value from reading address and subtracts 4 position, obtains the data of 4 bytes as the message authentication value in message; The authentication value whether the message authentication value that device judgement gets obtains with computing is identical, is to determine that message passes through message authentication code authentication, otherwise determines that message is not by message authentication code authentication;
Step 111: device upgrades data length value and message according to the message authentication value in data expansion mark and message;
Particularly, device is removed the message authentication value in message, data length value is subtracted to 4 certainly, if data expansion identifies set, be data length value by the Data Update of the 6th byte to the 7 bytes of message, if data expansion identifies not set, is data length value by the Data Update of the 5th byte of message;
For example, the message authentication value in message is FA1F0987, and data length value is 0x000154; Data length value is deducted to the length of message authentication value, by data length value, from subtracting 4, data length value is updated to 0x0x000150, and the message after renewal is:
8CF42206000150645F53E00D940932239BC0C36DD1740CF1D72E124E929CEAE28F819A61DA8EED3913097934FC2ABB110D39333537215BFCD……;
Step 112: whether the data that device identifies in the data field that judges message according to message mode are ciphertexts, are to perform step 113, otherwise success parses instruction from message, carries out corresponding operating according to the instruction parsing, and returns to operating result, finishes;
Particularly, if message mode is designated second value, in message, the data in data field are expressly, have parsed instruction; If message mode is designated third value, the data in data field are ciphertext;
Step 113: device obtains the data of data field according to reading address and data length value, according to the key getting, the data of the data field getting are decrypted, and obtains clear data;
Particularly, device is from reading position, and in message, obtaining length is that the data of data length value are as the data of the data field getting;
For example, the instruction in message is data length value extended instruction, and the data of the data field getting are from the 8th byte of this message, and the data of the data field getting are:
645F53E00D940932239BC0C36DD1740CF1D72E124E929CEAE28F819A61DA8EED3913097934FC2ABB110D39333537215BFCD……;
Particularly, the clear data that deciphering obtains comprises length of the plaintext and clear content;
For example, clear data is:
014C9900450401000100E9820200ED8F651F795E988FBE03FA6B4BE9 4331B52AA2862178C08851FDAE2E39B80E Wherein, length of the plaintext is 014C;
Step 114: device upgrades message according to data expansion mark and clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to this instruction, returns to operating result, finishes; Otherwise return to error message, finish;
Particularly, if data expansion identifies set, be the length of the plaintext in clear data by the Data Update of the 6th byte to the 7 bytes of message, be the data since the 4th byte clear data by the Data Update starting from reading address; If data expansion identifies not set, is the length of the plaintext in clear data by the Data Update of the 5th byte of message, is the data since the 2nd byte clear data by the Data Update starting from reading address;
For example, data expansion identifies set, is 014C by the Data Update of the 6th byte to the 7 bytes of message, and the message after renewal is:
8CF42A0600014C9900450401000100E9820200ED8F651F795E988FBE03FA6B4BE94331B52AA2862178C08851FDAE2E39B80E……。
Particularly, step 103 and step 104 as shown in Figure 2, comprising:
Step 103-1: the data that device obtains 1 byte according to reading address, as the classification byte in a data of message, are upgraded reading address;
Particularly, device adds 4 by reading address;
Step 103-2: device judges safe packet mode according to the classification byte in a data of message, if clear-text way performs step 103-3, if plaintext authentication mode performs step 103-4, if ciphertext authentication mode performs step 103-5; If other return to error message, finish;
Particularly, if the classification byte in a data is the first preset value, determine that safe packet mode is clear-text way; If the classification byte in a data is the second preset value, determine that safe packet mode is plaintext authentication mode; If the classification byte in a data is the 3rd preset value, determine that safe packet mode is ciphertext authentication mode; If the classification byte in a data is other character strings, return to error message, finish; Preferably, the first preset value is 0x00 or 0x80, and the second preset value is 0x84, and the 3rd preset value is 0x8C;
For example, the data in message are 8CF42206, and classification byte is 8C, and the safe packet mode of message is ciphertext authentication mode, and message comprises a data, main body of the packet and message authentication value;
Step 103-3: device message mode mark is set to the first numerical value, execution step 103-6;
Particularly, in the present embodiment, the first numerical value is 0x00; The initial value of message mode mark is 0x00;
Step 103-4: device message mode mark is set to second value, execution step 103-6;
Particularly, in the present embodiment, second value is 0x40;
Step 103-5: device message mode mark is set to third value, execution step 103-6;
Particularly, in the present embodiment, third value is 0xC0;
Step 103-6: device obtains the data of 1 byte according to reading address, judge according to the data of get 1 byte whether the instruction in message is data length value extended instruction, to upgrade reading address, obtain the data of 2 bytes according to reading address as data length value, execution step 103-8, otherwise using the data that get as data length value, execution step 103-7;
Particularly, device judges whether the data of 1 byte getting are 0, is to determine that the instruction in message is data length value extended instruction, otherwise determines that the instruction in message is short instruction; Renewal reading address is specially reading address is added to 1;
Step 103-7: device obtains the second scope according to data length value, judges that according to the length of the second scope and message whether data field is correct, is to upgrade reading address, execution step 104, otherwise return to error message, finish;
Particularly, the second scope is that data length value adds 5, data length value add 6 and data length value add 8, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect; Renewal reading address is specially reading address is added to 1;
Step 103-8: device obtains the first scope according to data length value, judges that according to the length of the first scope and message whether data field is correct, is to upgrade reading address, execution step 103-9, otherwise return to error message, finish;
Particularly, the first scope is that data length value adds 7, data length value add 8 and data length value add 10, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect; Renewal reading address is specially reading address is added to 2;
Step 103-9: device is by the set of data expansion mark, execution step 105;
Particularly, data expansion mark initial condition is for resetting;
In addition, as shown in Figure 3, step 103 and step 104 can also be:
Step 103-1 ': device upgrades reading address, obtains the data of 1 byte as the command byte in a data according to reading address;
Particularly, upgrade reading address for reading address is added to 1;
Step 103-2 ': device judges according to the command byte in a data of message whether the function of the instruction in message is the first preset function, is to perform step 103-5 ', otherwise execution step 103-3 ';
Particularly, device judges whether the data in the command byte in a data are the first preset data, are to represent that the function of this instruction is the first preset function, otherwise represent that the function of this instruction is not the first preset function;
For example, the first preset function is importing secret key pair, and the first preset data is 0xF4, and the data in message are 8CF42206, and the function of the instruction in message is importing secret key pair;
Step 103-3 ': device upgrades reading address, obtains the data of 1 byte according to reading address, judge whether the data of 1 byte getting are 0, is to return to error message, finish, otherwise execution step 103-4 ';
Particularly, renewal reading address is specially reading address is added to 3, if the function of the instruction in message is not the first preset function, does not need usage data length value extended instruction; Now, if the data that get are 0, the message mistake of this instruction;
Step 103-4 ': device, using the data that get as data length value, arranges message mode mark according to the command byte in a data, execution step 103-8 ';
Particularly, if the command byte in a data be the second preset data message mode mark be set to the first preset value, if the command byte in a data be the 3rd preset data message mode mark be set to the second preset value;
For example, if the command byte in the data in message is F0, the function of instruction is to append key, and message mode mark is set to second value; If the command byte in the data in message is B0 or D6, the function of instruction is read/write file, and message mode mark is set to the first numerical value;
Step 103-5 ': device message mode mark is set to third value, upgrades reading address;
Particularly, reading address is added to 1;
Step 103-6 ': the data that device obtains 2 bytes according to reading address from message are as parameter, whether the operand that judges the instruction in message according to parameter is the first operand, to perform step 103-7 ', otherwise renewal reading address, obtain the data of 1 byte according to reading address as data length value, execution step 103-8 ';
Particularly, if parameter is 2A06 or 2206, the operand of this instruction is the first operand, otherwise the operand of this instruction is not the first operand; Upgrade reading address for reading address is added to 2;
Preferably, the first operand is RSA key pair, if the operand of instruction is the first operand, this instruction is to import RSA key to instruction, otherwise this instruction is for importing SM2 key to instruction;
For example, the message of the instruction of importing SM2 key to PKI is:
8CF41B03546E6CE26C6F92877BDAAA8713A3233B253D08F8D72E3FAB E0F2208A120D3B270E3ECB32BEBC3198DC370E901F6B10D583DF3846 A36DCA988346EA16252FFB8ADB7AE31AC819E5F65C2413F06D6CDC77 EBA17AEA47; Wherein, a data is 84F41B03, and parameter is 1B03;
The message that imports the instruction of SM2 key to private key is:
8CF413032C80CD75C1EFB266F93134977AEAF2550F7C4DAA45525DA6 B70D2CF5E59441C6E6AC14FDF9A739F0330B4222F5; Wherein a data is 84F41303, and parameter is 1303;
Step 103-7 ': device upgrades reading address, obtain the data of 1 byte according to reading address, judge according to the data that get whether the instruction in this message is data length value extended instruction, to perform step 103-9 ', otherwise using the data that get as data length value, execution step 103-8 ';
Particularly, upgrade reading address for reading address is added to 2, device judges whether the data that get are 0, is to determine that the instruction in message is data length value extended instruction, otherwise determines that the instruction in message is short instruction;
In the present embodiment, the instruction importing in the message that 2048 byte RSA keys are right is data length value extended instruction, and the data in message in first byte of main body of the packet are 0; Import in the message that 1024 byte RSA keys are right, importing 1024 byte RSA keys is short instruction to the instruction of PKI, and the data in message in first byte of main body of the packet are not 0; Importing 1024 byte RSA keys is data length value extended instruction to the instruction of private key, and the data in message in first byte of main body of the packet are 0;
For example, the message of the instruction of 2048 byte RSA keys of importing to PKI is:
8CF42A06000114FD0B07CEE2D03FBCD1FD7D2B03883F5D33B25462C5 7068F8E982AEF67E11759E3373703CA36151AD805AE8283A48BE3EC Wherein a data is 84F42A06, and parameter is 2A06; Data in first byte of main body of the packet are 00;
The message that imports the instruction of 2048 byte RSA keys to private key is:
8CF4220600029456D3F26B9E46B5EA1C0048EC4443C2E1DFC6E7313E 549314020B3CFFE16EC2B4AEB31EDB07B9B342F98C3490BA1D8C Wherein a data is 84F42206, and parameter is 2206; Data in first byte of main body of the packet are 00;
The message that imports the instruction of 1024 byte RSA keys to PKI is:
8CF42A0694D571440BEB0CF7228ABEE219F9E309A921048143289D68 E670EEA4894EBB9BD7FAE24801E0456CBB849B88D0EB1A1EDF8B4C06 EBFC680977D369132486C2ABF1AD4663EB9D96315DB3DB550306558E 6AAC4F5B6A9FBB0BC22DF18A3F5C9C72C4322AD711CD01FC5D601489 B6D9886FC6339F76CAB628A74599FD32E3535695EF48BAFE100D9FD0 5A71F3346C964119D554FC6C23; Wherein a data is 84F42A06, and parameter is 2A06; Data in first byte of main body of the packet are 94;
The literary composition that imports the instruction of 1024 byte RSA keys to private key is:
8CF42206000154645F53E00D940932239BC0C36DD1740CF1D72E124E 929CEAE28F819A61DA8EED3913097934FC2ABB110D39333537215BFC D Wherein a data is 84F42206, and parameter is 2206; Data in first byte of main body of the packet are 00;
Step 103-8 ': device obtains the second scope according to data length value, judges that according to the length of the second scope and message whether data field is correct, is to upgrade reading address, execution step 105, otherwise return to error message, finish;
Particularly, the second scope is that data length value adds 5, data length value add 6 and data length value add 8, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect; Renewal reading address is specially reading address and adds 1;
Step 103-9 ': device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address from message;
Particularly, upgrade reading address for reading address is added to 1;
Step 103-10 ': device obtains the first scope according to data length value, judges that according to the length of the first scope and message whether data field is correct, is to upgrade reading address, execution step 103-11 ', otherwise return to error message, finish;
Particularly, the first scope be data length value add 7 and, data length value add 8 and, data length value add 10 and, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect; Renewal reading address is specially reading address is added to 2;
Step 103-11 ': device is by the set of data expansion mark, execution step 105;
Particularly, data expansion mark initial condition is for resetting;
Particularly, the data that in step 109, device carries out message authentication code computing according to the key getting to the need that get are carried out message authentication code authentication, obtain authentication value, as shown in Figure 4, comprising:
Step 109-1: device judges whether to carry out according to generating identification the operation that generates random number, is to perform step 109-2, otherwise returns to error message, finishes;
Particularly, device, in the time receiving the order that generates random number, is carried out the operation that generates random number, stores the random number generating, and returns to the random number of generation, by generating identification set; The initial condition of generating identification is for resetting; Step 109-1 is specially: device judge whether set of generating identification, is to determine to carry out the operation that generates random number, otherwise definite operation of not carrying out generation random number;
Step 109-2: the data that device carries out message authentication code computing to the need that get are packed;
Particularly, the data that device carries out message authentication code computing at the need that get are finally supplemented the data 0x80 of 1 byte, if the data length after supplementing is 8 integral multiple, complete packing; If the data length after supplementing is not 8 integral multiple, after 0x80, supplement 0x00; The quantity of supplementing 0x00 is (8-(need carry out the data length of message authentication code MAC computing) %8) individual byte;
Step 109-3: device obtains the random number of storage, the initial value using the random number of storage as message authentication code computing, carries out message authentication code computing according to the key getting to the data after packing, and obtains authentication value;
Step 109-4: device is deleted the random number of storage, resets generating identification, execution step 110;
A kind of method of processing expansion safe packet providing in the present embodiment, can resolve the safe packet of the safe packet of short instruction and extended instruction, ensures confidentiality and the data integrity of data communication.
Embodiment 3
Embodiments of the invention 3 provide a kind of method of processing expansion safe packet, as shown in Figure 5, comprising:
Device receives director data, after the instruction data storage receiving is in memory block, carries out following steps:
Step 200: device is decrypted the director data in memory block, obtains message;
Particularly, the director data that device receives is the data after encryption, so device need be decrypted and obtain message director data;
Step 201: device judges that whether message is legal, is to perform step 202, otherwise returns to error message, finishes;
Particularly, device judges whether the length of message is less than the second length, is to determine that this message is illegal, otherwise determines that this message is legal; Preferably, the second length is 5 bytes;
Step 202: device judge whether message meets default form, be success from message, parse instruction, carry out corresponding operating according to the instruction parsing, return to operating result, finish, otherwise perform step 203;
Particularly, the length that default form is message is 5 bytes, or the length of message is that 7 bytes and the 5th byte are 0x00; If the length of message is 5 bytes, the instruction in this message is without data field, and non-response length value extended instruction, and the safe packet mode of message is clear-text way, has parsed instruction; If the length of message is that 7 bytes and the 5th byte are 0x00, the instruction in this message is without data field, and is response length value extended instruction, and the safe packet mode of message is clear-text way, has parsed instruction;
Step 203: device obtains a data in message according to reading address, judge safe packet mode, if clear-text way performs step 204 according to a data; If plaintext authentication mode performs step 208, if ciphertext authentication mode performs step 216; If other return to error message, finish;
Particularly, the first address that the initial value of reading address is message; Device obtains 1 byte in message data according to reading address are as the classification byte in a data, and device judges safe packet mode according to the classification byte getting, and for example, if classification byte is 0x00 or 0x80, safe packet mode is clear-text way; If classification byte is 0x84, safe packet mode is plaintext authentication mode; If classification byte is 0x8C, safe packet mode is ciphertext authentication mode; If classification byte, for other values, is returned to error message, finish;
For example, message is:
8CF42A0694D571440BEB0CF7228ABEE219F9E309A921048143289D68 E670EEA4894EBB9BD7FAE24801E0456CBB849B88D0EB1A1EDF8B4C06 EBFC680977D369132486C2ABF1AD4663EB9D96315DB3DB550306558E 6AAC4F5B6A9FBB0BC22DF18A3F5C9C72C4322AD711CD01FC5D601489 B6D9886FC6339F76CAB628A74599FD32E3535695EF48BAFE100D9FD0 5A71F3346C964119D554FC6C23; Wherein, a data is 8CF42A06, and classification byte is 8C, and the safe packet mode of message is ciphertext authentication mode;
And for example, message is:
8CF42A06000114FD0B07CEE2D03FBCD1FD7D2B03883F5D33B25462C5 7068F8E982AEF67E11759E3373703CA36151AD805AE8283A48BE3EC Wherein, a data is 8CF42A06, and classification byte is 8C, and the safe packet mode of message is ciphertext authentication mode;
Step 204: device upgrades reading address, from message, obtain the data of 1 byte according to reading address, judge according to the data of get 1 byte whether the instruction in message is data length value extended instruction, to perform step 206, otherwise using the data of 1 byte getting as data length value, execution step 205;
Particularly, upgrade reading address for reading address is added to 4; Device judges whether the data of 1 byte getting are 0, is to determine that the instruction in message is extended instruction, otherwise determines that the instruction in message is not data length value extended instruction;
Step 205: device obtains the second scope according to data length value, judge that according to the length of the second scope and message whether data field is correct, successfully from message, to parse instruction, carry out corresponding operating according to the instruction parsing, return to operating result, finish, otherwise return to error message, finish;
Particularly, the second scope be data length value add 5 and, data length value add 6 and, data length value add 8 and, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 206: device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address;
Particularly, upgrade reading address for reading address is added to 1;
Step 207: device obtains the first scope according to data length value, judge that according to the length of the first scope and message whether data field is correct, successfully from message, to parse instruction, carry out corresponding operating according to the instruction parsing, return to operating result, finish, otherwise return to error message, finish;
Particularly, the first scope be data length value add 7 and, data length value add 8 and, data length value add 10 and, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 208: device upgrades reading address, obtain the data of 1 byte according to reading address, judge according to the data of get 1 byte whether the instruction in message is data length value extended instruction, to perform step 212, otherwise using the data of 1 byte getting as data length value, execution step 209;
Particularly, upgrade reading address for reading address is added to 4; Device judges whether the data that get are 0, is to determine that the instruction in message is data length value extended instruction, otherwise determines that the instruction in message is not the expansion of data length value;
Step 209: device obtains the second scope according to data length value, judges that according to the length of the second scope and message whether data field is correct, is to perform step 210, otherwise returns to error message, finishes;
Particularly, the second scope be data length value add 5 and, data length value add 6 and, data length value add 8 and, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 210: install from the beginning data and start, in message, obtain the data of the 3rd length, obtain the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte, according to the key getting, the data of the 3rd length getting are carried out to message authentication code calculating, obtain the second authentication value;
Particularly, the 3rd length is that data length value adds 1;
Step 211: device obtains the message authentication value in message, judge that according to the second authentication value and the message authentication value getting whether message is by message authentication code authentication, to upgrade message according to the message authentication value in message, obtain instruction, carry out corresponding operating according to instruction, return to operating result, finish, otherwise return to error message, finish;
Particularly, upgrade message according to message authentication value in message, obtain instruction and be: device is removed the message authentication value in message, from subtracting 4, is data length value by the Data Update of the 5th byte of message by data length value;
Step 212: device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address from message;
Particularly, upgrade reading address for reading address is added to 1;
Step 213: device obtains the first scope according to data length value, judges that according to the length of the first scope and message whether data field is correct, is to perform step 214, otherwise returns to error message, finishes;
Particularly, the first scope be data length value add 7 and, data length value add 8 and, data length value add 10 and, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 214: install from the beginning data and start, from message, obtain the data of the first length, obtain the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte, according to the key getting, the data of the first length getting are carried out to message authentication code calculating, obtain the first authentication value;
Particularly, the first length is that data length value adds 3;
Step 215: device obtains the message authentication value in message, judge that according to the first authentication value and the message authentication value getting whether message is by message authentication code authentication, to install according to the message authentication value in message to upgrade message, obtain instruction, carry out corresponding operating according to instruction, return to operating result, finish, otherwise return to error message, finish;
Particularly, device upgrades message according to the message authentication value in message and is: device is removed the message authentication value in message, from subtracting 4, is data length value by the Data Update of the 6th byte to the 7 bytes of message by data length value;
Step 216: device upgrades reading address, from message, obtain the data of 1 byte according to reading address, judge according to the data of get 1 byte whether the instruction in message is data length value extended instruction, to perform step 223, otherwise using the data of 1 byte getting as data length value, execution step 217;
Particularly, upgrade reading address for reading address is added to 4; Device judges whether the data that get are 0, is to determine that the instruction in message is data length value extended instruction, otherwise determines that the instruction in message is not data length value extended instruction;
Step 217: device obtains the second scope according to data length value, judges that according to the length of the second scope and message whether data field is correct, is to perform step 218, otherwise returns to error message, finishes;
Particularly, the second scope be data length value add 5 and, data length value add 6 and, data length value add 8 and, whether the length that device judge message in the second scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 218: install from the beginning data and start, from message, obtain the data of the 3rd length, obtain the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte, according to the key getting, the data of the 3rd length getting are carried out to message authentication code calculating, obtain the second authentication value;
Particularly, the 3rd length is that data length value adds 1;
For example, message is:
8CF42A0694D571440BEB0CF7228ABEE219F9E309A921048143289D68 E670EEA4894EBB9BD7FAE24801E0456CBB849B88D0EB1A1EDF8B4C06 EBFC680977D369132486C2ABF1AD4663EB9D96315DB3DB550306558E 6AAC4F5B6A9FBB0BC22DF18A3F5C9C72C4322AD711CD01FC5D601489 B6D9886FC6339F76CAB628A74599FD32E3535695EF48BAFE100D9FD0 5A71F3346C964119D554FC6C23; The 3rd length is that 0x94 adds 1, i.e. 0x95;
Step 219: device obtains the message authentication value in message, judges that according to the second authentication value and the message authentication value getting message, whether by message authentication code authentication, is to perform step 220, otherwise returns to error message, finishes;
Step 220: device upgrades message according to the message authentication value in message;
Particularly, device is removed the message authentication value in message, from subtracting 4, is data length value by the Data Update of the 5th byte of message by data length value;
For example, message is updated to:
8CF42A0690D571440BEB0CF7228ABEE219F9E309A921048143289D68E670EEA4894EBB9BD7FAE24801E0456CBB849B88D0EB1A1EDF8B4C06EBFC680977D369132486C2ABF1AD4663EB9D96315DB3DB550306558E6AAC4F5B6A9FBB0BC22DF18A3F5C9C72C4322AD711CD01FC5D601489B6D9886FC6339F76CAB628A74599FD32E3535695EF48BAFE100D9FD05A71F3346C964119D5
Step 221: device upgrades reading address is obtained the data of data field from message according to reading address and data length value, according to the key getting, the data of the data field getting are decrypted, and obtains clear data;
Particularly, device is from reading position, and obtaining length is that the data of data length value are as the data of the data field getting; The clear data that deciphering obtains comprises length of the plaintext and clear content;
For example, clear data is:
8C99004504010001004E820080FB110DD5B89F09F95F683A64408A8A CDAD5CA6CE32CEF158A71C4E820F39134DBCA76FA2029A992B4237E9 6BD4A959A033E2857B2F740FED8E77060FC7418885F41BF74AA9ED95 AE1079E26410B4FF7DE12EAA5635C8C8EDE60E7CC95880EB588E51F8 0C47276B62D2E2EB6CEB4C105FE3E8DA2AED2C0FDD30F978FE150CEC B6800000; Wherein, length of the plaintext is 0x8C;
Step 222: device upgrades message according to clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to this instruction, returns to operating result, finishes; Otherwise return to error message, finish;
Particularly, device is the length of the plaintext in clear data by the Data Update of the 5th byte of message, is the data since the 2nd byte clear data by the Data Update starting from reading address;
For example, the message after renewal is:
8CF42A068C99004504010001004E820080FB110DD5B89F09F95F683A64408A8ACDAD5CA6CE32CEF158A71C4E820F39134DBCA76FA2029A992B4237E96BD4A959A033E2857B2F740FED8E77060FC7418885F41BF74AA9ED95AE1079E26410B4FF7DE12EAA5635C8C8EDE60E7CC95880EB588E51F80C47276B62D2E2EB6CEB4C105FE3E8DA2AED2C0FDD30F978FE150CECB6;
Step 223: device upgrades reading address, obtains the data of 2 bytes as data length value according to reading address from message;
Particularly, upgrade reading address for reading address is added to 1;
Step 224: device obtains the first scope according to data length value, judges that according to the length of the first scope and message whether data field is correct, is to perform step 225, otherwise returns to error message, finishes;
Particularly, the first scope be data length value add 7 and, data length value add 8 and, data length value add 10 and, whether the length that device judge message in the first scope, be to determine that the data field of message is correct, otherwise the data field of definite message is incorrect;
Step 225: install from the beginning data and start, in message, obtain the data of the first length, obtain the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte, according to the key getting, the data of the first length getting are carried out to message authentication code calculating, obtain the first authentication value;
Particularly, the first length is that data length value adds 3;
For example, message is:
8CF42A06000114FD0B07CEE2D03FBCD1FD7D2B03883F5D33B25462C5 7068F8E982AEF67E11759E3373703CA36151AD805AE8283A48BE3EC The first length is that 0x0114 adds 3, i.e. 0x0117;
Step 226: device obtains the message authentication value in message, judges that according to the first authentication value and the message authentication value getting message, whether by message authentication code authentication, is to perform step 227, otherwise returns to error message, finishes;
Step 227: device upgrades message according to the message authentication value in message;
Particularly, device is removed the message authentication value in message, from subtracting 4, is data length value by the Data Update of the 6th byte to the 7 bytes of message by data length value;
For example, message is updated to:
84F42A06000110FD0B07CEE2D03FBCD1FD7D2B03883F5D33B25462C57068F8E982AEF67E11759E3373703CA36151AD805AE8283A48BE3EC……;
Step 228: device upgrades reading address is obtained the data of data field from message according to reading address and data length value, according to the key getting, the data of the data field getting are decrypted, and obtains clear data;
Particularly, device is from reading position, and from message, obtaining length is that the data of data length value are as the data of the data field getting; The clear data that deciphering obtains comprises length of the plaintext and clear content;
For example, clear data is:
010C99004504010001004E820100BFFBCA2237EB8097025D287BED7C E2A697C40B7905C519DF9D1C930803FF50E9835A2827516434251B37 8E6F Wherein, length of the plaintext is 0x010C;
Step 229: device upgrades message according to clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to this instruction, returns to operating result, finishes; Otherwise return to error message, finish;
Particularly, device is the length of the plaintext in clear data by the Data Update of the 6th byte to the 7 bytes of message, is the data since the 2nd byte clear data by the Data Update starting from reading address;
For example, the message after renewal is:
8CF42A0600010C99004504010001004E820100BFFBCA2237EB8097025D287BED7CE2A697C40B7905C519DF9D1C930803FF50E9835A2827516434251B378E6F……;
The one providing in the present embodiment is processed expansion safe packet method, can resolve the safe packet of short instruction and extended instruction, obtains instruction, ensures confidentiality and the data integrity of data communication.
Embodiment 4
Embodiments of the invention 4 provide a kind of device of processing expansion safe packet, as shown in Figure 6, comprising: receiver module 401, the first update module 402, the first acquisition module 403, the first computing module 404, the second acquisition module 405, the first authentication module 406, the first judge module 407, the second update module 408, the 3rd acquisition module 409, the first deciphering module 410, the 3rd update module 411, the second judge module 412, processing module 413 and return to module 414;
Receiver module 401, for receiving message;
The first update module 402, while being the message of plaintext authentication mode of data length value extended instruction or the message of the ciphertext authentication mode of data length value extended instruction, upgrades reading address for the message receiving when receiver module 401; The initial value of reading address is the first address of message;
The first acquisition module 403, for upgrading the reading address obtaining obtains 2 bytes data from message as data length value according to the first update module 402;
The first computing module 404, obtains the first length for the data length value getting according to the first acquisition module 403;
The second acquisition module 405 for from the first address of message, obtains length and is the data of the first length that the first computing module 404 calculates from message;
The first authentication module 406, carries out message authentication code computing for the data of the first length that the second acquisition module 405 is got, obtains the first authentication value;
The first judge module 407, for obtaining the message authentication code of message, the first authentication value obtaining according to the first authentication module 406 computings and message authentication code judge that whether message is by certification;
The second update module 408, in the time that the first judge module 407 is judged as YES, upgrades message according to message authentication code;
The 3rd acquisition module 409, for obtaining the data of data field from message according to data length value;
The first deciphering module 410, is decrypted for the data of data field that the 3rd acquisition module 409 is got, obtains clear data;
The 3rd update module 411, for obtaining after described clear data at the first deciphering module 410, upgrades message according to clear data;
The second judge module 412, for upgrading after described message in the 3rd update module 411, judges whether the message after upgrading is legal instruction;
Processing module 413, for after upgrading instruction that message obtains and/or the second judge module according to the second update module 408 and being judged as YES, carries out corresponding operating according to this instruction;
Return to module 414, for being judged as NO at the first judge module 407 and/or returning to error message when described the second judge module is judged as NO, after processing module 413 is finished dealing with, return to operating result.
The first computing module 404 obtains the first length specifically for data length value is added to 3.
The second acquisition module 405 is also for obtaining the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte;
The data of the first length that the first authentication module 406 gets the second acquisition module 405 specifically for the key getting according to the second acquisition module 405 are carried out message authentication code computing, obtain the first authentication value;
The data of the data field that the first deciphering module 410 gets the 3rd acquisition module 409 specifically for the key getting according to the second acquisition module 405 are decrypted, and obtain clear data.
The second update module 408, specifically in the time that the first judge module 407 is judged as YES, is removed the message authentication code in message, from subtracting 4, is data length value by the Data Update of the 6th byte to the 7 bytes of message by data length value.
The 3rd update module 411 is specifically for obtaining after described clear data at the first deciphering module 410, the data of the 1st byte to the 2 bytes that are clear data by the Data Update of the 6th byte to the 7 bytes in message are the data since the 3rd byte clear data by the Data Update starting from reading address.
Device also comprises the second deciphering module and the 3rd judge module;
The second deciphering module, is decrypted for the director data to memory block, obtains message;
The 3rd judge module, whether legal for judging message;
Return to module 414 also for return to error message in the time that the 3rd judge module is judged as NO.
The 3rd judge module, specifically for judging whether civilian length is less than the second length, be that message is illegal, otherwise message is legal.
Device also comprises the 4th judge module and the 5th judge module;
The 4th judge module, for judging whether message meets default form;
Processing module 413, also in the time that the 4th judge module is judged as YES, corresponding operating is carried out in the instruction obtaining according to parsing;
The 5th judge module, for obtaining the data of the 5th byte of message, judges whether the data of the 5th byte getting are 0, be that message is the message of data length value extended instruction, otherwise message is not the message of data length value extended instruction.
Device also comprises the second computing module and the 6th judge module;
The second computing module, for obtaining the first scope according to data length value;
The 6th judge module, whether correct for judge the data field of message according to the length of the first scope and message;
Return to module 414 also for return to error message in the time that the 6th judge module is judged as NO.
Whether the 6th judge module in the first scope, be that the data field of message is correct, otherwise the data field of message is incorrect specifically for the length that judges message.
Device also comprises the 4th acquisition module and the 7th judge module;
The 4th acquisition module, for the data of the 1st byte of obtaining message as the classification byte of a data of message;
The 7th judge module, for judge the safe packet mode of message according to classification byte, if classification byte is the first preset value message that message is clear-text way, if classification byte be the second preset value message be the message of plaintext authentication mode, if classification byte be the 3rd preset value message be the message of ciphertext authentication mode; Return to module and return to error message if classification byte is other character strings.
Device also comprises the 5th acquisition module, the 8th judge module and the 9th judge module;
The 5th acquisition module, for the data of the 2nd byte of obtaining message as the command byte of a data of message;
Whether the 8th judge module, be the first preset function for the function of the instruction that judges message according to command byte, is that message is the message of ciphertext authentication mode;
The 9th judge module, for obtain the data of the 5th byte of message in the time that the 8th judge module is judged as NO, whether the data that judge the 5th byte getting are 0, are to return to module to return to error message, otherwise obtain the safe packet mode of message according to command byte.
Device also comprises the 6th acquisition module, the 3rd computing module and the tenth judge module;
The 6th acquisition module, in the time that receiver module receives the message of clear-text way of non-data length value extended instruction or the message of the message of the plaintext authentication mode of non-data length value extended instruction or the ciphertext authentication mode of non-data length value extended instruction, for the data of obtaining 1 byte from message according to reading address as data length value;
The 3rd computing module, for obtaining the second scope according to data length value;
The tenth judge module, whether correct for judge the data field of message according to the length of the second scope and message;
Return to module 414 also for return to error message in the time that the tenth judge module is judged as NO;
Processing module 413 is also carried out corresponding operating for the instruction obtaining according to parsing after being judged as YES at the tenth judge module.
Device also comprises the 4th computing module, the 7th acquisition module, the second authentication module and the 11 judge module;
The 4th computing module, when receive the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when receiver module, obtains the 3rd length according to data length value;
The 7th acquisition module, for from the first address of message, obtains the data of the 3rd length;
The second authentication module, carries out message authentication code computing for the data of the 3rd length that the 7th acquisition module is got, obtains the second authentication value;
The 11 judge module, for obtaining the message authentication code of message, judges that according to the second authentication value and message authentication code whether message is by certification;
Return to module 414 also for return to error message in the time that the 11 judge module is judged as NO;
The second update module 408, also in the time that the 11 judge module is judged as YES, is upgraded message and obtains corresponding instruction according to message authentication code.
The 4th computing module obtains the 3rd length specifically for data length value being added to 1.
The 7th acquisition module is also for obtaining the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte;
The second authentication module, the data of the 3rd length the 7th acquisition module being got specifically for the key getting according to the 7th acquisition module are carried out message authentication code computing, obtain the second authentication value.
The 7th acquisition module is also for obtaining the data of the 2nd byte of message, the key setting in advance according to the data acquisition of the get the 2nd byte;
The data of the data field that the first deciphering module 410 also gets the 3rd acquisition module 409 for the key getting according to the 7th acquisition module are decrypted, and obtain clear data.
The second update module 408 is when receiving the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when receiver module 401, remove the message authentication code in message, from subtracting 4, be data length value by the Data Update of the 5th byte of message by data length value.
The 3rd update module 411 is also when receiving the message of ciphertext authentication mode of non-data length value extended instruction when receiver module 401, the data of the 1st byte that is clear data by the Data Update of the 5th byte of message are the data since the 2nd byte clear data by the Data Update starting from reading address.
The above; only for preferably embodiment of the present invention, but protection scope of the present invention is not limited to this, is anyly familiar with those skilled in the art in technical scope disclosed by the invention; the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (40)

1. a method of processing expansion safe packet, is characterized in that, described method comprises:
In the time that device is judged the message receiving and is the message of plaintext authentication mode of data length value extended instruction, carry out following steps:
Step S1: described device upgrades reading address, obtains the data of 2 bytes as data length value according to described reading address from described message; The initial value of described reading address is the first address of described message;
Step S2: described device obtains the first length according to described data length value, from the first address of described message, obtains the data of described the first length, and the data of described the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S3: described device obtains message authentication code from described message, judges that according to described the first authentication value and described message authentication code described message, whether by certification, is to perform step S4, otherwise returns to error message, finishes;
Step S4: described device upgrades described message according to described message authentication code, obtains corresponding instruction, carries out corresponding operating, and return to operating result according to described instruction, finishes;
In the time that described device is judged the message receiving and is the message of ciphertext authentication mode of data length value extended instruction, carry out following steps:
Step S5: described device upgrades reading address, obtains the data of 2 bytes as data length value according to described reading address from described message; The initial value of described reading address is the first address of described message;
Step S6: described device obtains the first length according to described data length value, from the first address of described message, obtains the data of the first length, and the data of described the first length getting are carried out to message authentication code computing, obtains the first authentication value;
Step S7: described device obtains the message authentication code in described message, judges that according to described the first authentication value and described message authentication code described message, whether by certification, is to perform step S8, otherwise returns to error message, finishes;
Step S8: described device upgrades described message according to described message authentication code;
Step S9: described device upgrades described reading address obtains the data of data field according to the reading address after upgrading and described data length value from described message, and the data of the described data field getting are decrypted, and obtains clear data;
Step S10: described device upgrades described message according to described clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to described instruction, and returns to operating result, finishes; Otherwise return to error message, finish.
2. method according to claim 1, is characterized in that, described device obtains the first length according to described data length value and is specially: described data length value is added to 3 and obtain described the first length.
3. method according to claim 1, it is characterized in that, the described data to described the first length getting are carried out message authentication code computing, obtaining the first authentication value is specially: described device obtains the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the first length getting are carried out to message authentication code computing, obtain the first authentication value;
Described step S9 is specially: described device upgrades described reading address, from described message, obtain the data of data field according to the reading address after upgrading and described data length value, according to the described key getting, the data of the described data field getting are decrypted, obtain clear data.
4. method according to claim 1, it is characterized in that, described device upgrades described message according to described message authentication code and is specially: described device is removed the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 6th byte to the 7 bytes of described message by described data length value.
5. method according to claim 1, it is characterized in that, described device upgrades described message according to described clear data, be specially: the data of the 1st byte to the 2 bytes that described device is described clear data by the Data Update of the 6th byte to the 7 bytes in described message are the data since the 3rd byte described clear data by the Data Update starting from described reading address.
6. method according to claim 1, is characterized in that, comprises: described device is decrypted the director data in memory block before described step S1, obtaining message, judge that whether described message is legal, is to perform step S1, otherwise return to error message, finish;
Before described step S5, comprise: described device is decrypted the director data in memory block, obtains message, judges that whether described message is legal, be to perform step S5, otherwise return to error message, finish.
7. method according to claim 6, is characterized in that, described device judges whether described message is legal and is specially: described device judges whether the length of described literary composition is less than the second length, be that described message is illegal, otherwise described message is legal.
8. method according to claim 1, is characterized in that, before described step S1 and step S5, comprises described device judges whether the message receiving is the message of data length value extended instruction, is specially:
Steps A 1: described device judges whether described message meets default form, is that described device has parsed corresponding instruction from described message, carries out corresponding operating, and return to operating result according to described instruction, finishes; Otherwise execution step A2;
Steps A 2: described device obtains the data of the 5th byte of described message, whether the data that judge described the 5th byte getting are 0, that described device is judged the message that described message is data length value extended instruction, otherwise described device to judge described message be not the message of data length value extended instruction.
9. method according to claim 1, is characterized in that, after described step S1, comprises:
Described device obtains the first scope according to described data length value, judges that whether the data field of described message is correct according to the length of described the first scope and described message, is to perform step S2, otherwise returns to error message, finishes;
After described step S5, comprise:
Described device obtains the first scope according to described data length value, judges that whether the data field of described message is correct according to the length of described the first scope and described message, is to perform step S6, otherwise returns to error message, finishes.
10. method according to claim 9, it is characterized in that, described device judges that according to the length of described the first scope and described message whether the data field of described message is correct, be specially: described device judges that the length of described message is whether in described the first scope, the data field that is described message is correct, otherwise the data field of described message is incorrect.
11. method according to claim 1, is characterized in that, comprises that described device judges the safe packet mode of the message receiving, and is specially before described step S1 and step S5:
Step B1: described device obtains the data of the 1st byte of described message as the classification byte in a data of described message;
Step B2: described device judges the safe packet mode of described message according to described classification byte, if described classification byte be the first preset value described device judge the message that described message is clear-text way, if described classification byte be the second preset value described device judge the message that described message is plaintext authentication mode, if described classification byte be the 3rd preset value described device judge the message that described message is ciphertext authentication mode; Return to error message if described classification byte is other character strings, finish.
12. method according to claim 1, is characterized in that, comprises that described device judges the safe packet mode of the message receiving, and is specially before described step S1 and step S5:
Step B1 ': described device obtains the data of the 2nd byte of described message as the command byte in a data of described message;
Step B2 ': described device judges according to described command byte whether the function of the instruction in described message is the first preset function, is that described device is judged the message that described message is ciphertext authentication mode, otherwise execution step B3 ';
Step B3 ': described device obtains the data of the 5th byte of described message, judges whether the data of described the 5th byte getting are 0, is to return to error message, finish, otherwise the described safe packet mode that obtains described message according to described command byte.
13. method according to claim 1, is characterized in that, in the time that described device is judged the message receiving and is the message of clear-text way of data length value extended instruction, carries out following steps:
Step S11: described device upgrades reading address, the data of obtaining 2 bytes according to described reading address from described message are as data length value, obtain the first scope according to described data length value, whether the data field that judges described message according to the length of described the first scope and described message is correct, be from described message, to have parsed corresponding instruction, carry out corresponding operating and return to operating result according to described instruction, finish, otherwise return to error message, finish.
14. method according to claim 1, is characterized in that, in the time that described device is judged the message receiving and is the message of clear-text way of non-data length value extended instruction, carries out following steps:
Step S12: described device upgrades reading address, the data of obtaining 1 byte according to described reading address from described message are as data length value, obtain the second scope according to described data length value, whether the data field that judges described message according to the length of described the second scope and described message is correct, be from described message, to have parsed corresponding instruction, carry out corresponding operating and return to operating result according to described instruction, finish, otherwise return to error message, finish.
15. methods according to claim 1, is characterized in that, in the time that described device is judged the message receiving and is the message of plaintext authentication mode of non-data length value extended instruction, carry out following steps:
Step S13-1: described device upgrades reading address, obtains the data of 1 byte as data length value according to described reading address from described message;
Step S13-2: described device obtains the second scope according to described data length value, judges that according to the length of described the second scope and described message whether the data field of described message is correct, is to perform step S13-3, otherwise returns to error message, finishes;
Step S13-3: described device obtains the 3rd length according to described data length value, from the first address of described message, obtains the data of the 3rd length, and the data of described the 3rd length getting are carried out to message authentication code computing, obtains the second authentication value;
Step S13-4: described device obtains the message authentication code in described message, judges that according to described the second authentication value and described message authentication code described message, whether by certification, is to perform step S13-5, otherwise returns to error message, finishes;
Step S13-5: described device upgrades described message according to described message authentication code, obtains corresponding instruction, carries out corresponding operating and returns to operating result according to described instruction, finishes.
16. method according to claim 1, is characterized in that, in the time that described device receives the message of ciphertext authentication mode of non-data length value extended instruction, carries out following steps:
Step S14-1: described device upgrades reading address, obtains the data of 1 byte as data length value according to described reading address from described message;
Step S14-2: described device obtains the second scope according to described data length value, judges that according to the length of described the second scope and described message whether the data field of described message is correct, is to perform step S14-3, otherwise returns to error message, finishes;
Step S14-3: described device obtains the 3rd length according to described data length value, from the first address of described message, obtains the data of the 3rd length, and the data of described the 3rd length getting are carried out to message authentication code computing, obtains the second authentication value;
Step S14-4: described device obtains the message authentication code in described message, judges that according to described the second authentication value and described message authentication code described message, whether by certification, is to perform step S14-5, otherwise returns to error message, finishes;
Step S14-5: described device upgrades described message according to described message authentication code;
Step S14-6: described device upgrades described reading address obtains the data of data field from described message according to described reading address and described data length value, the data of the described data field getting are decrypted, and obtains clear data;
Step S14-7: described device upgrades described message according to described clear data, judges whether the message after upgrading is legal instruction, is to carry out corresponding operating according to described instruction, and returns to operating result, finishes; Otherwise return to error message, finish.
17. according to the method described in claim 15 or 16, it is characterized in that, described device obtains the 3rd length according to described data length value, is specially: described data length value is added to 1 and obtain described the 3rd length.
18. methods according to claim 15, it is characterized in that, described step S13-3 is specially: described device obtains the 3rd length according to described data length value, from the first address of described message, obtain the data of the 3rd length, obtain the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the 3rd length getting are carried out to message authentication code computing, obtain the second authentication value.
19. methods according to claim 16, is characterized in that, described step S14-3 is specially:
Described device obtains the 3rd length according to described data length value, from the first address of described message, obtain the data of the 3rd length, obtain the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting, according to the described key getting, the data of described the 3rd length getting are carried out to message authentication code computing, obtain the second authentication value;
Described step S14-6 is specially: described device upgrades described reading address, from described message, obtain the data of data field according to described reading address and described data length value, according to the described key getting, the data of the described data field getting are decrypted, obtain clear data.
20. according to the method described in claim 15 or 16, it is characterized in that, described device upgrades described message according to described message authentication code and is specially: described device is removed the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 5th byte of described message by described data length value.
21. methods according to claim 16, it is characterized in that, described device upgrades described message according to described clear data, be specially: the data of the 1st byte that described device is described clear data by the Data Update of the 5th byte of described message are the data since the 2nd byte described clear data by the Data Update starting from described reading address.
Process the device of expansion safe packet for 22. 1 kinds, it is characterized in that, described device comprises: receiver module, the first update module, the first acquisition module, the first computing module, the second acquisition module, the first authentication module, the first judge module, the second update module, the 3rd acquisition module, the first deciphering module, the 3rd update module, the second judge module, processing module and return to module;
Described receiver module, for receiving message;
Described the first update module, while being the message of plaintext authentication mode of data length value extended instruction or the message of the ciphertext authentication mode of data length value extended instruction, upgrades reading address for the described message receiving when described receiver module; The initial value of described reading address is the first address of described message;
Described the first acquisition module, for upgrading the described reading address that obtains obtains 2 bytes data from described message as data length value according to described the first update module;
Described the first computing module, obtains the first length for the described data length value getting according to described the first acquisition module;
Described the second acquisition module, for from the first address of described message, obtains the data of described the first length;
Described the first authentication module, carries out message authentication code computing for the data of described the first length that described the second acquisition module is got, obtains the first authentication value;
Described the first judge module, for obtaining the message authentication code of described message, described the first authentication value obtaining according to described the first authentication module computing and described message authentication code judge that whether described message is by certification;
Described the second update module, in the time that described the first judge module is judged as YES, upgrades described message according to described message authentication code;
Described the 3rd acquisition module, for obtaining the data of data field from described message according to described reading address and described data length value;
Described the first deciphering module, is decrypted for the data of described data field that described the 3rd acquisition module is got, obtains clear data;
Described the 3rd update module, for obtaining, after described clear data, upgrading described message according to described clear data in described the first deciphering module deciphering;
Described the second judge module, for upgrading after described message in described the 3rd update module, judges whether the message after upgrading is legal instruction;
Described processing module, for after upgrading instruction that described message obtains and/or described the second judge module according to described the second update module and being judged as YES, carries out corresponding operating according to described instruction;
The described module of returning for being judged as NO at described the first judge module and/or returning to error message when described the second judge module is judged as NO, is returned to operating result after described processing module is finished dealing with.
23. device according to claim 22, is characterized in that, described the first computing module obtains described the first length specifically for described data length value is added to 3.
24. device according to claim 22, is characterized in that, described the second acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
The data of described the first length that described the first authentication module gets described the second acquisition module specifically for the described key getting according to described the second acquisition module are carried out message authentication code computing, obtain the first authentication value;
The data of the described data field that described the first deciphering module gets described the 3rd acquisition module specifically for the described key getting according to described the second acquisition module are decrypted, and obtain clear data.
25. devices according to claim 22, it is characterized in that, described the second update module is specifically in the time that described the first judge module is judged as YES, remove the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 6th byte to the 7 bytes of described message by described data length value.
26. devices according to claim 22, it is characterized in that, described the 3rd update module is specifically for obtaining after described clear data in described the first deciphering module deciphering, the data of the 1st byte to the 2 bytes that are described clear data by the Data Update of the 6th byte to the 7 bytes in described message are the data since the 3rd byte described clear data by the Data Update starting from described reading address.
27. device according to claim 22, is characterized in that, described device also comprises the second deciphering module and the 3rd judge module;
Described the second deciphering module, is decrypted for the director data to memory block, obtains message;
Described the 3rd judge module, whether legal for judging described message;
The described module of returning also for returning to error message in the time that described the 3rd judge module is judged as NO.
28. devices according to claim 27, is characterized in that, whether described the 3rd judge module is less than the second length specifically for the length that judges described literary composition, be that described message is illegal, otherwise described message is legal.
29. device according to claim 22, is characterized in that, described device also comprises the 4th judge module and the 5th judge module;
Described the 4th judge module, for judging whether described message meets default form;
Described processing module, also in the time that described the 4th judge module is judged as YES, corresponding operating is carried out in the instruction obtaining according to parsing;
Described the 5th judge module, be used for the data of the 5th byte of obtaining described message, whether the data that judge described the 5th byte getting are 0, are that described message is the message of data length value extended instruction, otherwise described message is not the message of data length value extended instruction.
30. device according to claim 22, is characterized in that, described device also comprises the second computing module and the 6th judge module;
Described the second computing module, for obtaining the first scope according to described data length value;
Described the 6th judge module, whether correct for judge the data field of described message according to the length of described the first scope and described message;
The described module of returning also for returning to error message in the time that described the 6th judge module is judged as NO.
31. device according to claim 30, is characterized in that, whether described the 6th judge module in described the first scope, be that the data field of described message is correct, otherwise the data field of described message is incorrect specifically for the length that judges described message.
32. device according to claim 22, is characterized in that, described device also comprises the 4th acquisition module and the 7th judge module;
Described the 4th acquisition module, for the data of the 1st byte of obtaining described message as the classification byte of a data of described message;
Described the 7th judge module, for judge the safe packet mode of described message according to described classification byte, if described classification byte is the first preset value message that described message is clear-text way, if described classification byte be the second preset value described message be the message of plaintext authentication mode, if described classification byte be the 3rd preset value described message be the message of ciphertext authentication mode; Return to module described in and return to error message if described classification byte is other character strings.
33. devices according to claim 22, is characterized in that, described device also comprises the 5th acquisition module, the 8th judge module and the 9th judge module;
Described the 5th acquisition module, for the data of the 2nd byte of obtaining described message as the command byte of a data of described message;
Whether described the 8th judge module, be the first preset function for the function of the instruction that judges described message according to described command byte, is that described message is the message of ciphertext authentication mode;
Described the 9th judge module, for obtain the data of described message in the time that described the 8th judge module is judged as NO, whether the data that judge described the 5th byte getting are 0, be to return to module described in to return to error message, otherwise obtain the safe packet mode of described message according to described command byte.
34. devices according to claim 22, is characterized in that, described device also comprises the 6th acquisition module, the 3rd computing module and the tenth judge module;
Described the 6th acquisition module, in the time that described receiver module receives the message of clear-text way of non-data length value extended instruction or the message of the message of the plaintext authentication mode of non-data length value extended instruction or the ciphertext authentication mode of non-data length value extended instruction, for the data of obtaining 1 byte from described message according to described reading address as data length value;
Described the 3rd computing module, for obtaining the second scope according to described data length value;
Described the tenth judge module, whether correct for judge the data field of described message according to the length of described the second scope and described message;
The described module of returning also for returning to error message in the time that described the tenth judge module is judged as NO;
Described processing module is also carried out corresponding operating for the instruction obtaining according to parsing after being judged as YES at described the tenth judge module.
35. device according to claim 22, is characterized in that, described device also comprises the 4th computing module, the 7th acquisition module, the second authentication module and the 11 judge module;
Described the 4th computing module, when receive the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when described receiver module, obtains the 3rd length according to described data length value;
Described the 7th acquisition module, for from the first address of described message, obtains the data of the 3rd length;
Described the second authentication module, carries out message authentication code computing for the data of described the 3rd length that described the 7th acquisition module is got, obtains the second authentication value;
Described the 11 judge module, for obtaining the message authentication code of described message, judges that according to described the second authentication value and described message authentication code whether described message is by certification;
The described module of returning also for returning to error message in the time that described the 11 judge module is judged as NO;
Described the second update module, also in the time that described the 11 judge module is judged as YES, is upgraded described message and is obtained corresponding instruction according to described message authentication code.
36. device according to claim 35, is characterized in that, described the 4th computing module obtains described the 3rd length specifically for described data length value being added to 1.
37. device according to claim 35, is characterized in that, described the 7th acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
Described the second authentication module, the data of described the 3rd length described the 7th acquisition module being got specifically for the described key getting according to described the 7th acquisition module are carried out message authentication code computing, obtain the second authentication value.
38. device according to claim 35, is characterized in that, described the 7th acquisition module is also for obtaining the data of the 2nd byte of described message, the key setting in advance according to the data acquisition of described the 2nd byte getting;
The data of the described data field that described the first deciphering module also gets described the 3rd acquisition module for the described key getting according to described the 7th acquisition module are decrypted, and obtain clear data.
39. devices according to claim 35, it is characterized in that, described the second update module is when receiving the message of plaintext authentication mode of non-data length value extended instruction or the message of the ciphertext authentication mode of non-data length value extended instruction when described receiver module, remove the described message authentication code in described message, from subtracting 4, be described data length value by the Data Update of the 5th byte of described message by described data length value.
40. devices according to claim 35, it is characterized in that, described the 3rd update module is also when receiving the message of ciphertext authentication mode of non-data length value extended instruction when described receiver module, the data of the 1st byte that is described clear data by the Data Update of the 5th byte of described message are the data since the 2nd byte described clear data by the Data Update starting from described reading address.
CN201410223345.3A 2014-05-26 2014-05-26 A kind of method and device for processing extension safe packet Active CN103957225B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410223345.3A CN103957225B (en) 2014-05-26 2014-05-26 A kind of method and device for processing extension safe packet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410223345.3A CN103957225B (en) 2014-05-26 2014-05-26 A kind of method and device for processing extension safe packet

Publications (2)

Publication Number Publication Date
CN103957225A true CN103957225A (en) 2014-07-30
CN103957225B CN103957225B (en) 2017-03-29

Family

ID=51334451

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410223345.3A Active CN103957225B (en) 2014-05-26 2014-05-26 A kind of method and device for processing extension safe packet

Country Status (1)

Country Link
CN (1) CN103957225B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859291A (en) * 2005-12-13 2006-11-08 华为技术有限公司 Method for safety packaging network message
CN102761557A (en) * 2012-07-31 2012-10-31 飞天诚信科技股份有限公司 Terminal device authentication method and device
CN102946315A (en) * 2012-11-19 2013-02-27 成都卫士通信息产业股份有限公司 Method and system for constructing MAC (Media Access Control) code by utilizing packet mode
US8615081B2 (en) * 2011-06-01 2013-12-24 International Business Machines Corporation Secure key creation

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859291A (en) * 2005-12-13 2006-11-08 华为技术有限公司 Method for safety packaging network message
US8615081B2 (en) * 2011-06-01 2013-12-24 International Business Machines Corporation Secure key creation
CN102761557A (en) * 2012-07-31 2012-10-31 飞天诚信科技股份有限公司 Terminal device authentication method and device
CN102946315A (en) * 2012-11-19 2013-02-27 成都卫士通信息产业股份有限公司 Method and system for constructing MAC (Media Access Control) code by utilizing packet mode

Also Published As

Publication number Publication date
CN103957225B (en) 2017-03-29

Similar Documents

Publication Publication Date Title
TWI551074B (en) Communication system and method for near field communication
CN101344906B (en) Sectional type remote updating method
CN109560931B (en) Equipment remote upgrading method based on certificate-free system
CN105939515B (en) Car-mounted terminal virtual SIM card information update system and method
CN103248495B (en) A kind of method, server, client and system applying interior paying
KR102453705B1 (en) Operation Method of Payment Device for Selectively Enabling Payment Function According to Validity of Host
CN112799706A (en) Vehicle upgrade package processing method and device
US10685095B2 (en) Processing equipment and remote management system
CN109831775B (en) Processor, baseband chip and SIM card information transmission method
EP3531322A1 (en) Method and apparatus for verifying update of diagnostic connector of diagnostic device and diagnostic connector
CN103458400A (en) Key management method for voice encryption communication system
CN102523095A (en) User digital certificate remote update method with intelligent card protection function
CN105721154B (en) Encryption protection method based on Android platform communication interface
US20230171100A1 (en) Personalization of a secure element
CN106656993B (en) Dynamic verification code verification method and device
CN106020868B (en) A kind of smart card firmware update and system
CN107016275A (en) A kind of USB security configurations method
CN112751702A (en) Data configuration device for configuring data processing entities
CN104284333A (en) Mobile terminal personal data encryption backing-up, recovering and synchronizing controlling method and device
CN109451504A (en) Internet of Things mould group method for authenticating and system
CN101808100B (en) Method and system for solving replay of remote update of information safety device
CN105376619B (en) A kind of set-top box and the means of communication with smart card
CN111093190B (en) Method, device, system, electronic equipment and storage medium for writing key data
CN102012978B (en) Method and system for safely upgrading ISO (International Standard Code) file
CN103841552A (en) Method and system for carrying out aerial card writing through mobile terminal and card reader

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant