CN103973438B - communication channel dynamic encrypting method - Google Patents
Communication channel dynamic encryption method
- Publication number: CN103973438B (application CN201410114900.9A)
- Authority: CN (China)
- Prior art keywords: client, server, encryption scheme, scheme, time
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
A communication channel dynamic encryption method between a server and a client. The method comprises: establishing a key store on the server and on the client respectively; the client randomly selecting a first encryption scheme and establishing a communication connection with the server; the server decrypting and verifying the authentication information the client transmitted when establishing the connection; the server comparing the client's key store version number against its own and deciding whether to update the client's key store; the server randomly assigning a second encryption scheme under which the client's login authentication information is encrypted; and the server randomly assigning a third encryption scheme under which communication data is encrypted. Every data exchange of the method is encrypted. Before the server assigns the third encryption scheme, only encryption scheme identifiers, never specific keys, travel over the channel; after the server assigns the third encryption scheme, that scheme is bound to the session on both sides and only the encrypted communication data needs to be transmitted.
Description
Technical field
The present invention relates to communication channel encryption technology, and in particular to a communication channel dynamic encryption method.
Background technology
Current networked products all follow a client/server pattern: the server is operated by the vendor, and the client runs on the user's computer. Communication between client and server relies entirely on the exchange of packets. Many networked products encrypt the packets exchanged between client and server. Although this stops a captured packet from being read, the encryption algorithm in the client is fixed and hard-coded, so once an attacker has analysed the client's fixed encryption algorithm he can impersonate either the client or the server and send packets to the other party; a node sitting between client and server can also intercept the packets, decrypt them, forge or alter the data, re-encrypt it and forward it without being detected. Because neither the server nor the client can tell whether a packet really came from the legitimate other party, conventional encryption cannot fundamentally solve the data communication security problem of networked products, which greatly hinders the healthy development of the network environment.
Summary of the invention
In view of the foregoing, there is a need for a communication channel dynamic encryption method that can effectively protect the security of network communication.
A communication channel dynamic encryption method between a server and a client, characterised in that the method comprises: establishing a key store on the server and on the client respectively; the client randomly selecting a first encryption scheme and establishing a communication connection with the server; the server decrypting and verifying the authentication information the client transmitted when establishing communication; the server comparing the client's key store version number against its own and deciding whether to update the client's key store; the server randomly assigning a second encryption scheme under which the client's login authentication information is encrypted; and the server randomly assigning a third encryption scheme under which communication data is encrypted.
In a further improvement of the above technical solution, the second encryption scheme is an asymmetric encryption scheme.
In a further improvement of the above technical solution, the third encryption scheme is a symmetric encryption scheme.
In a further improvement of the above technical solution, the symmetric encryption scheme includes a compression scheme and a serialisation scheme.
In a further improvement of the above technical solution, the server's key store includes multiple versions, whereas the client's key store has only one version.
In a further improvement of the above technical solution, the authentication information includes the key store version number, a key store digest and a system time.
In a further improvement of the above technical solution, the system time includes a first system time and a second system time.
In a further improvement of the above technical solution, the first system time is the system time at which the client randomly selects the first encryption scheme and establishes the communication connection with the server, and the second system time is the system time at which, after the client's key store version has been verified and updated, the client requests the second encryption scheme from the server.
In a further improvement of the above technical solution, if the communication channel between the client and the server is disconnected and reconnected, the client randomly selects a first encryption scheme again and re-establishes the communication connection with the server.
In a further improvement of the above technical solution, the server presets a timeout corresponding to the third encryption scheme; the client and the server both bind the third encryption scheme and the timeout to the communication session; and at a random idle point after the timeout has elapsed, the server randomly assigns a new third encryption scheme to the client.
Compared with the prior art, the communication channel dynamic encryption method of the invention not only effectively protects the security of network communication but also has the following advantages:
1. The server holds key stores of every version, while the client holds only the key store of its own single version; this avoids coupling to the JDK keystore.
2. Each time a communication channel is established, the server randomly assigns a different encryption scheme to each client, so that different channels are encrypted differently.
3. Key stores are upgraded and maintained by version number, which is convenient and extensible, and a cryptographic hash function is applied before every channel establishment to detect whether the data in the client's key store has been tampered with.
4. Every data exchange between the server and the client is encrypted; only encryption scheme identifiers, never specific keys, travel over the channel; and user authentication information and communication data use different encryption schemes, which is safer still.
5. By setting a timeout on the channel's encryption scheme, once the scheme has timed out the server reassigns an encryption scheme (including compression scheme, serialisation scheme and so on) to the client at the next unpredictable idle point of the channel, achieving dynamic encryption within the same channel.
Brief description of the drawings
To explain the technical solution of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently the drawings described below are only embodiments of the invention; a person of ordinary skill in the art could obtain further drawings from them without creative effort.
Fig. 1 is a flow chart of a preferred embodiment of the communication channel dynamic encryption method of the invention.
Detailed description
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings of the embodiments. Evidently the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of the invention.
Fig. 1 is a flow chart of a preferred embodiment of the communication channel dynamic encryption method of the invention. The method is used in the communications field to let a server and a client establish a reliable communication connection. It comprises the following steps.
Step S01: establish a key store on the server and on the client respectively. Specifically, the server holds key stores of every version, whereas the client holds only the key store of one particular version; this avoids coupling to the JDK keystore.
Step S02: the client randomly selects a first encryption scheme and establishes a communication connection with the server. Specifically, the client establishes a connection with the server, randomly selects a first encryption scheme from its key store, encrypts several pieces of authentication information together with the client's current first system time (the system time at which the client selected the first encryption scheme and established the connection with the server), and transmits them to the server. In one embodiment, the client loads locally configured information (server IP and port) and establishes a TCP connection to the server. Once the connection is up, the client randomly selects an encryption scheme (the first encryption scheme) from its local key store, encrypts the authentication information, namely the client's key store version number, key store digest and first system time (the current system time at which the client and the server established communication), and sends it to the server together with the first encryption scheme.
Step S03: the server decrypts and verifies the authentication information the client transmitted when establishing communication. Specifically, the server checks the integrity and legitimacy of the client's key store, and at the same time records the first system time sent by the client, so that later steps can use it to judge whether the time the verification process took is reasonable. In one embodiment, the server obtains from its own key store the decryption scheme corresponding to the first encryption scheme the client passed over and uses it to decrypt the authentication information. The server then uses the client's key store version number to find the matching key store on the server side, computes a digest over it, and compares the server's digest with the client's digest, which detects tampering with the client's key store.
Step S04: verify and update the client's key store version. Specifically, the server compares the client's key store version number with its own and decides whether to update the client's key store. After the received authentication information has been verified successfully, the server goes on to verify the client's key store version and decides whether the client's key store and authentication information need to be updated online. If the server's key store version number is higher than the client's, the server triggers a key store update and updates the client's key store online. After the update the client re-obtains the authentication information (key store digest and so on) and step S02 is performed again for a fresh integrity check. If server-side authentication fails, the client connection is closed and the network resources are released. If authentication succeeds and the server's key store version number equals the client's, step S041 follows.
Step S041: judge whether the time the process took is reasonable. Specifically, the client sends the server a request for the second encryption scheme (containing the version number, the second system time and so on). The server analyses the difference between the first system time it received and the second system time to judge whether the time taken is reasonable (for example, if a key store update was performed, the process will take longer). If the time taken is within the acceptable range, step S05 is performed; if it is abnormal, step S02 is performed again.
Step S05: the server randomly assigns a second encryption scheme (the user authentication encryption scheme) under which the authentication information for the client's login to the server is encrypted. Specifically, after the timing check succeeds, the server randomly assigns the client a second encryption scheme for encrypting the client's login authentication information; the client encrypts its user name, password and other authentication information under the second encryption scheme and sends them to the server for authentication, and once authentication succeeds it requests the third encryption scheme (the data transmission encryption scheme) from the server. In the preferred embodiment the second encryption scheme is typically asymmetric, and the third encryption scheme is typically symmetric and includes a compression scheme and a serialisation scheme.
Step S06: the server randomly assigns a third encryption scheme under which communication data is encrypted. Specifically, the server randomly assigns the client a third encryption scheme for encrypting communication data and sets a timeout for the assigned third encryption scheme; the client and the server both bind the third encryption scheme and the timeout to the current session between them for transmitting data. In one embodiment, the third encryption scheme the server assigns to the client after successful authentication is the scheme for ordinary information; it typically uses symmetric encryption and includes a compression scheme and a serialisation scheme.
Step S07: set the timeout of the third encryption scheme, bind it to the session and transmit data. Specifically, the server may set a timeout corresponding to the third encryption scheme; the client and the server then both bind the third encryption scheme and the timeout to the current communication session and transmit data. Meanwhile they check whether the scheme has timed out or the connection has dropped. If the scheme has timed out, the server performs step S06 again at a random idle point after the timeout and randomly assigns a new third encryption scheme to the client. If the communication channel between the client and the server drops and needs to be reconnected, step S02 is performed again and the client re-establishes the channel's encryption schemes with the server. Otherwise, step S08 follows once data transmission is complete. In alternative embodiments the timeout may be omitted.
Step S08: disconnect the communication channel, i.e. close the communication connection between the client and the server.
The communication channel dynamic encryption method of the invention has the following advantages:
1. The server holds key stores of every version, while the client holds only the key store of its own single version; this avoids coupling to the JDK keystore.
2. Each time a communication channel is established, the server randomly assigns a different encryption scheme to each client, so that different channels are encrypted differently.
3. Key stores are upgraded and maintained by version number, which is convenient and extensible, and a cryptographic hash function is applied before every channel establishment to detect whether the data in the client's key store has been tampered with.
4. Every data exchange between the server and the client is encrypted; only encryption scheme identifiers, never specific keys, travel over the channel; and user authentication information and communication data use different encryption schemes, which is safer still.
5. By setting a timeout on the channel's encryption scheme, once the scheme has timed out the server reassigns an encryption scheme (including compression scheme, serialisation scheme and so on) to the client at the next unpredictable idle point of the channel, achieving dynamic encryption within the same channel.
The above embodiments merely illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the preferred embodiments above, those skilled in the art will understand that modifications or equivalent substitutions may be made to the technical solution of the invention without departing from its spirit and scope.
Claims (5)
1. A communication channel dynamic encryption method, characterised in that the method comprises: establishing a key store on the server and on the client respectively; the client randomly selecting a first encryption scheme and establishing a communication connection with the server; the server decrypting and verifying the authentication information the client transmitted when establishing communication, the authentication information comprising a key store version number, a key store digest and a system time, the system time comprising a first system time and a second system time, the first system time being the system time at which the client randomly selected the first encryption scheme and established the communication connection with the server, and the second system time being the system time at which the client requested the second encryption scheme from the server; the server comparing the client's key store version number against its own and deciding whether to update the client's key store; the server randomly assigning a second encryption scheme under which the authentication information for the client's login to the server is encrypted; and the server randomly assigning a third encryption scheme under which communication data is encrypted; the server presetting a timeout corresponding to the third encryption scheme, the client and the server both binding the third encryption scheme and the timeout to the communication session, and the server, at a random idle point after the timeout, randomly assigning a new third encryption scheme to the client; the third encryption scheme being a symmetric encryption scheme.
2. The communication channel dynamic encryption method of claim 1, characterised in that the second encryption scheme is an asymmetric encryption scheme.
3. The communication channel dynamic encryption method of claim 1, characterised in that the symmetric encryption scheme comprises a compression scheme and a serialisation scheme.
4. The communication channel dynamic encryption method of claim 1, characterised in that the server's key store comprises multiple versions and the client's key store has only one version.
5. The communication channel dynamic encryption method of claim 1, further comprising: if the communication channel between the client and the server is disconnected and reconnected, the client randomly selecting a first encryption scheme again and re-establishing the communication connection with the server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410114900.9A CN103973438B (en) | 2014-03-25 | 2014-03-25 | communication channel dynamic encrypting method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103973438A CN103973438A (en) | 2014-08-06 |
CN103973438B true CN103973438B (en) | 2017-11-17 |
Family
ID=51242514
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410114900.9A Active CN103973438B (en) | 2014-03-25 | 2014-03-25 | communication channel dynamic encrypting method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103973438B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105791292B * | 2016-03-03 | 2019-01-01 | 浪潮天元通信信息系统有限公司 | Dynamic geographic information encryption method |
CN107317925B * | 2017-06-20 | 2021-02-26 | 北京壹人壹本信息科技有限公司 | Mobile terminal |
CN109617886B * | 2018-12-21 | 2021-07-27 | 广东宏大欣电子科技有限公司 | Client data encryption method and server data encryption method based on TCP communication |
CN112583766A * | 2019-09-29 | 2021-03-30 | 富士施乐实业发展(中国)有限公司 | Remote interaction method, device and system for security information |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1909447A * | 2005-08-03 | 2007-02-07 | 盛趣信息技术(上海)有限公司 | Method for network data communication using a dynamic encryption algorithm |
CN1972237A * | 2006-12-06 | 2007-05-30 | 胡祥义 | VPN system based on a dynamic encryption algorithm |
CN101431411A * | 2007-11-09 | 2009-05-13 | 康佳集团股份有限公司 | Dynamic encryption method for network game data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||