CN104424446A - Safety verification and transmission method and system - Google Patents

Publication number
CN104424446A
Authority
CN
China
Prior art keywords
symmetric key
response data
data
key
raw data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310367733.4A
Other languages
Chinese (zh)
Inventor
王辉
周欣
马虹
申绯斐
曹子新
杨辉
苑朋朋
樊静静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SINO-FOREIGN BUILDING INFORMTION Co Ltd
Original Assignee
SINO-FOREIGN BUILDING INFORMTION Co Ltd
Application filed by SINO-FOREIGN BUILDING INFORMTION Co Ltd
Priority to CN201310367733.4A
Publication of CN104424446A
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention provides a safety verification and transmission method and system. The method includes the steps of encrypting original data to be transmitted with a symmetric key to generate the original data encrypted with the symmetric key; performing digital signing on the original data encrypted with the symmetric key with a private key of an asymmetric key and sending out the original data encrypted with the symmetric key, a digital signature and a digital certificate; receiving the original data encrypted with the symmetric key, the digital signature and the digital certificate and verifying the digital signature with a public key of the asymmetric key in the digital certificate; decrypting the original data encrypted with the symmetric key with the symmetric key to obtain original data after the verification is passed. According to the safety verification and transmission method, firstly the data to be transmitted is encrypted with the symmetric key to ensure the safety of the original data, and then digital signing is performed on the data encrypted with the symmetric key with the private key of the asymmetric key to ensure the safety of the data in transmission.

Description

Method and system for security authentication and transmission
Technical field
The present invention relates to the field of information security, and in particular to a method and system for security authentication and transmission.
Background
With the rapid development of smart card technology, smart cards have come into very wide use. As a physical carrier that bears on the interests of the state and the public, the smart card's security affects the safety of people's property. Therefore, to further ensure information security, the prior art needs to be improved.
In the prior art, data is mainly encrypted with symmetric key techniques. In a symmetric cryptosystem, the sender processes the plaintext with a specific encryption algorithm, turning it into ciphertext, and sends it together with the encryption key. After receiving the ciphertext, the recipient decrypts it using the same key and algorithm as in the encryption process. In symmetric key techniques only one key is used, and both the sending and the receiving party use this key to encrypt and decrypt the data.
As can be seen from the above, once the symmetric key is broken, the foundation of the whole security system no longer exists. To keep the key safe and avoid the key exposure that network attacks and the like may cause, the cipher machine used with symmetric key techniques is generally isolated from the public network and placed in an intranet or local area network (LAN).
Summary of the invention
Embodiments of the present invention provide a method and system for security authentication and transmission that can solve the identity verification problem and the key security problem that arise when a cipher machine is placed on a public network.
In one aspect, an embodiment of the present invention provides a method for security authentication and transmission, the method comprising:
encrypting the raw data to be sent with a symmetric key to generate symmetric-key-encrypted raw data;
digitally signing the symmetric-key-encrypted raw data with the private key of an asymmetric key pair, and sending the symmetric-key-encrypted raw data, the digital signature and a digital certificate;
receiving the symmetric-key-encrypted raw data, the digital signature and the digital certificate, and verifying the digital signature with the public key of the asymmetric key pair in the digital certificate;
after the verification passes, decrypting the symmetric-key-encrypted raw data with the symmetric key to obtain the raw data.
Further, before the raw data to be sent is encrypted with the symmetric key, the method further comprises:
obtaining the CPU card security authentication identification code and verifying it;
After the CPU card security authentication identification code is verified, the method further comprises:
if the CPU card security authentication identification code passes verification, enabling the command pass-through (transparent transmission) function and obtaining the data of the CPU card as the raw data;
if the CPU card security authentication identification code does not pass verification, blocking the CPU card.
Further, before the data of the CPU card is obtained as the raw data, the method further comprises:
sending an operation command to the CPU card, the CPU card sending the raw data according to the operation command.
Further, after the raw data is obtained, the method also comprises:
processing the raw data to generate response data, and encrypting the response data with the symmetric key to generate symmetric-key-encrypted response data;
digitally signing the symmetric-key-encrypted response data with the private key of the asymmetric key pair of the digital certificate, and sending the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
receiving the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate, and verifying the digital signature with the public key of the asymmetric key pair in the digital certificate;
after the verification passes, decrypting the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
Further, before the response data is encrypted with the symmetric key, the method also comprises:
determining whether the response data needs to be encrypted according to the following conditions:
when the symmetric key needs to be derived, or key derivation is realized in a disguised form, the response data needs to be encrypted;
when there is no need to derive the symmetric key or to realize key derivation in a disguised form, the response data does not need to be encrypted.
In another aspect, an embodiment of the present invention provides a system for security authentication and transmission, characterized in that the system comprises:
a first symmetric encryption module, for encrypting the raw data to be sent with a symmetric key and outputting symmetric-key-encrypted raw data;
a first digital signature module, for digitally signing, with the private key of an asymmetric key pair, the symmetric-key-encrypted raw data output by the first symmetric encryption module;
a first sending module, for sending the symmetric-key-encrypted raw data, the digital signature and the digital certificate;
a first receiving module, for receiving the symmetric-key-encrypted raw data, the digital signature and the digital certificate;
a first verification module, for verifying the digital signature with the public key of the asymmetric key pair in the digital certificate and, after the verification passes, parsing out the symmetric-key-encrypted raw data;
a first symmetric decryption module, for decrypting the symmetric-key-encrypted raw data with the symmetric key to obtain the raw data.
Further, the system further comprises:
an identification code acquisition module, for obtaining the CPU card security authentication identification code before the first symmetric encryption module encrypts the raw data to be sent with the symmetric key;
a CPU card verification module, for verifying the CPU card security authentication identification code obtained by the acquisition module and outputting the verification result;
a raw data acquisition module, for enabling the command pass-through function and obtaining the data of the CPU card as the raw data when the CPU card verification module's result for the CPU card security authentication identification code is that verification passed, and for blocking the CPU card when the result is that verification did not pass.
Further, the system further comprises:
an operation command sending module, for sending operation commands to the CPU card.
Further, the system also comprises:
a processing module, for processing the raw data and outputting response data;
a second symmetric encryption module, for encrypting the response data output by the processing module with the symmetric key and outputting symmetric-key-encrypted response data;
a second digital signature module, for digitally signing, with the private key of the asymmetric key pair of the digital certificate, the symmetric-key-encrypted response data output by the second symmetric encryption module;
a second sending module, for sending the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
a second receiving module, for receiving the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate sent by the second sending module;
a second verification module, for verifying the digital signature with the public key of the asymmetric key pair in the digital certificate and, after the verification passes, parsing out the symmetric-key-encrypted raw data;
a second symmetric decryption module, for decrypting the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
Further, the system also comprises:
a judgment module, for determining, before the response data is encrypted with the symmetric key, whether the response data needs to be encrypted according to the following conditions:
when the symmetric key needs to be derived, or key derivation is realized in a disguised form, the response data needs to be encrypted;
when there is no need to derive the symmetric key or to realize key derivation in a disguised form, the response data does not need to be encrypted.
The embodiments of the present invention propose a method and system for security authentication and transmission in which the encryption process adopts digital authentication technology and uses double-layer encryption with asymmetric key technology and symmetric key technology. First, the data to be sent is encrypted with the symmetric key, which ensures the safety of the raw data; then the symmetric-key-encrypted data is digitally signed with the private key of the asymmetric key pair, which ensures the safety of the data on the communication link. When the data is transmitted over a public network and the encrypted data is attacked, the encrypted data can still be transmitted safely over the public network because the transmitted data is encrypted with the asymmetric key.
Brief description of the drawings
Fig. 1 is a flowchart of a method for security authentication and transmission provided by an embodiment of the present invention;
Fig. 2 is a flowchart, for the case in which the response data needs to be encrypted, of the method for security authentication and transmission provided by an embodiment of the present invention;
Fig. 3 is a flowchart of encrypted data transmission in a city one-card system in an embodiment of the present invention;
Fig. 4 is a schematic diagram of a system for security authentication and transmission provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a system for security authentication and transmission provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of a system for security authentication and transmission provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.
As the requirements on data security rise, so do the requirements on encryption technology. In the prior art, data is mainly encrypted with a symmetric cryptosystem. In this encryption method the sending and the receiving party use the same key to encrypt and decrypt, so once the key is exposed the safety of the data is seriously threatened.
Therefore, an embodiment of the present invention provides a method for security authentication and transmission that allows encrypted data to be transmitted over a public network while ensuring the safety of the data. Referring to Fig. 1, the method comprises:
Step 101: encrypt the raw data to be sent with a symmetric key, generating symmetric-key-encrypted raw data;
Step 102: digitally sign the symmetric-key-encrypted raw data with the private key of an asymmetric key pair, and send the symmetric-key-encrypted raw data, the digital signature and the digital certificate;
Step 103: receive the symmetric-key-encrypted raw data, the digital signature and the digital certificate, and verify the digital signature with the public key of the asymmetric key pair in the digital certificate;
Step 104: after the verification passes, decrypt the symmetric-key-encrypted raw data with the symmetric key to obtain the raw data.
As can be seen, in the method for security authentication and transmission proposed by the embodiment of the present invention, the encryption process adopts digital authentication technology and uses double-layer encryption with asymmetric key technology and symmetric key technology. First, the data to be sent is encrypted with the symmetric key, which ensures the safety of the raw data; then the symmetric-key-encrypted data is digitally signed with the private key of the asymmetric key pair, which ensures the safety of the data on the communication link. When the data is transmitted over a public network and the encrypted data is attacked, the security of the data is ensured because the transmitted data is encrypted with the asymmetric key.
To further improve the security of the data, the security of the data source must also be ensured before the raw data to be sent is encrypted with the symmetric key: the CPU card providing the data is checked to determine whether it is a standard CPU card. The CPU card security authentication identification code is obtained and verified. If it passes verification, the command pass-through (transparent transmission) function is enabled and the data of the CPU card is obtained as the raw data; if it does not pass verification, the CPU card is blocked. When the data of a verified CPU card is obtained as raw data, an operation command is first sent to the CPU card, and the CPU card sends the raw data according to the operation command.
After the raw data is obtained, it is processed and response data is returned. Before the response data is returned, it must be determined whether the response data needs to be encrypted: when there is no need to derive the symmetric key or to realize key derivation in a disguised form, the response data is not encrypted and is sent directly; when the symmetric key needs to be derived, or key derivation is realized in a disguised form, the response data is encrypted.
When the response data needs to be encrypted, the specific steps are as follows (see Fig. 2):
Step 201: process the raw data to generate response data, and encrypt the response data with the symmetric key, generating symmetric-key-encrypted response data;
Step 202: digitally sign the symmetric-key-encrypted response data with the private key of the asymmetric key pair of the digital certificate, and send the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
Step 203: receive the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate, and verify the digital signature with the public key of the asymmetric key pair in the digital certificate;
Step 204: after the verification passes, decrypt the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
The implementation of the embodiment of the present invention is described in detail below using the encrypted data transmission process in a city one-card system.
The city one-card system mainly comprises three parts:
1. Read-write terminal
The read-write terminal needs to be loaded with the corresponding digital certificate. Besides implementing the CPU card command operation functions, it also takes on the functions related to identity authentication and secure communication.
A dedicated security chip that integrates RF (Radio Frequency) and SAM (Security Account Manager) functions is embedded in the read-write terminal. The security chip takes over security processing and RF communication in a unified way: once the data has been received and processed inside the chip, it is handed directly to RF for forwarding, which raises the difficulty of an attack and also speeds up processing. In addition, the dedicated security chip exposes a unified calling interface, which widens the range of products that can be selected.
2. Business platform
The business platform is the operating platform of the system and the bridge between the front end and the back end.
3. Back-end system
The back-end system provides the key application service for the business platform and implements the functions related to identity authentication and secure communication.
The back-end system mainly comprises three components:
A. CA/RA (Certification Authority/Registration Authority): mainly provides the digital certificate validity verification service for the asymmetric key technology;
B. CA (Certification Authority) function cipher machine: mainly provides the key application service for the symmetric key technology;
C. Middleware: the gateway of the back-end system, which mainly exposes a unified business service interface to the outside and handles the hand-over between the CA/RA and the CA function cipher machine.
Before the CPU card is operated on, it must be powered on and reset: the business platform sends the CPU card power-on reset command to the read-write terminal, the read-write terminal executes the command and performs the power-on reset of the CPU card, and on success it sends the information that the CPU card power-on reset succeeded to the business platform. After the power-on reset succeeds, the read-write terminal starts to operate on the CPU card.
Referring to Fig. 3, the steps of encrypted data transmission in the city one-card system are as follows:
Step 301: the read-write terminal obtains the CPU card security authentication identification code and verifies it;
Specifically, if the CPU card security authentication identification code passes verification, the command pass-through function is enabled and the data of the CPU card is obtained as the raw data;
if the CPU card security authentication identification code does not pass verification, the CPU card is blocked.
Step 302: after the CPU card passes the security authentication identification code check, the business platform calls the command pass-through function and executes plaintext/ciphertext CPU card operation commands; the read-write terminal sends an operation command to the CPU card, and the CPU card sends the raw data to the read-write terminal according to the operation command;
Step 303: the read-write terminal receives the raw data sent by the CPU card and encrypts it with the symmetric key, generating symmetric-key-encrypted raw data;
Step 304: the read-write terminal digitally signs the symmetric-key-encrypted raw data with the private key of the asymmetric key pair, and sends the symmetric-key-encrypted raw data, the digital signature and the digital certificate to the business platform;
Specifically, after receiving the raw data sent by the CPU card, the read-write terminal digitally signs the data internally and finally returns the raw data and the digital signature result to the business platform;
Step 305: after receiving the symmetric-key-encrypted raw data, the digital signature and the digital certificate sent by the read-write terminal, the business platform sends a processing request, the symmetric-key-encrypted raw data, the digital signature and the digital certificate to the back-end system;
Step 306: the back-end system receives the processing request, the symmetric-key-encrypted raw data, the digital signature and the digital certificate sent by the business platform, and the CA/RA verifies the digital signature on the signed raw data with the public key of the asymmetric key pair in the digital certificate;
Step 307: the back-end system uses the CA function cipher machine to decrypt, with the symmetric key, the raw data whose digital signature has been verified, obtaining the raw data;
Step 308: the back-end system processes the raw data according to the processing request, generates response data, and determines whether the response data needs to be encrypted;
Specifically, when the business platform needs the symmetric key to be derived, or key derivation is realized in a disguised form, the response data is encrypted and the encrypted response data is sent;
when the business platform does not need the symmetric key to be derived or key derivation to be realized in a disguised form, the response data is not encrypted and is sent directly.
Step 309: when the response data needs to be encrypted, the back-end system uses the CA function cipher machine to encrypt the response data with the symmetric key, generating symmetric-key-encrypted response data;
Step 310: the back-end system digitally signs the symmetric-key-encrypted response data with the private key of the asymmetric key pair of the CA/RA digital certificate, and sends the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
Step 311: the business platform receives the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate sent by the back-end system, verifies the signature with the public key of the asymmetric key pair, and obtains the symmetric-key-encrypted response data;
Step 312: the business platform decrypts the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
The business platform determines from the response data whether to call the read-write terminal's pass-through function in plaintext or ciphertext form. Depending on the command format, the read-write terminal distinguishes two modes when sending a command:
Mode one: plaintext forwarding
Sent directly. The security chip of the read-write terminal obtains the command data field according to the command format and hands it directly to RF for forwarding.
Mode two: ciphertext forwarding
Forwarded after decryption with the digital certificate. The security chip of the read-write terminal obtains the command data field according to the command format, first decrypts it internally with the private key of the digital certificate, and then hands it to RF for forwarding.
In addition, in the back-end system the middleware exposes a standard interface service; the business platform does not need to be concerned with the internals of the back-end system and only has to send requests to the middleware according to the interface requirements.
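The exchange of steps 101 to 104, which steps 201 to 204 and 303 to 307 repeat, written out as an added Go example; it is not code from the patent. The patent names no algorithms, so AES-256-GCM, Ed25519 and X.509 are assumptions, as are all function names, the pre-shared symmetric key and the constructed CA; `open` also checks that the received certificate chains to the trusted CA before using its public key, the role the description gives to the CA/RA.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var errBadSignature = errors.New("signature does not match ciphertext")

// envelope is what the sender transmits: encrypted data, signature, certificate.
type envelope struct{ Ciphertext, Signature, CertDER []byte }

// issue makes a constructed Ed25519 key and certificate; caCert == nil gives a self-signed CA.
func issue(cn string, caKey ed25519.PrivateKey, caCert *x509.Certificate) (ed25519.PrivateKey, *x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if caCert == nil { // the root signs itself and may sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, caKey, caCert = true, x509.KeyUsageCertSign, key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func newGCM(symKey []byte) (cipher.AEAD, error) { // AES-GCM is an assumption
	block, err := aes.NewCipher(symKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal covers steps 101-102: encrypt with the symmetric key, then sign the ciphertext.
func seal(plain, symKey []byte, key ed25519.PrivateKey, cert *x509.Certificate) (*envelope, error) {
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	return &envelope{ct, ed25519.Sign(key, ct), cert.Raw}, nil
}

// open covers steps 103-104 and first checks that the certificate chains to trustedCA.
func open(env *envelope, symKey []byte, trustedCA *x509.Certificate) ([]byte, error) {
	cert, err := x509.ParseCertificate(env.CertDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.CheckSignature(x509.PureEd25519, env.Ciphertext, env.Signature) != nil {
		return nil, errBadSignature
	}
	gcm, err := newGCM(symKey)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(env.Ciphertext) >= n {
		return gcm.Open(nil, env.Ciphertext[:n], env.Ciphertext[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

func main() {
	caKey, caCert, _ := issue("constructed CA", nil, nil) // setup errors ignored in this demo
	key, cert, _ := issue("constructed terminal", caKey, caCert)
	symKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	env, _ := seal([]byte("constructed card record"), symKey, key, cert)
	plain, err := open(env, symKey, caCert)
	fmt.Printf("%q %v\n", plain, err)
}
```

A certificate issued by any other CA, or a ciphertext altered after signing, makes `open` return an error before any decryption is attempted.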
Also proposed the system of a kind of safety certification and transmission in one embodiment of the invention, see Fig. 4, this system comprises:
First symmetrical encryption module 401, for being encrypted the raw data symmetric key that will send, exports the raw data after symmetric key encryption;
First Digital Signature module 402, for carrying out digital signature by the private key in the raw data unsymmetrical key after the symmetric key encryption of described first symmetrical encryption module output;
First sending module 403, for sending the raw data after symmetric key encryption, digital signature and digital certificate;
First receiver module 404, for receiving raw data, digital signature and digital certificate after described symmetric key encryption;
First authentication module 405, for by the public key verifications digital signature in the unsymmetrical key in described digital certificate;
First symmetrical deciphering module 406, for being decrypted by the raw data symmetric key after described symmetric key encryption, obtains raw data.
In order to improve the security of data further, before the raw data symmetric key sent is encrypted, also will guarantee the security of Data Source, whether the module added below is that standard C PU card identifies, see Fig. 5 to providing the CPU card of data:
Identification code acquisition module 501, for described before described first symmetrical encryption module is encrypted the raw data symmetric key sent, obtains CPU card safety certification identification code;
CPU card authentication module 502, verifies for the CPU card safety certification identification code obtained described acquisition module, exports the result;
Raw data acquisition module 502, during for being by checking when the result of described CPU card authentication module to CPU card safety certification identification code, open command transparent transmission function, obtain the data of CPU card as described raw data, when the result of described CPU card authentication module to CPU card safety certification identification code is not by checking, shielding CPU card.
When obtaining by the data of CPU card of checking as raw data, first to CPU card transmit operation instruction, CPU card sends raw data according to operational order, and then adds operational order sending module 503, for CPU card transmit operation instruction.
See Fig. 6, after obtaining raw data, raw data is processed, and returns response data.Processing module 601, for carrying out process output response data to raw data.In order to judge that the response data returned is the need of encryption, add judge module 602, for before response data symmetric key is encrypted, be encrypted the need of to response data according to following condition judgment: when not needing symmetric key is derived or in a disguised form realizes key derivation, response data is not encrypted, directly sends response data; When needs are by symmetric key derivation or when in a disguised form realizing key derivation, to be encrypted response data.
Response data that needs encryption is handled by the following modules:
A second symmetric encryption module 603, configured to encrypt the response data output by the processing module with the symmetric key and output the symmetric-key-encrypted response data;
A second digital signature module 604, configured to digitally sign the symmetric-key-encrypted response data output by the second symmetric encryption module with the private key of the asymmetric key in the digital certificate;
A second sending module 605, configured to send the symmetric-key-encrypted response data, the digital signature of the response data, and the digital certificate;
A second receiving module 606, configured to receive the symmetric-key-encrypted response data, the digital signature of the response data, and the digital certificate sent by the second sending module;
A second authentication module 607, configured to verify the digital signature with the public key of the asymmetric key in the digital certificate;
A second symmetric decryption module 608, configured to decrypt the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
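The encrypt, sign, send, verify, decrypt sequence carried out by modules 603 to 608, sketched in Go as an added example that is not part of the patent. AES-GCM, Ed25519, the self-signed demo certificate, the receiver pinning the sender's certificate, and the names `Message`, `NewSigner`, `NewAEAD`, `Seal` and `Open` are all assumptions: the page names no algorithms and does not say how the receiver decides to trust the certificate.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

type Message struct{ Nonce, Ciphertext, Signature, CertDER []byte } // what crosses the link

// NewSigner returns a private key and a self-signed certificate (constructed demo identity).
func NewSigner() (ed25519.PrivateKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return priv, der, err
}

// NewAEAD wraps the shared symmetric key as AES-GCM (the cipher is this example's assumption).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts raw with the symmetric key, then signs nonce||ciphertext with the private key.
func Seal(g cipher.AEAD, priv ed25519.PrivateKey, certDER, raw []byte) (*Message, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, raw, nil)
	return &Message{nonce, ct, ed25519.Sign(priv, bytes.Join([][]byte{nonce, ct}, nil)), certDER}, nil
}

// Open accepts only the pinned certificate (assumed), verifies the signature, then decrypts.
func Open(g cipher.AEAD, pinnedCert []byte, m *Message) ([]byte, error) {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil || !bytes.Equal(m.CertDER, pinnedCert) {
		return nil, fmt.Errorf("certificate is malformed or not the pinned one")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, bytes.Join([][]byte{m.Nonce, m.Ciphertext}, nil), m.Signature) {
		return nil, fmt.Errorf("signature verification failed, not decrypting")
	}
	return g.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	g, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	priv, der, _ := NewSigner()
	m, _ := Seal(g, priv, der, []byte("card record"))
	fmt.Println(Open(g, der, m)) // recovered bytes and a nil error
}
```

If the receiver used whatever certificate arrives with the message, any party could sign with its own key and attach its own certificate, and the signature check alone would still pass; the pin is what ties the signature to a known sender.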
As can be seen, the embodiments of the present invention have the following beneficial effects:
1. In the security authentication and transmission method proposed by the embodiments of the present invention, digital authentication technology is used in the encryption process, with two-layer encryption that combines asymmetric key technology and symmetric key technology. The data to be sent is first encrypted with the symmetric key, which ensures the security of the raw data; the symmetric-key-encrypted data is then digitally signed with the private key of the asymmetric key, which ensures the security of the data on the communication link. When the data is transmitted over a public network and the encrypted data is attacked, the transmitted data has been encrypted using the asymmetric key, and the public key and private key are different, so the encrypted data can be transmitted securely over the public network.
2. In the security authentication and transmission method provided by the embodiments of the present invention, two-layer encryption with asymmetric key technology and symmetric key technology is not only compatible with existing applications, but also adopts in advance a security mechanism that meets national security requirements, increasing the security of the data.
3. In the security authentication and transmission method provided by the embodiments of the present invention, before the CPU card data is obtained, the CPU card is verified as to whether it is a standard card, and CPU cards that do not pass verification are shielded outside the system, which ensures the legitimacy of the CPU card and thereby improves the security of the data.
4. In the security authentication and transmission method provided by the embodiments of the present invention, the product calling interfaces are unified and standardized: the dedicated security chip in the front-end read-write terminal and the dedicated cipher machine of the back-end system provide a unified external calling interface that no longer distinguishes manufacturer or model. Product calls are unified and standardized, which widens the range of products that can be selected.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "comprising ..." does not exclude the existence of other identical elements in the process, method, article or device comprising that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs, and other media that can store program code.
Finally, it should be noted that the foregoing describes only preferred embodiments of the present invention, is intended only to illustrate the technical solution of the present invention, and is not intended to limit the protection scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the protection scope of the present invention.

Claims (10)

1. A method for security authentication and transmission, characterized in that the method comprises:
Encrypting the raw data to be sent with a symmetric key to generate symmetric-key-encrypted raw data;
Digitally signing the symmetric-key-encrypted raw data with the private key of an asymmetric key, and sending the symmetric-key-encrypted raw data, the digital signature and a digital certificate;
Receiving the symmetric-key-encrypted raw data, the digital signature and the digital certificate, and verifying the digital signature with the public key of the asymmetric key in the digital certificate;
After verification passes, decrypting the symmetric-key-encrypted raw data with the symmetric key to obtain the raw data.
2. The method according to claim 1, characterized in that, before the raw data to be sent is encrypted with the symmetric key, the method further comprises:
Obtaining a CPU card security authentication identification code, and verifying the CPU card security authentication identification code;
After the CPU card security authentication identification code is verified, the method further comprises:
If the CPU card security authentication identification code passes verification, enabling the instruction transparent-transmission (pass-through) function and obtaining the data of the CPU card as the raw data;
If the CPU card security authentication identification code does not pass verification, shielding the CPU card.
3. The method according to claim 2, characterized in that, before the data of the CPU card is obtained as the raw data, the method further comprises:
Sending an operation instruction to the CPU card, the CPU card sending the raw data according to the operation instruction.
4. The method according to claim 1, characterized in that, after the raw data is obtained, the method further comprises:
Processing the raw data to generate response data, and encrypting the response data with the symmetric key to generate symmetric-key-encrypted response data;
Digitally signing the symmetric-key-encrypted response data with the private key of the asymmetric key in the digital certificate, and sending the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
Receiving the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate, and verifying the digital signature with the public key of the asymmetric key in the digital certificate;
After verification passes, decrypting the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
5. The method according to claim 4, characterized in that, before the response data is encrypted with the symmetric key, the method further comprises:
Deciding whether the response data needs to be encrypted according to the following conditions:
When the symmetric key needs to be derived, or key derivation is realized in a disguised form, the response data needs to be encrypted;
When the symmetric key does not need to be derived and key derivation is not realized in a disguised form, the response data does not need to be encrypted.
6. A system for security authentication and transmission, characterized in that the system comprises:
A first symmetric encryption module, configured to encrypt the raw data to be sent with a symmetric key and output symmetric-key-encrypted raw data;
A first digital signature module, configured to digitally sign the symmetric-key-encrypted raw data output by the first symmetric encryption module with the private key of an asymmetric key;
A first sending module, configured to send the symmetric-key-encrypted raw data, the digital signature and a digital certificate;
A first receiving module, configured to receive the symmetric-key-encrypted raw data, the digital signature and the digital certificate;
A first authentication module, configured to verify the digital signature with the public key of the asymmetric key in the digital certificate;
A first symmetric decryption module, configured to decrypt the symmetric-key-encrypted raw data with the symmetric key to obtain the raw data.
7. The system according to claim 6, characterized in that the system further comprises:
An identification code acquisition module, configured to obtain a CPU card security authentication identification code before the first symmetric encryption module encrypts the raw data to be sent with the symmetric key;
A CPU card authentication module, configured to verify the CPU card security authentication identification code obtained by the acquisition module and output a verification result;
A raw data acquisition module, configured to: when the CPU card authentication module's result for the CPU card security authentication identification code is that verification passed, enable the instruction transparent-transmission (pass-through) function and obtain the data of the CPU card as the raw data; and when the result is that verification did not pass, shield the CPU card.
8. The system according to claim 6, characterized in that the system further comprises:
An operation instruction sending module, configured to send an operation instruction to the CPU card.
9. The system according to claim 6, characterized in that the system further comprises:
A processing module, configured to process the raw data and output response data;
A second symmetric encryption module, configured to encrypt the response data output by the processing module with the symmetric key and output symmetric-key-encrypted response data;
A second digital signature module, configured to digitally sign the symmetric-key-encrypted response data output by the second symmetric encryption module with the private key of the asymmetric key in the digital certificate;
A second sending module, configured to send the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate;
A second receiving module, configured to receive the symmetric-key-encrypted response data, the digital signature of the response data and the digital certificate sent by the second sending module;
A second authentication module, configured to verify the digital signature with the public key of the asymmetric key in the digital certificate and, if verification passes, parse out the symmetric-key-encrypted response data;
A second symmetric decryption module, configured to decrypt the symmetric-key-encrypted response data with the symmetric key to obtain the response data.
10. The system according to claim 9, characterized in that the system further comprises:
A judging module, configured to decide, before the response data is encrypted with the symmetric key, whether the response data needs to be encrypted according to the following conditions:
When the symmetric key needs to be derived, or key derivation is realized in a disguised form, the response data needs to be encrypted;
When the symmetric key does not need to be derived and key derivation is not realized in a disguised form, the response data does not need to be encrypted.
CN201310367733.4A 2013-08-21 2013-08-21 Safety verification and transmission method and system Pending CN104424446A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310367733.4A CN104424446A (en) 2013-08-21 2013-08-21 Safety verification and transmission method and system

Publications (1)

Publication Number Publication Date
CN104424446A true CN104424446A (en) 2015-03-18

Family

ID=52973370

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310367733.4A Pending CN104424446A (en) 2013-08-21 2013-08-21 Safety verification and transmission method and system

Country Status (1)

Country Link
CN (1) CN104424446A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150318