CN106788989A - A kind of method and apparatus for setting up safe encryption channel - Google Patents


Info

Publication number: CN106788989A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN201611086497.9A
Other languages: Chinese (zh)
Other versions: CN106788989B (en)
Inventor: 梁彦彬
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN201611086497.9A; publication of CN106788989A; application granted; publication of CN106788989B.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these, involving identity based encryption [IBE] schemes
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s), using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks


Abstract

This application discloses a method and apparatus for setting up a secure encrypted channel, intended to resist man-in-the-middle attacks and to reduce the need for CA certification. The method is as follows: a first device sets up a first communication channel with a second device; the first device generates a first key and a first identifier, the first identifier corresponding uniquely to the first key; the first key is split into N parts; X parts of the first key, together with the first identifier, are sent to the second device over the first communication channel, and the first identifier together with the remaining parts of the first key is sent to the second device over other communication channels, X being a positive integer less than N. In this way the problem of man-in-the-middle attacks can be effectively avoided, the security of key transmission is substantially improved, and the need for CA certification is reduced, avoiding the troublesome operations of CA certification.

Description

A kind of method and apparatus for setting up safe encryption channel
Technical field
This application relates to the field of communication technology, and in particular to a method and apparatus for setting up a secure encrypted channel.
Background art
At present, scenarios such as operating online banking from a user terminal, conducting e-commerce transactions and Rich Communication Suite (RCS) communication are more and more common. The Wi-Fi network of a public place may be malicious, and a malicious Wi-Fi network can very easily monitor and intercept network messages; even on a secure Wi-Fi network or a carrier data network there remains the possibility that network messages are monitored or intercepted.
For example, when a user logs into an e-commerce website to shop online, the user must enter sensitive information such as a payment account number and password in order to complete the transaction. The network between the terminal the user operates and the e-commerce website server or payment server is untrusted and may be monitored or intercepted by an attacker, so that information such as the account and password is disclosed and the user suffers financial loss. Therefore the user terminal and the server need to negotiate a key for encryption and encrypt the communication content with it. At present there are two schemes in practical use for setting up a secure encrypted channel. One scheme uses a key exchange algorithm (such as Diffie-Hellman) to obtain a key for communication between the two parties, which is then used to encrypt the communication content; this key exchange scheme cannot solve the problem of man-in-the-middle attacks and cannot guarantee the security of the communication. The other scheme uses public and private keys and a certificate to obtain the key for communication between the parties and encrypts the communication content with it; in this scheme one party to the communication must apply to an authoritative Certificate Authority (CA) for a certificate, which costs a certain fee, and a certificate normally has a limited validity period and must be renewed regularly, which makes certificate renewal troublesome.
In view of the above problems, a new scheme for setting up a secure encrypted channel is urgently needed, one that can resist man-in-the-middle attacks and can also reduce the need for CA certification, so as to avoid the trouble and reduce the cost.
Summary of the invention
The embodiments of this application provide a method and apparatus for setting up a secure encrypted channel, to resist man-in-the-middle attacks and to reduce the need for CA certification.
The specific technical solutions provided by the embodiments of this application are as follows:
In a first aspect, the embodiments of this application provide a method for setting up a secure encrypted channel, including:
a first device sets up a first communication channel with a second device;
the first device generates a first key and a first identifier, the first identifier corresponding uniquely to the first key;
the first device splits the first key into N parts, N being a positive integer greater than or equal to 2;
the first device sends X parts of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the remaining parts of the first key to the second device over other communication channels, X being a positive integer less than N.
In this way, because the parts of the first key used to set up the secure encrypted channel between the first device and the second device are transmitted over at least two communication channels, a man-in-the-middle attack now requires listening on all of the communication channels at the same time, which greatly increases its difficulty. The problem of man-in-the-middle attacks can therefore be effectively avoided, the security of key transmission is substantially improved, and the need for CA certification is reduced, avoiding the troublesome operations of CA certification.
With reference to the first aspect, in one possible design, the first device sending X parts of the first key together with the first identifier to the second device over the first communication channel, and sending the first identifier together with the remaining parts of the first key to the second device over other communication channels, includes:
when N is 2, the first device sends the first part of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the second part of the first key to the second device over a second communication channel, the second communication channel being different from the first communication channel.
In this design the first key is transmitted over two communication channels, so a man-in-the-middle attack now requires listening on both communication channels at the same time, which greatly increases its difficulty: an attacker may obtain only part of the communication key, so the problem of man-in-the-middle attacks can be effectively avoided while the need for CA certification is reduced. More importantly, this design has a relatively low implementation difficulty and is easy to roll out.
With reference to the first aspect, in one possible design, the first device generating the first key includes:
the first device selects a first private key and, using the key exchange algorithm negotiated with the second device, computes the first key from the first private key and the public information of the key exchange algorithm.
With reference to the first aspect, in one possible design, after the first device sends the first part of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the second part of the first key to the second device over the second communication channel, the method further includes:
the first device receives a second key sent by the second device, the second key having been computed by the second device, based on a second private key selected by itself, from the second private key and the public information of the key exchange algorithm using the key exchange algorithm negotiated with the first device;
the first device computes a target key from the first private key and the second key;
the first device encrypts the communication content sent to the second device using the target key.
With reference to the first aspect, in one possible design, before the first device sends the first part of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the second part of the first key to the second device over the second communication channel, the method further includes:
after the second device has obtained a certificate containing a first public key and a first private key, the first device downloads the first public key.
With reference to the first aspect, in one possible design, the first device sending the first part of the first key together with the first identifier to the second device over the first communication channel, and sending the first identifier together with the second part of the first key to the second device over the second communication channel, includes:
the first device encrypts the first part and the second part of the first key with the first public key;
the first device sends the encrypted first part together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the encrypted second part to the second device over the second communication channel.
With reference to the first aspect, in one possible design, after the first device sends the first part of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the second part of the first key to the second device over the second communication channel, the method further includes:
the first device encrypts the communication content sent to the second device using the first key.
In a second aspect, the embodiments of this application provide a method for setting up a secure encrypted channel, including:
a second device receives partial keys and the corresponding unique identifier sent by a first device over different communication channels;
the second device splices the partial keys having the same unique identifier into a first key;
the second device encrypts communication content based on the first key.
In this way, the second device can splice the partial keys into the complete first key based on the unique identifier carried with each partial key when it is transmitted, which guarantees the integrity of the transmitted first key, so that secure encryption is achieved using the first key and man-in-the-middle attacks are resisted.
With reference to the second aspect, in one possible design, the second device encrypting communication content based on the first key includes:
the second device computes a target key from a private key selected by itself and the first key;
the second device encrypts the communication content sent to the first device using the target key.
With reference to the second aspect, in one possible design, the second device splicing the partial keys having the same unique identifier into the first key includes:
after the second device decrypts the partial keys having the same unique identifier using a private key stored locally on the second device, it splices the partial keys into the first key.
With reference to the second aspect, in one possible design, the second device encrypting communication content based on the first key includes:
the second device encrypts the communication content sent to the first device using the first key.
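The first and second aspects above, as an added example that is not the patent's own code: a Python model in which the first key is the first device's public key-exchange value, split into N parts that are each tagged with a UUID identifier, sent X over the first channel and the rest over the other channels, spliced back by the second device, and combined with the second key into the target key. The part index and part count carried with each part, the small Diffie-Hellman group and the HMAC-based toy cipher are assumptions of this example, not from the patent.

```python
"""Model of the split-channel key transmission (example code, not the patent's)."""
import hashlib
import hmac
import secrets
import uuid
from collections import defaultdict

# Toy Diffie-Hellman group, constructed for the example (assumption): a real
# deployment negotiates a standard group of at least 2048 bits.
P = 2**127 - 1
G = 2


def dh_public(private: int) -> int:
    """Public value of the negotiated key exchange algorithm (Diffie-Hellman here)."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """Target key: the peer's public value raised to our own private key."""
    return pow(peer_public, private, P)


def split_key(first_key: str, n: int) -> list:
    """Split the first key (a hex string) into n non-empty parts, 2 <= n <= len."""
    if not 2 <= n <= len(first_key):
        raise ValueError("n must be between 2 and the key length")
    base, extra = divmod(len(first_key), n)
    parts, pos = [], 0
    for i in range(n):
        size = base + (1 if i < extra else 0)
        parts.append(first_key[pos:pos + size])
        pos += size
    return parts


def first_device_send(first_key: str, n: int, x: int, channels: dict) -> str:
    """Send x parts over the first channel and the rest over the other channels.
    Every part carries the first identifier (a UUID, as in the patent); the index
    and total are this example's addition so the receiver can order the parts."""
    names = list(channels)
    if not 1 <= x < n or len(names) < 2:
        raise ValueError("need 1 <= x < n and at least two channels")
    mark = str(uuid.uuid1())
    for i, part in enumerate(split_key(first_key, n)):
        name = names[0] if i < x else names[1 + (i - x) % (len(names) - 1)]
        channels[name].append({"mark": mark, "index": i, "total": n, "part": part})
    return mark


def reassemble(messages) -> dict:
    """Second device: group partial keys by identifier, splice the complete ones."""
    groups, totals = defaultdict(dict), {}
    for m in messages:
        groups[m["mark"]][m["index"]] = m["part"]
        totals[m["mark"]] = m["total"]
    return {mark: "".join(parts[i] for i in range(totals[mark]))
            for mark, parts in groups.items() if len(parts) == totals[mark]}


def session_key(target_key: int) -> bytes:
    """Symmetric key derived from the target key (SHA-256; an assumption)."""
    return hashlib.sha256(target_key.to_bytes(16, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream) standing in for a real
    AEAD; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def run_exchange(n: int = 2, x: int = 1, channel_names=("tcp", "sms")) -> dict:
    """Whole flow: first key split over the channels, spliced, target key agreed."""
    channels = {name: [] for name in channel_names}
    xa = secrets.randbelow(P - 2) + 1                 # first private key, stays local
    first_key = format(dh_public(xa), "x")            # first key as a hex string
    mark = first_device_send(first_key, n, x, channels)
    # Second device drains every channel and splices by identifier.
    received = reassemble(m for msgs in channels.values() for m in msgs)
    ya = int(received[mark], 16)
    xb = secrets.randbelow(P - 2) + 1                 # second private key
    second_key = dh_public(xb)                        # returned to the first device
    target_b = dh_shared(ya, xb)
    target_a = dh_shared(second_key, xa)
    # What an observer of the first channel alone sees: x of the n parts.
    seen_on_first = "".join(m["part"] for m in channels[channel_names[0]])
    return {"first_key": first_key, "target_a": target_a, "target_b": target_b,
            "seen_on_first_channel": seen_on_first}


if __name__ == "__main__":
    r = run_exchange(3, 1, ("tcp", "sms", "push"))
    k = session_key(r["target_a"])
    print("target keys agree:", r["target_a"] == r["target_b"])
    print("seen on first channel only:", r["seen_on_first_channel"])
    print(keystream_xor(k, keystream_xor(k, b"order 42 confirmed")))
```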
In a third aspect, the embodiments of this application provide a device for setting up a secure encrypted channel, including:
a processing unit, configured to set up a first communication channel with a peer device; to generate a first key and a first identifier, the first identifier corresponding uniquely to the first key; and to split the first key into N parts, N being a positive integer greater than or equal to 2;
a communication unit, configured to send X parts of the first key together with the first identifier to the peer device over the first communication channel, and to send the first identifier together with the remaining parts of the first key to the peer device over other communication channels, X being a positive integer less than N.
With reference to the third aspect, in one possible design, the communication unit is specifically configured to:
when N is 2, send the first part of the first key together with the first identifier to the peer device over the first communication channel, and send the first identifier together with the second part of the first key to the peer device over a second communication channel, the second communication channel being different from the first communication channel.
With reference to the third aspect, in one possible design, the processing unit is specifically configured to:
select a first private key and, using the key exchange algorithm negotiated with the peer device, compute the first key from the first private key and the public information of the key exchange algorithm.
With reference to the third aspect, in one possible design, after the communication unit sends the first part of the first key together with the first identifier to the peer device over the first communication channel, and sends the first identifier together with the second part of the first key to the peer device over the second communication channel, the communication unit is further configured to:
receive a second key sent by the peer device, the second key having been computed by the peer device, based on a second private key selected by itself, from the second private key and the public information of the key exchange algorithm using the key exchange algorithm negotiated with the first device;
the processing unit is further configured to compute a target key from the first private key and the second key, and to encrypt the communication content sent to the peer device using the target key.
With reference to the third aspect, in one possible design, before the communication unit sends the first part of the first key together with the first identifier to the peer device over the first communication channel, and sends the first identifier together with the second part of the first key to the peer device over the second communication channel, the communication unit is further configured to:
after the peer device has obtained a certificate containing a first public key and a first private key, download the first public key.
With reference to the third aspect, in one possible design, the communication unit is specifically configured to:
encrypt the first part and the second part of the first key with the first public key;
send the encrypted first part together with the first identifier to the peer device over the first communication channel, and send the first identifier together with the encrypted second part to the peer device over the second communication channel.
With reference to the third aspect, in one possible design, the processing unit is further configured to:
after the communication unit sends the first part of the first key together with the first identifier to the peer device over the first communication channel, and sends the first identifier together with the second part of the first key to the peer device over the second communication channel, encrypt the communication content sent to the peer device using the first key.
Based on the same inventive concept, the principle by which the device solves the problem and its beneficial effects can be understood from the first aspect and each possible implementation of the first aspect described above together with the beneficial effects they bring, so the implementation of the device can be understood from the implementation of the method, and the repeated parts are not described again.
In a fourth aspect, the embodiments of this application provide a device for setting up a secure encrypted channel, including:
a communication unit, configured to receive partial keys and the corresponding unique identifier sent by a peer device over different communication channels;
a processing unit, configured to splice the partial keys having the same unique identifier into a first key, and to encrypt communication content based on the first key.
With reference to the fourth aspect, in one possible design, the processing unit is specifically configured to:
compute a target key from a selected private key and the first key;
encrypt the communication content sent to the peer device using the target key.
With reference to the fourth aspect, in one possible design, the processing unit is specifically configured to:
after decrypting the partial keys having the same unique identifier using a private key stored locally on the second device, splice the partial keys into the first key.
With reference to the fourth aspect, in one possible design, the processing unit is specifically configured to:
encrypt the communication content sent to the peer device using the first key.
Based on the same inventive concept, the principle by which the device solves the problem and its beneficial effects can be understood from the second aspect and each possible implementation of the second aspect described above together with the beneficial effects they bring, so the implementation of the device can be understood from the implementation of the method, and the repeated parts are not described again.
In a fifth aspect, the embodiments of this application provide a device including: a memory in which program instructions are stored; a transceiver; and at least one processor, configured to execute the program instructions so as to: set up a first communication channel with a peer device; generate a first key and a first identifier, the first identifier corresponding uniquely to the first key; split the first key into N parts, N being a positive integer greater than or equal to 2; and, through the transceiver, send X parts of the first key together with the first identifier to the second device over the first communication channel and send the first identifier together with the remaining parts of the first key to the second device over other communication channels, X being a positive integer less than N. The processor calls the instructions stored in the memory to implement the method in the designs of the first aspect above. Because the implementation and beneficial effects by which the device solves the problem can be understood from the first aspect and each possible method implementation of the first aspect together with their beneficial effects, the implementation of the device can be understood from the implementation of the method above, and the repeated parts are not described again.
In a sixth aspect, the embodiments of this application provide a device including: a memory in which program instructions are stored; a transceiver; and at least one processor, configured to execute the program instructions so as to: receive, through the transceiver, partial keys and the corresponding unique identifier sent by a peer device over different communication channels; splice the partial keys having the same unique identifier into a first key; and encrypt communication content based on the first key. The processor calls the instructions stored in the memory to implement the method in the designs of the second aspect above. Because the implementation and beneficial effects by which the device solves the problem can be understood from the second aspect and each possible method implementation of the second aspect together with their beneficial effects, the implementation of the device can be understood from the implementation of the method above, and the repeated parts are not described again.
In a seventh aspect, the embodiments of this application provide a computer storage medium. The storage medium is a non-volatile computer-readable storage medium storing at least one program, each program including the computer software instructions used in the method designs of the first aspect above; when executed by a device having a processor, a memory and a transceiver, the instructions cause the device to perform the method designs of the first aspect.
In an eighth aspect, the embodiments of this application provide a computer storage medium. The storage medium is a non-volatile computer-readable storage medium storing at least one program, each program including the computer software instructions used in the method designs of the second aspect above; when executed by a device having a processor, a memory and a transceiver, the instructions cause the device to perform the method designs of the second aspect.
Brief description of the drawings
Fig. 1 is a flow diagram of setting up encrypted communication using a key exchange algorithm such as Diffie-Hellman;
Fig. 2 is a schematic diagram of the process of obtaining the key used for communication;
Fig. 3 is a flow diagram of setting up encrypted communication using the public/private key and certificate method;
Fig. 4 is a flow diagram of the method for setting up a secure encrypted channel in the embodiments of this application;
Fig. 5 is a flow diagram of the method for setting up a secure encrypted channel in the embodiments of this application in one application scenario;
Fig. 6 is a flow diagram of the method for setting up a secure encrypted channel in the embodiments of this application in another application scenario;
Fig. 7 is a structural diagram of a device for setting up a secure encrypted channel in the embodiments of this application;
Fig. 8 is a structural diagram of a device for setting up a secure encrypted channel in the embodiments of this application;
Fig. 9 is a structural diagram of a device for setting up a secure encrypted channel in the embodiments of this application;
Fig. 10 is a structural diagram of a device for setting up a secure encrypted channel in the embodiments of this application.
Detailed description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings of the embodiments.
At present there are two schemes in practical use for setting up a secure encrypted channel.
In the first key exchange scheme, the specific flow by which A and B set up encrypted communication using a key exchange algorithm such as Diffie-Hellman is shown in Fig. 1 and includes the following steps:
Step 10: A and B set up an ordinary communication channel, for example a Transmission Control Protocol (TCP) link.
Step 11: A and B negotiate and exchange public information, such as the exchange algorithm and the public parameters the algorithm needs.
Step 12: A selects a private key Xa. Note that Xa need not be sent over the network; it is only stored locally at A.
Step 13: A computes Ya from the public information and Xa with the exchange algorithm and sends Ya to B.
Step 14: B selects a private key Xb. Note that Xb need not be sent over the network; it is only stored locally at B.
Step 15: B computes Yb from the public information and Xb with the exchange algorithm and sends Yb to A.
Step 16: A computes the key (key) using Xa and Yb as parameters.
Step 17: B computes the key (key) using Xb and Ya as parameters; the exchange algorithm guarantees that the key computed by A and the key computed by B are identical.
Step 18: A and B encrypt the communication content with key.
This process can be monitored and intercepted: for example, a third party C can impersonate B to communicate with A and impersonate A to communicate with B, obtaining the key used for communication and thereby learning the entire content of the communication between A and B, as shown in Fig. 2.
Step 21: C and A negotiate and obtain key1.
Step 22: C and B negotiate and obtain key2.
Step 23: when C receives a message sent by A, it decrypts it with key1 to obtain the plaintext, then encrypts it with key2 and sends it to B.
Step 24: when C receives a message sent by B, it decrypts it with key2 to obtain the plaintext, then encrypts it with key1 and sends it to A.
It follows that the first key exchange scheme cannot solve the problem of man-in-the-middle attacks and cannot guarantee the security of the communication.
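The failure mode of Fig. 1 and Fig. 2, as an added example that is not part of the patent: a Python simulation in which A and B run the unauthenticated exchange while C supplies its own public value to both sides, so that A's key equals C's key1 and B's key equals C's key2 while A and B never share a key. The toy group and the key fingerprint are this example's assumptions; the fingerprint shows that the mismatch is only visible when A and B compare it over a path C does not control, which is the observation the multi-channel scheme builds on.

```python
"""Unauthenticated key exchange with a third party in the middle (example code)."""
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for the example (assumption).
P = 2**127 - 1
G = 2


def private_key() -> int:
    return secrets.randbelow(P - 2) + 1


def exchange_key(my_private: int, peer_public: int) -> int:
    """Steps 16/17: the key computed from one's own private key and the
    public value that arrived from the (supposed) peer."""
    return pow(peer_public, my_private, P)


def fingerprint(key: int) -> str:
    """Short digest of a key that a party could read out to its peer over an
    independent channel (assumption of this example, not in the patent)."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]


def honest_run() -> tuple:
    """Fig. 1 without interference: A and B end up with the same key."""
    xa, xb = private_key(), private_key()
    ya, yb = pow(G, xa, P), pow(G, xb, P)
    return exchange_key(xa, yb), exchange_key(xb, ya)


def fig2_run() -> dict:
    """Fig. 2: C answers both A and B with its own public value Yc."""
    xa, xb, xc = private_key(), private_key(), private_key()
    ya, yb, yc = (pow(G, x, P) for x in (xa, xb, xc))
    return {
        "key_a": exchange_key(xa, yc),   # A believes Yc came from B
        "key1": exchange_key(xc, ya),    # Step 21: C's key with A
        "key_b": exchange_key(xb, yc),   # B believes Yc came from A
        "key2": exchange_key(xc, yb),    # Step 22: C's key with B
    }


def endpoints_agree(run: dict) -> bool:
    """What an out-of-band fingerprint comparison between A and B would report."""
    return fingerprint(run["key_a"]) == fingerprint(run["key_b"])


if __name__ == "__main__":
    r = fig2_run()
    print("A shares its key with C:", r["key_a"] == r["key1"])
    print("B shares its key with C:", r["key_b"] == r["key2"])
    print("A and B fingerprints agree:", endpoints_agree(r))
```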
In the second key exchange scheme, the specific flow by which A and B set up encrypted communication using the public/private key and certificate method is shown in Fig. 3 and includes the following steps:
Step 30: B provides its own identity information to a Certificate Authority (CA) and applies for a certificate.
Step 31: after the CA verifies B's identity, it issues a certificate containing a public/private key pair, identity information and a digital signature over B's identity.
Step 32: B stores the private key locally; the public key, identity information and signature can be published for download and transmission.
Step 33: A and B set up an ordinary communication channel, for example a TCP link.
Step 34: A downloads and obtains B's public key, identity information and signature.
Step 35: A verifies through the signature that the certificate was indeed issued by the CA; if A trusts this CA, A trusts B.
Step 36: A generates a random secret key key.
Step 37: A encrypts the generated random secret key key with B's public key and sends it to B.
Step 38: B decrypts with its private key and obtains key.
Step 39: A and B encrypt the subsequent communication content.
It should be noted that: 1) the interaction above is only the critical workflow; actual protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) have some additional details, for example the encryption algorithm is also negotiated, A and B exchange random numbers each has generated, and the key actually used to encrypt the communication content is generated from the random numbers together with key; 2) in some scenarios B may also require that the identity of A be authenticated, that is, A also provides a digital certificate; 3) it is also possible to bypass an authoritative CA and have one or both communicating parties preset the other party's public key directly; 4) the identity verification of step 35 can also be omitted; 5) certificate identity authentication can also be used together with a key exchange algorithm such as the D-H above.
It follows that applying to an authoritative CA for a certificate costs a certain fee; a certificate normally has a limited validity period and must be renewed regularly, and updating the certificate/public key is troublesome; the communicating peer must also trust the CA; when the peer's certificate or public key is preset, means similar to a digital signature are needed to verify that the software has not been tampered with by an attacker, so transmitting the certificate/public key is troublesome; and if certificate identity verification is omitted, man-in-the-middle attacks cannot be avoided.
In view of above two sets up problem present in the scheme of safe encryption channel, the embodiment of the present application provides a kind of new The method and apparatus for setting up safe encryption channel, man-in-the-middle attack can either be resisted, additionally it is possible to reduce the necessity of ca authentication. Wherein, method and apparatus are based on same inventive concept, because the principle of method and device solve problem is similar, therefore device Implementation with method can be repeated part and repeated no more with cross-reference.
Referring to Fig. 4, the method for establishing a secure encrypted channel provided by the embodiments of the present application specifically includes the following steps:
Step 41: A first device establishes a first communication channel with a second device.
In practical applications, the first device is usually a terminal device and the second device is usually an application server; alternatively, both the first device and the second device are terminal devices. Optionally, the first communication channel is an ordinary communication channel, such as the communication channel of a TCP link.
Step 42: The first device generates a first key and a first identifier, the first identifier corresponding uniquely to the first key.
It should be noted that the first key generated by the first device is usually in the form of a string; optionally, it may be represented as a binary, octal or hexadecimal string. The length of the first key differs depending on the encryption algorithm used.
The first identifier generated by the first device is a Universally Unique Identifier (UUID), usually expressed in digits; the UUID is guaranteed to be unique for any first device at the same moment. Optionally, the UUID in the embodiments of the present application is generated according to the standard formulated by the Open Software Foundation (OSF), using the Ethernet card address, the nanosecond-resolution time, the chip identification (ID) code and other possible numbers. By way of example, the UUID is composed of the following parts:
(1) The current date and time. The first part of the UUID is related to the time: if the first device generates a UUID at one moment and generates another UUID a few seconds later, the first part differs and the rest is identical.
(2) A clock sequence.
(3) A globally unique IEEE machine identification number, obtained from the (MAC) address of the network card if the first device has one, and obtained by other means otherwise.
It should be noted that the above is only an exemplary composition of a UUID; other combinations may also be used and are not specifically limited, as long as global uniqueness is guaranteed.
Step 43: The first device splits the first key into N parts, N being a positive integer greater than or equal to 2.
Preferably, the first device splits the first key into 2 parts, a first part and a second part respectively.
Specifically, when splitting the first key, the first device may split it at any position in the first key. Optionally, the first device splits the first key according to the message length limit of each communication channel, or a key length constraint is preset for each communication channel and the first key is split according to the preset constraint.
Step 44: The first device sends X parts of the first key together with the first identifier to the second device over the first communication channel, and sends the first identifier together with the remaining parts of the first key to the second device over other communication channels, X being a positive integer less than N.
When the first device splits the first key into 2 parts, the first device sends the first part of the first key and the first identifier to the second device over the first communication channel, and sends the first identifier and the second part of the first key to the second device over a second communication channel, the second communication channel being different from the first communication channel.
Example 1: The first device generates a first key represented as the hexadecimal string 82a0359a55871902b04c23f56134d757, 16 bytes in total, and splits it into two parts, 82a0359a55871902b04c23f5 and 6134d757. The first part and the first identifier are sent to the second device over the first communication channel, with the first part preceding the first identifier; the first identifier and the second part are sent to the second device over the second communication channel, with the first identifier preceding the second part.
When the first device splits the first key into at least 3 parts, then when sending each part of the first key together with the first identifier, the first device also needs to send the split sequence number corresponding to that part. The split sequence number describes the position of that part within the first key, so that the second device can splice the parts into a complete and accurate key on the basis of the split sequence numbers and the corresponding first identifier.
Example 2: Using the same first key 82a0359a55871902b04c23f56134d757 as in Example 1, the first device splits the key into 3 parts, 82a0359a55871902b0, 4c23f5 and 6134d757, with split sequence numbers (01), (02) and (03) respectively. The first part, the first identifier and the corresponding split sequence number (01) may then be sent to the second device over the first communication channel; the first identifier, the second part and the corresponding split sequence number (02) over the second communication channel; and the first identifier, the third part and the corresponding split sequence number (03) over a third communication channel. Optionally, any two of the first, second and third parts may use the same communication channel, as long as all three do not use the same one.
Step 45: After the second device receives the key parts sent by the first device over different communication channels and the corresponding unique identifier, it splices the key parts bearing the same unique identifier into the first key.
Step 46: The second device encrypts the communication content sent to the first device on the basis of the first key.
Because the parts of the first key can be transmitted over at least two communication channels, a man-in-the-middle attacker now has to eavesdrop on all of the communication channels at once, which greatly increases the difficulty. The problem of man-in-the-middle attacks can thereby be effectively avoided, the security of key transmission is greatly improved, and the need for CA authentication is reduced, avoiding the troublesome operations of CA authentication.
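The following Python program is an added example and not code from the patent; it implements steps 42 to 45 and reproduces the values of Example 1 and Example 2. The message layout (a dictionary with the fields uuid, seq, total and part), the split sequence number being present even for two parts, and the consistency checks on the receiving side are this example's own choices: the patent only requires the sequence number for three or more parts and leaves the framing of each message open.

```python
"""Steps 42 to 45: tag, split, send over separate channels, reassemble (added example)."""
import secrets
import uuid


def generate_first_key(nbytes=16):
    """Step 42: a random first key as a hex string (Example 1 uses a 16-byte key)."""
    return secrets.token_hex(nbytes)


def split_first_key(key_hex, cut_points, first_id=None):
    """Steps 42 to 44: cut the key at the given hex offsets and label every part
    with the first identifier (a UUID) and a split sequence number.
    Returns (first_id, messages); each message is handed to one channel."""
    if list(cut_points) != sorted(set(cut_points)) or any(
            not 0 < c < len(key_hex) for c in cut_points):
        raise ValueError("cut points must be strictly increasing and inside the key")
    bounds = [0, *cut_points, len(key_hex)]
    parts = [key_hex[a:b] for a, b in zip(bounds, bounds[1:])]
    first_id = first_id or str(uuid.uuid4())
    return first_id, [
        {"uuid": first_id, "seq": i, "total": len(parts), "part": p}
        for i, p in enumerate(parts, start=1)
    ]


class SecondDevice:
    """Step 45: collect parts per UUID; reject inconsistent, duplicate or mixed parts."""

    def __init__(self):
        self.pending = {}  # first_id -> {"total": N, "parts": {seq: hex}}

    def receive(self, msg):
        """Returns the reassembled first key once all N parts for msg['uuid'] have
        arrived, otherwise None. Parts may arrive in any order and on any channel."""
        first_id, seq, total = msg["uuid"], msg["seq"], msg["total"]
        bucket = self.pending.setdefault(first_id, {"total": total, "parts": {}})
        if total != bucket["total"] or not 1 <= seq <= total:
            raise ValueError("inconsistent split metadata for " + first_id)
        if seq in bucket["parts"]:
            raise ValueError("duplicate part %d for %s" % (seq, first_id))
        bucket["parts"][seq] = msg["part"]
        if len(bucket["parts"]) < total:
            return None
        del self.pending[first_id]
        return "".join(bucket["parts"][i] for i in range(1, total + 1))


if __name__ == "__main__":
    key = "82a0359a55871902b04c23f56134d757"  # the key of Example 1 and Example 2
    first_id, (tcp_msg, sms_msg) = split_first_key(key, [24])
    b = SecondDevice()
    print(b.receive(sms_msg))          # the second-channel part alone is not enough
    print(b.receive(tcp_msg) == key)   # both parts with the same UUID rebuild the key
    _, three = split_first_key(key, [18, 24])
    print([m["part"] for m in three])
```

Keying the buffer on the UUID is what lets the second device tell apart parts of two keys that are in flight at the same time; the total and range checks stop a part from one exchange from completing another, and the duplicate check stops a replayed part from overwriting one already received.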
The method of Fig. 4 is described in detail below through two practical application scenarios, taking the case in which the first key is split into 2 parts as the illustration.
Scenario one
Scenario one is the process of establishing encrypted communication using a key exchange algorithm when a user opens a mobile phone application and carries out an online transaction with the application server; the specific flow is shown in Fig. 5. Here A is the mobile phone on which the application is installed, and B is the application server of that application.
50. A and B establish a first communication channel, for example a TCP link.
51. A negotiates with B and exchanges public information, such as the exchange algorithm and the public information the algorithm requires.
52. A randomly selects a first private key Xa. Xa need not be sent over the network; A stores it only locally. A operates on the public information and Xa with the negotiated exchange algorithm to obtain a first key Ya, and generates a globally unique identifier as the first identifier, for example UUID1.
53. A splits Ya into two parts and sends the first part of Ya to B over the first communication channel established in step 50, carrying the UUID1 generated above.
54. A sends the second part of Ya to B over a second communication channel, also carrying the UUID1 generated above. Optionally, the second communication channel is a short message channel, the called number of the short message being the number of B. The application server is now equivalent to a Service Provider (SP) and can interface with the short message gateway or short message centre through short message protocol standards such as Short Message Peer to Peer (SMPP)/China Mobile Peer to Peer (CMPP), without installing a Subscriber Identification Module (SIM) card on the application server. The communication number of B may be preset in A's application software, or may be told to A by B when the encryption algorithm is negotiated in step 51.
55. The short message centre/short message gateway forwards the short message to B according to the called number through protocol standards such as SMPP/CMPP.
56. B receives the second part of Ya and the first part of Ya, associates them through UUID1, and splices them into the complete Ya.
57. B randomly selects a second private key Xb, operates on the public information and Xb with the negotiated exchange algorithm to obtain a second key Yb, and sends Yb to A.
58. A takes Xa and Yb as parameters and computes the target key (key1).
59. B takes Xb and Ya as parameters and computes key1.
510. A and B both encrypt the communication content with key1.
It should be noted that scenario one describes the encryption flow in detail for the case in which A splits the first key into two parts; in practical applications the first key may optionally be split into more parts and sent to B over the first communication channel, the second communication channel or other communication channels. The process is similar and is not repeated here.
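Scenario one, as an added example that is not the patent's code and runs both sides of the exchange offline: A derives Ya from Xa in the 2048-bit MODP group of RFC 3526 (group 14, transcribed here; the Miller-Rabin self-check would fail on a transcription error), splits Ya in half, tags both halves with UUID1 and hands them to two simulated channels; B reassembles Ya, answers with Yb, and both sides derive key1. The group, the SHA-256 derivation of key1 from the shared secret, the dictionary messages and the range check on received public values are assumptions of this example, not details the patent specifies. As the description above states, the split only raises the bar for an attacker who cannot read both channels; neither Ya nor Yb is authenticated in this flow, which is the trade-off it makes against CA certification.

```python
"""Scenario one: Diffie-Hellman with A's public value Ya split over two channels (added example)."""
import hashlib
import secrets
import uuid

# 2048-bit MODP group 14 prime from RFC 3526, transcribed here; is_probable_prime() is the self-check.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
HEX_LEN = 512  # Ya as a zero-padded hex string (2048 bits)


def is_probable_prime(n, rounds=8):
    """Miller-Rabin; used only to sanity-check the transcribed prime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_public_value(y):
    """Reject Ya/Yb outside [2, P-2]: 0, 1 and P-1 would pin the shared secret."""
    if not 2 <= y <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return y


def derive_key1(shared_secret):
    """Steps 58/59: key1 = SHA-256 of the shared secret (this example's choice)."""
    return hashlib.sha256(shared_secret.to_bytes(HEX_LEN // 2, "big")).digest()


class DeviceA:
    def __init__(self):
        self.xa = 2 + secrets.randbelow(P - 3)  # step 52: first private key Xa, never sent
        self.ya = pow(G, self.xa, P)             # first key Ya
        self.uuid1 = str(uuid.uuid4())           # first identifier UUID1

    def outgoing(self):
        """Steps 53/54: the two halves of Ya, each tagged with UUID1, one per channel."""
        ya_hex = format(self.ya, "0%dx" % HEX_LEN)
        half = HEX_LEN // 2
        tcp_msg = {"part": ya_hex[:half], "uuid": self.uuid1, "seq": 1}
        sms_msg = {"uuid": self.uuid1, "part": ya_hex[half:], "seq": 2}
        return tcp_msg, sms_msg

    def finish(self, yb):
        """Step 58: key1 from Xa and Yb."""
        return derive_key1(pow(check_public_value(yb), self.xa, P))


class DeviceB:
    def __init__(self):
        self.xb = 2 + secrets.randbelow(P - 3)  # step 57: second private key Xb
        self.yb = pow(G, self.xb, P)             # second key Yb, returned to A
        self.pending = {}                        # UUID1 -> {seq: hex part}

    def receive(self, msg):
        """Step 56: associate halves by UUID1; return Ya once both have arrived."""
        parts = self.pending.setdefault(msg["uuid"], {})
        parts[msg["seq"]] = msg["part"]
        if len(parts) < 2:
            return None
        del self.pending[msg["uuid"]]
        return check_public_value(int(parts[1] + parts[2], 16))

    def finish(self, ya):
        """Step 59: key1 from Xb and Ya."""
        return derive_key1(pow(ya, self.xb, P))


def run_exchange():
    """Steps 52 to 59, with the SMS half reaching B before the TCP half."""
    a, b = DeviceA(), DeviceB()
    tcp_msg, sms_msg = a.outgoing()
    if b.receive(sms_msg) is not None:
        raise RuntimeError("B completed Ya from a single channel")
    ya = b.receive(tcp_msg)
    return a.finish(b.yb), b.finish(ya), tcp_msg, sms_msg
```

Calling run_exchange() returns the two copies of key1, which are equal, together with the two messages; a reader who wants the attacker's view can compare what either message alone reveals with the full Ya. In production the short message would carry the half as text within the channel's length limit, which is what the patent's length-based splitting in step 43 addresses.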
Scenario two
Scenario two is the process of establishing encrypted communication using a public/private key pair and a certificate when a user opens a mobile phone application and carries out an online transaction with the application server; the specific flow is shown in Fig. 6. Here A is the mobile phone on which the application is installed, and B is the application server of that application.
60. B applies to a CA for a certificate or generates one itself; the certificate material comprises a private key, a public key, identity information and a signature over B's identity. B stores the private key locally; the public key, the identity information and the signature may be published for download and transmission.
61. A and B establish a first communication channel, for example a TCP link.
It should be noted that the execution order of step 60 and step 61 is not specifically limited: step 60 may be executed before step 61, step 61 before step 60, or the two may be executed at the same time.
62. A and B negotiate and determine the encryption algorithm and the key exchange algorithm; A downloads and obtains B's public key, identity information and signature.
63. A verifies the identity of B. In practical applications, whether B's identity needs to be verified may be chosen according to the actual situation; when it need not be verified, step 63 may be skipped.
64. A randomly generates a first key key1, and generates a globally unique identifier as the first identifier, for example UUID1.
65. A splits key1 into two parts, encrypts the first part with B's public key and sends it to B over the first communication channel, carrying the UUID1 generated above.
66. A encrypts the second part of key1 with B's public key and sends it to B over a second communication channel, also carrying the UUID1 generated above. Optionally, the second communication channel is a short message channel, the called number of the short message being the number of B; the application server is now equivalent to an SP and can interface with the short message gateway or short message centre through protocol standards such as SMPP/CMPP, without installing a SIM card on the application server. The communication number of B may be preset in A's application software, or may be told to A by B when the algorithms are negotiated in step 62.
67. The short message centre/short message gateway forwards the short message to B according to the called number through protocol standards such as SMPP/CMPP.
68. After B receives the second part and the first part of key1, it associates them through UUID1, decrypts each with its local private key, and splices them into the complete key1.
69. A and B both encrypt the communication content with key1.
Based on the above embodiments, Fig. 7 is a schematic structural diagram of the device for establishing a secure encrypted channel provided by the embodiments of the present application. The device 700 may be a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a Point of Sales (POS) terminal, a vehicle-mounted computer, a desktop computer, a notebook, a server or the like, and may be used to perform the process of the first device or device A in the methods shown in Fig. 1 to Fig. 6. The device 700 includes a processing unit 710 and a communication unit 711, wherein:
the processing unit 710 is configured to establish a first communication channel with a peer device; to generate a first key and a first identifier, the first identifier corresponding uniquely to the first key; and to split the first key into N parts, N being a positive integer greater than or equal to 2;
the communication unit 711 is configured to send X parts of the first key together with the first identifier to the peer device over the first communication channel, and to send the first identifier together with the remaining parts of the first key to the peer device over other communication channels, X being a positive integer less than N.
Optionally, the communication unit 711 is specifically configured to:
when N is 2, send the first part of the first key and the first identifier to the peer device over the first communication channel, and send the first identifier and the second part of the first key to the peer device over a second communication channel, the second communication channel being different from the first communication channel.
Optionally, the processing unit 710 is specifically configured to:
select a first private key, and operate on the first private key and the public information of the key exchange algorithm negotiated with the peer device, using that key exchange algorithm, to obtain the first key.
Optionally, after the communication unit 711 sends the first part of the first key and the first identifier to the peer device over the first communication channel and sends the first identifier and the second part of the first key to the peer device over the second communication channel, the communication unit 711 is further configured to:
receive a second key sent by the peer device, the second key being obtained by the peer device by operating, with the key exchange algorithm negotiated with the first device, on a second private key selected by the peer device itself and the public information of the key exchange algorithm;
and the processing unit 710 is further configured to compute a target key from the first private key and the second key, and to encrypt the communication content sent to the peer device using the target key.
Optionally, before the communication unit 711 sends the first part of the first key and the first identifier to the peer device over the first communication channel and sends the first identifier and the second part of the first key to the peer device over the second communication channel, the communication unit 711 is further configured to:
after the peer device has obtained a certificate including a first public key and a first private key, download and obtain the first public key.
Optionally, the communication unit 711 is specifically configured to:
encrypt the first part and the second part of the first key with the first public key;
send the encrypted first part and the first identifier to the peer device over the first communication channel, and send the first identifier and the encrypted second part to the peer device over the second communication channel.
Optionally, the processing unit 710 is further configured to:
after the communication unit 711 sends the first part of the first key and the first identifier to the peer device over the first communication channel and sends the first identifier and the second part of the first key to the peer device over the second communication channel, encrypt the communication content sent to the peer device using the first key.
The device 700 involved in the embodiments of the present application may be an independent component or may be integrated with other components; for example, the device 700 provided by the embodiments of the present invention may be a terminal in an existing communication network, or a component integrated in such a terminal.
It should be noted that the function implementation and interaction of the units of the device 700 in the embodiments of the present invention may further refer to the description of the related method embodiments and are not repeated here.
In addition, each of the above "units" may be implemented by an application-specific integrated circuit (ASIC), by a processor and memory executing one or more software or firmware programs, by an integrated logic circuit, and/or by other devices that can provide the above functions.
Since the implementation and beneficial effects of the device 700 in solving the problem may refer to the implementation and beneficial effects of the method embodiments of the present invention, the implementation of the device 700 may refer to that of the method, and repeated parts are not described again.
Based on the same inventive concept, the embodiments of the present application also provide a device, as shown in Fig. 8. The device 800 includes a memory 801, a transceiver 803 and at least one processor 802; the components are connected by a bus.
The memory 801 is configured to store computer-executable program code, the program code including instructions; when the processor 802 executes the instructions, the instructions cause the device to perform the process of the first device in the method for establishing a secure encrypted channel of the method embodiments of the present application, for example steps 41, 42, 43 and 44 of the method of Fig. 4 in the method embodiments of the present application. Since the implementation and beneficial effects of the device in solving the problem may refer to those of the above method, the implementation of the device may refer to that of the above method, and repeated parts are not described again.
Based on the above embodiments, Fig. 9 is a schematic structural diagram of the device for establishing a secure encrypted channel provided by the embodiments of the present application. The device 900 may be a mobile phone, a tablet computer, a PDA, a POS terminal, a vehicle-mounted computer, a desktop computer, a notebook, a server or the like, and may be used to perform the process of the second device or device B in the methods shown in Fig. 1 to Fig. 6. The device 900 includes a processing unit 910 and a communication unit 911, wherein:
the communication unit 911 is configured to receive the key parts sent by a peer device over different communication channels and the corresponding unique identifier;
the processing unit 910 is configured to splice the key parts bearing the same unique identifier into a first key, and to encrypt the communication content on the basis of the first key.
Optionally, the processing unit 910 is specifically configured to:
compute a target key from a selected private key and the first key;
encrypt the communication content sent to the peer device using the target key.
Optionally, the processing unit 910 is specifically configured to:
decrypt the key parts bearing the same unique identifier using the private key stored locally on the second device, and then splice the key parts into the first key.
Optionally, the processing unit 910 is specifically configured to:
encrypt the communication content sent to the peer device using the first key.
The device 900 involved in the embodiments of the present application may be an independent component or may be integrated with other components; for example, the device 900 provided by the embodiments of the present invention may be an application server in an existing communication network, or a component integrated in such a server.
It should be noted that the function implementation and interaction of the units of the device 900 in the embodiments of the present invention may further refer to the description of the related method embodiments and are not repeated here.
In addition, each of the above "units" may be implemented by an application-specific integrated circuit (ASIC), by a processor and memory executing one or more software or firmware programs, by an integrated logic circuit, and/or by other devices that can provide the above functions.
Since the implementation and beneficial effects of the device 900 in solving the problem may refer to the implementation and beneficial effects of the method embodiments of the present invention, the implementation of the device 900 may refer to that of the method, and repeated parts are not described again.
Based on the same inventive concept, the embodiments of the present application also provide a device 1000 for performing the process of the second device in the method embodiment of Fig. 4 for establishing a secure encrypted channel. As shown in Fig. 10, the device 1000 includes a processor 1002, a memory 1001 and a transceiver 1003. The program code for executing the solution of the present invention is stored in the memory 1001; the processor 1002 executes it and, in cooperation with the transceiver 1003, performs the method for establishing a secure encrypted channel shown in Fig. 4.
It may be understood that the processor in the above device 800 and device 1000 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of the present invention.
The transceiver may be an entity module capable of sending and receiving, so as to communicate with other devices or with a communication network.
The memory, for example RAM, stores the operating system and the program that executes the solution of the present invention. The operating system is a program that controls the running of other programs and manages system resources. The memory may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or a magnetic disk memory.
These memories and the transceiver may be connected to the processor by a bus, or may each be connected to the processor by a dedicated connection line.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk memory, CD-ROM and optical memory) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art, once they know the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art may make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include these changes and modifications.

Claims (22)

1. a kind of method for setting up safe encryption channel, it is characterised in that including:
First equipment sets up the first communication port with the second equipment;
The first equipment generation first key and the first mark, first mark and the first key are uniquely corresponded to;
The first key is split as N number of part by first equipment, and N is the positive integer more than or equal to 2;
First equipment sends X part of the first key and the described first mark by first communication port To the second equipment, and the remainder of the described first mark and the first key is sent to second by other communication ports Equipment, X is the positive integer less than N.
2. the method for claim 1, it is characterised in that first equipment by X part of the first key and First mark is sent to the second equipment by first communication port, and described first is identified and the first key Remainder sent to the second equipment by other communication ports, including:
When N is 2, first equipment leads to the Part I of the first key and first mark by described first Letter passage is sent to the second equipment, and the Part II of the described first mark and the first key is passed through into the second communication port Send to the second equipment, second communication port is different from first communication port.
3. method as claimed in claim 2, it is characterised in that the first equipment generation first key includes:
The private key of first equipment choice first, the Diffie-Hellman for determining is consulted to described the using with second equipment One private key carries out computing and obtains the first key with the disclosure of the Diffie-Hellman.
4. method as claimed in claim 3, it is characterised in that first equipment by the Part I of the first key and First mark is sent to the second equipment by first communication port, and described first is identified and the first key Part II sent to the second equipment by the second communication port, also include:
First equipment receives the second key that second equipment sends, and second key is based on for second equipment Second private key of itself selection, the Diffie-Hellman for determining is consulted to second private key using with first equipment Carry out what computing was obtained with the disclosure of the Diffie-Hellman;
First private key described in first equipment utilization and the second key computing obtain target cipher key;
Target cipher key is encrypted to the Content of Communication sent to second equipment described in first equipment utilization.
5. method as claimed in claim 2, it is characterised in that first equipment by the Part I of the first key and First mark is sent to the second equipment by first communication port, and described first is identified and the first key Part II sent to before the second equipment by the second communication port, also include:
After second equipment is got including the first public key, the certificate of the first private key, download obtains institute to first equipment State the first public key.
6. method as claimed in claim 5, it is characterised in that first equipment by the Part I of the first key and First mark is sent to the second equipment by first communication port, and described first is identified and the first key Part II sent to the second equipment by the second communication port, including:
The Part I and Part II of the first key are utilized first public key encryption by first equipment;
First equipment sends to the Part I after encryption and first mark by first communication port Two equipment, and the Part II after the described first mark and encryption is sent to the second equipment by the second communication port.
7. method as claimed in claim 6, it is characterised in that first equipment by the Part I of the first key and First mark is sent to the second equipment by first communication port, and described first is identified and the first key Part II sent to the second equipment by the second communication port, also include:
First key is encrypted to the Content of Communication sent to second equipment described in first equipment utilization.
8. A method for establishing a secure encrypted channel, characterized by comprising:
a second device receiving key parts and the corresponding unique identifier sent by a first device through different communication channels;
the second device splicing the key parts that carry the same unique identifier into a first key;
the second device encrypting communication content based on the first key.
9. The method as claimed in claim 8, characterized in that the second device encrypting communication content based on the first key comprises:
the second device computing a target key from a private key selected by itself and the first key;
the second device encrypting the communication content sent to the first device using the target key.
10. The method as claimed in claim 8, characterized in that the second device splicing the key parts that carry the same unique identifier into a first key comprises:
after the second device decrypts the key parts that carry the same unique identifier using a private key stored locally on the second device, splicing the key parts into the first key.
11. The method as claimed in claim 10, characterized in that the second device encrypting communication content based on the first key comprises:
the second device encrypting the communication content sent to the first device using the first key.
12. A device for establishing a secure encrypted channel, characterized by comprising:
a processing unit, configured to establish a first communication channel with a peer device; to generate a first key and a first identifier, the first identifier uniquely corresponding to the first key; and to split the first key into N parts, N being a positive integer greater than or equal to 2;
a communication unit, configured to send X parts of the first key and the first identifier to the peer device through the first communication channel, and to send the first identifier and the remaining parts of the first key to the peer device through other communication channels, X being a positive integer less than N.
13. The device as claimed in claim 12, characterized in that the communication unit is specifically configured to:
when N is 2, send the first part of the first key and the first identifier to the peer device through the first communication channel, and send the first identifier and the second part of the first key to the peer device through a second communication channel, the second communication channel being different from the first communication channel.
14. The device as claimed in claim 13, characterized in that the processing unit is specifically configured to:
select a first private key, and obtain the first key by computing, with the key exchange algorithm (Diffie-Hellman) negotiated with the peer device, on the first private key and the public parameters of that key exchange algorithm.
15. The device as claimed in claim 14, characterized in that after the communication unit sends the first part of the first key and the first identifier to the peer device through the first communication channel, and sends the first identifier and the second part of the first key to the peer device through the second communication channel, the communication unit is further configured to:
receive a second key sent by the peer device, the second key being obtained by the peer device by computing, with the key exchange algorithm (Diffie-Hellman) negotiated with the first device, on a second private key selected by itself and the public parameters of that key exchange algorithm;
and the processing unit is further configured to compute a target key from the first private key and the second key, and to encrypt the communication content sent to the peer device using the target key.
16. The device as claimed in claim 13, characterized in that before the communication unit sends the first part of the first key and the first identifier to the peer device through the first communication channel, and sends the first identifier and the second part of the first key to the peer device through the second communication channel, the communication unit is further configured to:
after the peer device has obtained a certificate comprising a first public key and a first private key, download and obtain the first public key.
17. The device as claimed in claim 16, characterized in that the communication unit is specifically configured to:
encrypt the first part and the second part of the first key using the first public key;
send the encrypted first part and the first identifier to the peer device through the first communication channel, and send the first identifier and the encrypted second part to the peer device through the second communication channel.
18. The device as claimed in claim 17, characterized in that the processing unit is further configured to:
after the communication unit sends the first part of the first key and the first identifier to the peer device through the first communication channel, and sends the first identifier and the second part of the first key to the peer device through the second communication channel, encrypt the communication content sent to the peer device using the first key.
19. A device for establishing a secure encrypted channel, characterized by comprising:
a communication unit, configured to receive key parts and the corresponding unique identifier sent by a peer device through different communication channels;
a processing unit, configured to splice the key parts that carry the same unique identifier into a first key, and to encrypt communication content based on the first key.
20. The device as claimed in claim 19, characterized in that the processing unit is specifically configured to:
compute a target key from a selected private key and the first key;
encrypt the communication content sent to the peer device using the target key.
21. The device as claimed in claim 19, characterized in that the processing unit is specifically configured to:
after decrypting the key parts that carry the same unique identifier using a private key stored locally on the second device, splice the key parts into the first key.
22. The device as claimed in claim 21, characterized in that the processing unit is specifically configured to:
encrypt the communication content sent to the peer device using the first key.
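The following is an added worked example, not code from the patent or from its assignee, of the scheme the claims describe: the first device derives a first key from a private key and public Diffie-Hellman parameters (claim 14), splits it into N parts tagged with a unique identifier and sends each part over a separate channel (claims 12 and 13), the second device groups received parts by identifier and splices only a complete set (claims 8, 10 and 19), and both sides combine their private key with the peer's key into a target key used to encrypt traffic (claims 9, 15 and 20). The toy group parameters, the per-part index, the channel names and the SHA-256 counter-mode keystream are this example's own assumptions; the public-key encryption of the parts from claims 6, 16 and 17 is not shown.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Toy Diffie-Hellman group for this example only (2**127 - 1 is prime);
# a deployment would use a standard group, e.g. an RFC 7919 MODP group.
P = 2**127 - 1
G = 5
KEY_BYTES = 16                      # group elements fit in 16 bytes
CHANNELS = ["ch1", "ch2", "ch3"]    # assumed channel names, one part each

# A message on a channel: (identifier, part index, key part). The index is an
# assumption of this example so parts can be spliced in order; the claims only
# require the identifier.
Message = Tuple[bytes, int, bytes]


def split_key(key: bytes, n: int) -> List[bytes]:
    """Split key bytes into n contiguous parts; the last part takes the remainder."""
    size = len(key) // n
    parts = [key[i * size:(i + 1) * size] for i in range(n - 1)]
    parts.append(key[(n - 1) * size:])
    return parts


def sender_prepare(priv: int, n: int) -> Tuple[bytes, Dict[str, Message]]:
    """First device: first key = G^priv mod P, split into n parts, each tagged
    with a fresh identifier and assigned to its own channel."""
    first_key = pow(G, priv, P).to_bytes(KEY_BYTES, "big")
    ident = secrets.token_bytes(8)
    parts = split_key(first_key, n)
    msgs = {CHANNELS[i]: (ident, i, parts[i]) for i in range(n)}
    return ident, msgs


def receiver_reassemble(received: List[Message], n: int) -> Dict[bytes, bytes]:
    """Second device: group parts by identifier and splice a first key only
    when every index 0..n-1 for that identifier has arrived."""
    groups: Dict[bytes, Dict[int, bytes]] = {}
    for ident, idx, part in received:
        groups.setdefault(ident, {})[idx] = part
    keys: Dict[bytes, bytes] = {}
    for ident, parts in groups.items():
        if sorted(parts) == list(range(n)):
            keys[ident] = b"".join(parts[i] for i in range(n))
    return keys


def target_key(own_priv: int, peer_key: bytes) -> bytes:
    """Combine own private key with the peer's DH value into a symmetric key."""
    shared = pow(int.from_bytes(peer_key, "big"), own_priv, P)
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Illustrative keystream cipher (SHA-256 in counter mode); it is not
    authenticated and stands in for whatever cipher a deployment would use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def run_exchange(plaintext: bytes) -> Tuple[bool, bytes]:
    """Run the whole flow; return (keys agree and only one key was spliced,
    plaintext recovered by the first device)."""
    a = secrets.randbelow(P - 2) + 2        # first device private key
    b = secrets.randbelow(P - 2) + 2        # second device private key
    ident, msgs = sender_prepare(a, len(CHANNELS))
    received = [msgs[c] for c in CHANNELS]
    # Constructed stray part with an unrelated identifier: it must not be spliced.
    received.append((secrets.token_bytes(8), 0, b"\x00" * 5))
    keys = receiver_reassemble(received, len(CHANNELS))
    first_key = keys[ident]
    second_key = pow(G, b, P).to_bytes(KEY_BYTES, "big")   # sent back to first device
    k_second = target_key(b, first_key)
    k_first = target_key(a, second_key)
    ciphertext = xor_stream(k_second, plaintext)
    return (k_first == k_second and len(keys) == 1), xor_stream(k_first, ciphertext)


if __name__ == "__main__":
    ok, recovered = run_exchange(b"hello over three channels")
    print(ok, recovered)
```

Splicing only a complete set of parts that share one identifier is the check a receiver needs: a part arriving on one channel with a different identifier (a stale session, or a corrupted or injected message) never contaminates the key under assembly, and an incomplete set is simply not used.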

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611086497.9A CN106788989B (en) 2016-11-30 2016-11-30 Method and equipment for establishing secure encrypted channel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611086497.9A CN106788989B (en) 2016-11-30 2016-11-30 Method and equipment for establishing secure encrypted channel

Publications (2)

Publication Number Publication Date
CN106788989A true CN106788989A (en) 2017-05-31
CN106788989B CN106788989B (en) 2020-01-21

Family

ID=58914940

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611086497.9A Active CN106788989B (en) 2016-11-30 2016-11-30 Method and equipment for establishing secure encrypted channel

Country Status (1)

Country Link
CN (1) CN106788989B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020146119A1 (en) * 2001-02-05 2002-10-10 Alexander Liss Two channel secure communication
CN1926793A (en) * 2004-03-09 2007-03-07 汤姆逊许可证公司 Safety data transmission management and control through multi-channel authorization
US20130311783A1 (en) * 2011-02-10 2013-11-21 Siemens Aktiengesellschaft Mobile radio device-operated authentication system using asymmetric encryption
CN103458400A (en) * 2013-09-05 2013-12-18 中国科学院数据与通信保护研究教育中心 Key management method for voice encryption communication system
CN103618609A (en) * 2013-09-09 2014-03-05 南京邮电大学 User timely revocation method based on attribute-based encryption in cloud environment
CN103780375A (en) * 2012-10-19 2014-05-07 中国电信股份有限公司 Data transmitting method and device, and data receiving method and device
CN104333455A (en) * 2014-11-26 2015-02-04 肖龙旭 Secrete communication system and method for smart phone

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109388111A (en) * 2017-08-02 2019-02-26 西门子股份公司 The method and apparatus of security function is realized under equipment and/or facility control environment
CN107920052A (en) * 2017-08-02 2018-04-17 唐盛(北京)物联技术有限公司 A kind of encryption method and intelligent apparatus
US11003763B2 (en) 2017-08-02 2021-05-11 Siemens Aktiengesellschaft Methods and apparatuses for achieving a security function, in particular in the environment of a device and/or installation controller
CN109428867A (en) * 2017-08-30 2019-03-05 华为技术有限公司 A kind of message encipher-decipher method, network equipment and system
CN109428867B (en) * 2017-08-30 2020-08-25 华为技术有限公司 Message encryption and decryption method, network equipment and system
US11153757B2 (en) 2018-01-19 2021-10-19 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method for instructing user equipment to obtain key, user equipment and network device
CN109547471A (en) * 2018-12-24 2019-03-29 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Network communication method and device
CN110198214A (en) * 2019-06-02 2019-09-03 四川虹微技术有限公司 Identity generation method, verification method and device
CN110198214B (en) * 2019-06-02 2022-02-22 四川虹微技术有限公司 Identity generation method, identity verification method and identity verification device
CN110198320A (en) * 2019-06-03 2019-09-03 江苏恒宝智能系统技术有限公司 A kind of ciphered information transmission method
CN110198320B (en) * 2019-06-03 2021-10-26 恒宝股份有限公司 Encrypted information transmission method and system
CN110098931A (en) * 2019-06-05 2019-08-06 浙江汇信科技有限公司 Data transmission method based on trusted " government and enterprises' connection connects " platform
CN110098931B (en) * 2019-06-05 2020-04-24 浙江汇信科技有限公司 Data transmission method based on trusted 'government-enterprise connection' platform
CN113517980A (en) * 2020-04-09 2021-10-19 中国移动通信有限公司研究院 Key processing method, device and storage medium
CN113132944A (en) * 2021-04-22 2021-07-16 上海银基信息安全技术股份有限公司 Multi-channel secure communication method, device, vehicle end, equipment end and medium
CN113132944B (en) * 2021-04-22 2023-10-20 上海银基信息安全技术股份有限公司 Multi-path secure communication method, device, vehicle end, equipment end and medium
CN114978679A (en) * 2022-05-18 2022-08-30 深圳市乐凡信息科技有限公司 Tablet-based online examination method and related equipment
CN114978679B (en) * 2022-05-18 2024-05-31 深圳市乐凡信息科技有限公司 Online examination method based on flat plate and related equipment

Also Published As

Publication number Publication date
CN106788989B (en) 2020-01-21

Similar Documents

Publication Publication Date Title
CN106788989A (en) A kind of method and apparatus for setting up safe encryption channel
CN110380852B (en) Bidirectional authentication method and communication system
JP5579872B2 (en) Secure multiple UIM authentication and key exchange
US8291231B2 (en) Common key setting method, relay apparatus, and program
CN103118027B (en) The method of TLS passage is set up based on the close algorithm of state
EP2950506B1 (en) Method and system for establishing a secure communication channel
AU2011309758B2 (en) Mobile handset identification and communication authentication
EP2304636B1 (en) Mobile device assisted secure computer network communications
CA2694500C (en) Method and system for secure communication
US8738898B2 (en) Provision of secure communications connection using third party authentication
EP2204008B1 (en) Credential provisioning
WO2019079356A1 (en) Authentication token with client key
EP1976322A1 (en) An authentication method
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
AU2003202511A1 (en) Methods for authenticating potential members invited to join a group
US8458468B2 (en) Method and system for protecting information exchanged during communication between users
US20070266236A1 (en) Secure network and method of operation
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN111131416A (en) Business service providing method and device, storage medium and electronic device
KR20110083886A (en) Apparatus and method for other portable terminal authentication in portable terminal
CN110912686A (en) Secure channel key negotiation method and system
CN113411187A (en) Identity authentication method and system, storage medium and processor
ES2926968T3 (en) A first entity, a second entity, an intermediate node, methods for establishing a secure session between a first and a second entity, and software products
CN113422753B (en) Data processing method, device, electronic equipment and computer storage medium
CN110417722A (en) A kind of business datum communication means, communication equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant