CN107094156B - Secure communication method and system based on P2P mode - Google Patents


Info

Publication number: CN107094156B
Authority: CN (China)
Prior art keywords: certificate, communication, data, encryption, key
Legal status: Active (Google's status listing is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201710473340.XA
Other languages: Chinese (zh)
Other versions: CN107094156A (en)
Inventors: 郭迎春, 喻波, 王志海, 王志华, 秦凯
Current assignee: Beijing Wondersoft Technology Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Wondersoft Technology Co Ltd
Events: application filed by Beijing Wondersoft Technology Co Ltd; priority to CN201710473340.XA; publication of CN107094156A; application granted; publication of CN107094156B; legal status Active; anticipated expiration

Classifications

All codes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/06 ... for supporting key management in a packet data network
            • H04L63/062 ... for key distribution, e.g. centrally by trusted party
        • H04L63/08 ... for authentication of entities
            • H04L63/0823 ... using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/104 Peer-to-peer [P2P] networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3247 ... involving digital signatures
            • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a secure communication method and system based on the P2P mode. The method comprises the following steps: separating P2P communication data from ordinary traffic data; requesting the P2P encryption public key of the opposite-end (peer) client from the security capability center; generating a random key and encrypting the P2P communication data to be sent to the peer client with it; encrypting the random key with the peer client's encryption public key; signing the combined data with the local client's signature private key, the combined data comprising the encrypted P2P communication data and the random key; and sending the signed combined data to the peer client. The scheme provides secure point-to-point communication between users.

Description

Secure communication method and system based on P2P mode
Technical Field
The invention relates to the field of information security, and in particular to a secure communication method and system based on the P2P mode.
Background
In the "Internet+" era the mobile internet keeps deepening, and the mobile smart terminal is no longer only a communication and entertainment tool: it also drives the rapid development of mobile government, mobile law enforcement, mobile office work, mobile e-commerce and the like.
Android, the mobile operating system with the largest smartphone market share, has a user base of hundreds of millions, but because its source code is open, system vulnerabilities are extremely widespread. Information security incidents on mobile terminals occur frequently, and mobile information security has become a focus of public attention.
The traditional way of protecting personal information on an Android phone is to avoid browsing sensitive websites and to install various antivirus products. This only secures the phone's operating system within a certain range; how to keep the phone secure during communication as well remains a difficult problem.
Disclosure of Invention
To solve the above technical problem, the present invention provides a secure communication method based on the P2P mode, comprising the following steps:
1) separating P2P communication data from non-P2P communication data;
2) requesting the P2P encryption public key of the opposite-end (peer) client from the security capability center;
3) generating a random key and encrypting the P2P communication data to be sent to the peer client with it;
4) encrypting the random key with the peer client's encryption public key;
5) signing the combined data with the local client's signature private key, the combined data comprising the P2P communication data and the random key in unencrypted form;
6) sending the signed combined data, the encrypted P2P communication data and the encrypted random key to the peer client.
According to an embodiment of the present invention, the P2P communication data preferably includes instant messaging data, file transfer data and voice communication data.
According to an embodiment of the present invention, before step 1) the method further includes:
a) the local client applies to the security capability center, in encrypted form, to activate (open) a TF card;
b) the security capability center decrypts the application information, sends it to the CA center and instructs the CA center to generate a certificate;
c) the CA center generates a certificate according to the application information and returns it to the security capability center;
d) the security capability center sends the certificate to the card activation tool according to the application information;
e) the card activation tool writes the certificate into the TF card.
According to an embodiment of the present invention, step a) preferably includes:
a.1) the local client downloads the encryption public key of the security capability center;
a.2) the local client encrypts the application information and the time information with that public key, and signs the application information and the time information with the private key of its own signature certificate.
According to an embodiment of the present invention, step b) preferably includes:
b.1) the security capability center queries its database for the local client's signature public key;
b.2) the security capability center decrypts with its own encryption private key to obtain the local client's application information and time information, and verifies the signature over them;
b.3) the security capability center determines the information to return according to the decrypted application time information.
According to an embodiment of the present invention, the local client preferably includes a TF card, and the TF card contains an encryption/decryption certificate and a signature certificate bound to the user's identity; the encryption/decryption certificate, the signature certificate and the user information are also stored in the security capability center.
To solve the above technical problem, the present invention provides a secure communication system based on the P2P mode, comprising:
at least two communication terminals (together with a security module and a data processing module), each communication terminal using a hardware encryption TF card packaged as a security capability SDK (software development kit) that provides user login authentication, key agreement, certificate retrieval, hardware encryption and decryption, signing, key generation, random number generation and TF card formatting to upper-layer security applications;
a security capability center responsible for activating and managing TF cards, managing logs and issuing certificates, and cooperating with the communication terminals to complete the encryption services: TF card service activation, self-check reporting, login authentication, communication key application, peer certificate application, file encryption and certificate validity verification;
a CA center that receives applications from the security capability center and sends the applied-for certificate to the security capability center when the application passes verification; and
a communication service module that provides communication encryption and decryption services between the communication terminals.
According to an embodiment of the present invention, the security capability center preferably issues the certificate with a card activation tool; if issuance succeeds, the TF card of the user's communication terminal holds a certificate bound to the user's identity, and the certificate and user information are stored in the security capability center at the same time for query, encryption and decryption services.
According to an embodiment of the present invention, the certificates preferably comprise a security capability center certificate and a communication terminal certificate, each issued in two versions: an encryption/decryption certificate, used to encrypt and decrypt the communication data of the two parties so that it cannot be read by a third party, and a signature certificate, used to sign the communication data of the two parties so that each party can be sure the data it receives comes from a trusted terminal or system.
To solve the above technical problem, the present invention provides a communication terminal comprising a computer processing means and a computer storage medium storing computer instructions which, when executed by the computer processing means, perform one of the above methods.
The technical scheme of the invention achieves the following beneficial technical effects:
1) end-to-end encrypted communication is realized over a standard voice channel; no third-party service provider is needed to supply dedicated lines or operation and maintenance support, which avoids leaks caused by a service provider's intent or by weaknesses in its management or technology;
2) the voice channel is encrypted, the call is stable and the voice has no perceptible delay;
3) after the phone is lost, sensitive information, i.e. data such as the address book and the call records of specific contacts, can be erased by remote command.
Drawings
FIG. 1 is a system architecture diagram of the present invention;
FIG. 2 is a P2P communication relay framework diagram of the present invention;
FIG. 3 is a card issuing flow chart of the present invention;
FIG. 4 is a flow chart of the communication between the client and the security capability center according to the present invention;
FIG. 5 is a flow chart of the secure-messaging login of the present invention;
FIG. 6 is a flow chart of encrypted file transmission according to the present invention.
Detailed Description
The invention separates point-to-point (P2P) communication data (instant messaging, file transfer, voice calls) from ordinary traffic data (non-P2P communication data). The application software developed for the system marks the P2P data so that it is separated from ordinary internet traffic.
< Architecture of the system of the present invention >
Fig. 1 shows the system configuration of the present invention: the smart phone terminal (which may be any smart terminal with an operating system, such as an Android or iOS terminal; below, "client" has the same meaning as "smart terminal", and the terminal comprises an encryption TF card, a security SDK and an application client), the security capability center, the CA center (certificate authority) and the secure application service platform (also called the secure-messaging service platform, the secure-session service platform or the secure server). The secure-messaging application service platform is mainly responsible for account registration, login and logout, personal address book management, ordinary IM message communication management and secure-message communication management for the secure-messaging client and other security applications; it is the server-side management platform for the client security application software. Its functions may be implemented by a server alone, by a server together with a service database, or in the cloud.
The smart phone terminal packages its hardware encryption TF card as a security capability SDK that offers interfaces to upper-layer security applications, such as user login authentication, key agreement, certificate retrieval, hardware encryption and decryption, signing, key generation, random number generation and TF card formatting.
The security capability center (KMC) is mainly responsible for activating and managing TF cards, managing logs and issuing certificates, and cooperates with an encryption machine (hardware security module) to complete the encryption services: TF card service activation, self-check reporting, login authentication, communication key application, peer certificate application, file encryption, certificate validity verification and so on.
The invention adopts a standard PKI system; the CA server issues digital certificates in X.509 format. The certificates issued by the CA comprise the security capability center certificate and the mobile phone terminal certificate, and each is issued in two versions: a communication certificate (i.e. the encryption/decryption certificate) and an identity certificate (i.e. the signature certificate). The communication certificate is used to encrypt and decrypt communication data between phones and between a phone and the security capability center, so that the data cannot be read by a third party. The identity certificate is used to sign the communication data of both parties, so that each party can be sure the data it receives comes from a trusted terminal or platform.
The invention provides interfaces conforming to the PKCS #11 and "Guomu 2" (national cryptographic) standards, so that different users' preferences can be accommodated more easily. The system uses the SM1, SM2, SM3 and SM4 algorithms according to different requirements, guaranteeing security while allowing flexibility.
The point-to-point communication data in the system is transmitted over a P2P application framework, so the system does not depend on a dedicated centralized server. In a P2P structure each node (peer) usually acts at the same time as an information consumer, an information provider and an information relay. From a computing perspective, P2P breaks the traditional client/server (C/S) model: every node in the network has equal status, and each node acts as a server providing services to other nodes while also using the services the other nodes provide.
The existing internet contains middleboxes such as NATs and firewalls, so two clients that are not in the same intranet cannot communicate directly. Most middleboxes implement an asymmetric communication model: a host inside the intranet can initiate a connection outwards, but a host on the external network cannot initiate a connection into the intranet. Because intranet hosts hidden behind middleboxes are unreachable, P2P technology is needed to let hosts in different intranets communicate directly across NAT. The system adopts the relay-node form of P2P: a server with a public IP address relays and forwards the communication data of two clients in different intranets, as shown in FIG. 2. In the figure, client A and client B are each hidden behind their own NAT and cannot establish a direct connection, so each first establishes a link to server S, which has a public IP address; the data is then relayed over the paths the two clients have established with S.
The system supports encrypted transmission of data in many forms: text, pictures, files, audio and video, telephone speech and so on.
< Process flow of the present invention >
The customer first has to apply to the security capability center for card activation; the flow is shown in fig. 3:
1) verify the validity of the TF card;
2) the card activation tool applies to the security capability center for a certificate;
3) the CA center generates the certificate and returns it to the security capability center;
4) the security capability center transmits it to the card activation tool;
5) the card activation tool writes the certificate to the TF card.
The security capability center issues the certificate through the card activation tool. If issuance succeeds, the user's TF card contains an encryption certificate and a signature certificate bound to the user's identity, and the certificates and user information are stored in the security capability center for query, encryption and decryption services. The user thereby has an identity in the system of the invention.
After the certificate has been issued, the client applies to download keys through the flow of fig. 4.
The specific steps of fig. 4 are as follows:
Client:
1) the client downloads the encryption public key of the security capability center;
2) the client encrypts the application information and the time information with the security capability center's public key, and signs the application information and the time information with the private key of its own signature certificate.
Security capability center:
1) the security capability center queries its database for the client's signature public key;
2) the security capability center decrypts with its own decryption private key to obtain the client's application information and time information, and uses the client's signature public key to check that the signed data was sent by that client;
3) it judges from the decrypted time information whether the request has timed out; if so, it returns a timeout message, otherwise it queries the database and returns the requested information.
After the user enters the registered user name and password in the secure-messaging login interface of figure 5 and clicks the login button, the user name and password are sent by webService to the secure-messaging application service platform. The platform and the security capability center verify them together and return the login result; if login fails, the user is shown an error message and the login process ends. If login succeeds, the secure-messaging main interface is entered and login is complete. The detailed flow is shown in figure 5.
secID: the unique ID of the user; pubc/pric: the user's public/private key; pubs/pris: the public/private key of the security capability center.
Step 1: the secure-messaging client sends a login request to the secure-messaging application service platform (secure-messaging server). The request packet contains: secID, pubs-encrypted data (secID, 16-bit random number, current time) and pric-signed data (secID, 16-bit random number, timestamp). Here the secure-messaging client and the secure-messaging terminal are the same as the mobile smart terminal mentioned above; both refer to a smart terminal with an operating system.
For each login of a client, the random number here and the random numbers appearing in the later steps are the same random number, which guarantees that the login is unique and secure. For example, if the user clicks login twice in a row, neither the server nor the client could otherwise tell the two logins apart; the generated random number distinguishes them. The random number is produced by a random number generation algorithm and is hard to forge, which increases the security of the system.
Step 2: the secure-messaging application service platform queries, by secID, whether the corresponding service status is available.
Step 3: if it is available, the platform forwards the request; the forwarded packet contains the pubs-encrypted data (secID, 16-bit random number, current time) and the pric-signed data (secID, 16-bit random number, timestamp).
Step 4: the security capability center decrypts and verifies the forwarded packet, checking the user, the random number and the timestamp; if verification succeeds it generates a server timestamp.
Step 5: if decryption and verification succeed, the security capability center returns a packet containing: a security token, pubc-encrypted data (16-bit random number, server timestamp) and pris-signed data (16-bit random number, server timestamp).
Step 6: the secure-messaging application service platform generates a service token from the returned data.
Step 7: after successfully verifying the returned data, the secure-messaging application service platform returns a packet to the secure-messaging client containing: the service token, the security token, the pubc-encrypted data (16-bit random number, server timestamp) and the pris-signed data (16-bit random number, server timestamp).
Step 8: the secure-messaging client decrypts and verifies the signature, checks the random number and the server timestamp, and thereby completes the client's authentication of the server.
Step 9: the secure-messaging client logs in to the secure-messaging application service platform, carrying both the service token and the security token.
Step 10: the secure-messaging application service platform sends a request to the security capability center to verify the security token.
Step 11: the security capability center returns to the platform whether the verification succeeded.
Step 12: if the platform receives a successful verification result, the secure-messaging application service platform (secure-messaging server) allows the user to log in and establishes the connection.
Step 13: the secure-messaging application service platform (secure-messaging server) returns to the secure-messaging terminal whether login succeeded.
Whenever the client communicates with the security capability center or with another client, the data must be encrypted and decrypted, signed and signature-verified with the national cryptographic (SM) algorithms. Because the user's identity private key is stored only in the encryption TF card, the security of the data exchanged between the communicating parties can be ensured.
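The freshness checks of steps 4 and 8 above (user, random number, timestamp) and the timeout rule of the fig. 4 flow, written out as an added Go example; this is not code from the patent or from Beijing Wondersoft. It leaves out the pubs/pris/pubc/pric encryption and signature operations and works on the already decrypted and signature-verified fields. The five-minute window, the 16-character length taken for the "16-bit random number", the identifiers (`Verifier`, `LoginRequest`, `user01`) and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)
// One sentinel per outcome the page names: the "timeout message" (Fig. 4
// step 3, Fig. 5 step 4) and the user, random number and timestamp checks.
var (
	ErrUnknownUser   = errors.New("secID has no certificate on file")
	ErrTimeout       = errors.New("timestamp outside the allowed window")
	ErrBadNonce      = errors.New("random number is not 16 characters")
	ErrReplay        = errors.New("random number already used by this secID")
	ErrNonceMismatch = errors.New("server echoed a different random number")
)
// LoginRequest is the step-1 content after the security capability center has
// decrypted it with pris and verified the pric signature (not shown here).
type LoginRequest struct {
	SecID     string
	Nonce     string    // the page's "16-bit random number"; 16 characters here (assumption)
	Timestamp time.Time // the client's "current time"
}
// LoginResponse is the step-5 content the center encrypts with pubc and signs
// with pris: the same random number plus the server timestamp.
type LoginResponse struct {
	Nonce      string
	ServerTime time.Time
}

// Verifier is the security capability center's freshness state.
type Verifier struct {
	MaxSkew time.Duration                   // how far a client clock may be off
	known   map[string]bool                 // secIDs with a certificate on file
	seen    map[string]map[string]time.Time // secID -> nonce -> request timestamp
}

func NewVerifier(maxSkew time.Duration, users []string) *Verifier {
	v := &Verifier{MaxSkew: maxSkew, known: map[string]bool{}, seen: map[string]map[string]time.Time{}}
	for _, u := range users {
		v.known[u] = true
	}
	return v
}

// Check is step 4: user, then timestamp window, then nonce uniqueness. Nonces
// are kept exactly as long as the timestamp check would still accept them, so a
// replay is rejected either by the cache or by its age, never accepted.
func (v *Verifier) Check(req LoginRequest, now time.Time) error {
	if !v.known[req.SecID] {
		return ErrUnknownUser
	}
	if age := now.Sub(req.Timestamp); age > v.MaxSkew || age < -v.MaxSkew {
		return ErrTimeout
	}
	if len(req.Nonce) != 16 {
		return ErrBadNonce
	}
	nonces := v.seen[req.SecID]
	if nonces == nil {
		nonces = map[string]time.Time{}
		v.seen[req.SecID] = nonces
	}
	for n, ts := range nonces { // purge entries whose timestamp is already too old
		if now.Sub(ts) > v.MaxSkew {
			delete(nonces, n)
		}
	}
	if _, dup := nonces[req.Nonce]; dup {
		return ErrReplay
	}
	nonces[req.Nonce] = req.Timestamp
	return nil
}

// Respond is step 5: echo the client's random number with a server timestamp.
func (v *Verifier) Respond(req LoginRequest, now time.Time) LoginResponse {
	return LoginResponse{Nonce: req.Nonce, ServerTime: now}
}

// CheckResponse is the client's step 8: the echoed random number must be the
// one it generated for this login and the server timestamp must be fresh.
func CheckResponse(resp LoginResponse, myNonce string, now time.Time, maxSkew time.Duration) error {
	if resp.Nonce != myNonce {
		return ErrNonceMismatch
	}
	if age := now.Sub(resp.ServerTime); age > maxSkew || age < -maxSkew {
		return ErrTimeout
	}
	return nil
}

func main() {
	v := NewVerifier(5*time.Minute, []string{"user01"})
	now := time.Now()
	req := LoginRequest{SecID: "user01", Nonce: "0123456789abcdef", Timestamp: now}
	fmt.Println("first login:", v.Check(req, now), "| replay:", v.Check(req, now.Add(time.Second)))
}
```

The order of the checks matters: the timestamp window is tested before the nonce cache, and the cache is purged on the same condition the window uses, so the cache stays bounded by the number of logins per window without opening a gap in which an old request could be replayed.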
After receiving a successful login result, the client (trusted terminal) can transmit data securely with the corresponding keys through the flow of fig. 6, thereby realizing encrypted communication.
The encrypted file transmission flow of fig. 6 is as follows:
Client A:
1) requests the encryption public key of client B from the security capability center;
2) generates a random key and encrypts the file to be sent to client B with it (SM1 algorithm);
3) encrypts the random key with the encryption public key of client B (SM2 algorithm);
4) signs the combined data to be sent to client B with its own signature private key (the SM2 signature is over the plaintext key and file), and can then send it to client B.
Client B:
1) requests the signature public key of client A from the security capability center;
2) decrypts the random key with its own encryption private key (SM2 algorithm) and decrypts the file with the random key (SM1 algorithm);
3) verifies the signed data with the signature public key of client A (SM2 algorithm); because the signature is over the plaintext, this check can only be made after step 2).
The system of the invention uses the national asymmetric encryption algorithm. In asymmetric encryption there are two keys, an encryption private key and an encryption public key: the private key is held by its owner and never published, while the public key is published by the owner to others. The encryption private key and the signature private key are stored in the encryption TF card or the encryption machine and are never disclosed; the encryption public key and the signature public key are stored in the database of the security capability center, where either communicating party can query them.
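The fig. 6 exchange between client A and client B, both sides, as an added Go example; this is not code from the patent or from Beijing Wondersoft. Go's standard library has no SM1/SM2 implementation, so the example substitutes AES-256-GCM for SM1 as the random-key cipher, RSA-OAEP for the SM2 public-key encryption of that key and Ed25519 for the SM2 signature; the security capability center's key lookup is a map, the GCM nonce is needed only by the stand-in cipher, and binding the sender ID into the ciphertext as associated data is an addition. Everything else follows the listed steps, including the consequence of signing the plaintext: B has to decrypt before it can verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)
// PublicKeys is one directory entry at the security capability center: the public halves of a client's two certificates.
type PublicKeys struct {
	Enc *rsa.PublicKey    // stand-in for the SM2 encryption public key
	Sig ed25519.PublicKey // stand-in for the SM2 signature public key
}
// Client holds the private halves, which on the page live only in the TF card.
type Client struct {
	ID      string
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
}
// Envelope is what client A sends to client B.
type Envelope struct {
	SenderID   string
	WrappedKey []byte // random key encrypted under B's encryption public key
	Nonce      []byte // GCM nonce, needed by the stand-in cipher (not on the page)
	Ciphertext []byte // file encrypted under the random key
	Signature  []byte // A's signature over the plaintext key and file
}
// NewClient generates both key pairs and registers the public halves in dir.
func NewClient(id string, dir map[string]PublicKeys) (*Client, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dir[id] = PublicKeys{Enc: &encPriv.PublicKey, Sig: sigPub}
	return &Client{ID: id, encPriv: encPriv, sigPriv: sigPriv}, nil
}
// Send is client A's side of Fig. 6 (steps 1-4). The signature is over the plaintext key and file, as on the page.
func (a *Client) Send(dir map[string]PublicKeys, peerID string, file []byte) (*Envelope, error) {
	peer, ok := dir[peerID] // 1) B's public keys from the center
	if !ok {
		return nil, errors.New("peer not registered: " + peerID)
	}
	buf := make([]byte, 32+12) // 2) random session key plus a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	ciphertext := aead.Seal(nil, nonce, file, []byte(a.ID)) // sender ID bound as AAD (addition)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer.Enc, key, nil) // 3) wrap the key for B
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(a.sigPriv, append(append([]byte{}, key...), file...)) // 4) key is 32 bytes, so key||file is unambiguous
	return &Envelope{SenderID: a.ID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}
// Receive is client B's side (steps 1-3). Because the signature covers the plaintext, B must decrypt before it can verify.
func (b *Client) Receive(dir map[string]PublicKeys, env *Envelope) ([]byte, error) {
	sender, ok := dir[env.SenderID] // 1) A's signature public key from the center
	if !ok {
		return nil, errors.New("sender not registered: " + env.SenderID)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, b.encPriv, env.WrappedKey, nil) // 2) unwrap the random key
	if err != nil || len(key) != 32 {
		return nil, errors.New("key unwrap failed")
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if len(env.Nonce) != aead.NonceSize() { // Open panics on a wrong-length nonce, so reject it first
		return nil, errors.New("bad nonce length")
	}
	file, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.SenderID)) // decrypt the file
	if err != nil {
		return nil, errors.New("file decryption failed")
	}
	if !ed25519.Verify(sender.Sig, append(append([]byte{}, key...), file...), env.Signature) { // 3) verify A's signature
		return nil, errors.New("signature verification failed")
	}
	return file, nil
}

func main() {
	dir := map[string]PublicKeys{}
	a, _ := NewClient("A", dir)
	b, _ := NewClient("B", dir)
	env, _ := a.Send(dir, "B", []byte("constructed sample file"))
	file, err := b.Receive(dir, env)
	fmt.Printf("%q %v\n", file, err)
}
```

Receive reports every failure (unknown sender, key unwrap, file decryption, signature) as an error and returns no partial data, so a caller can never act on a file whose signature has not been checked; with an unauthenticated cipher in place of GCM, the signature check in step 3 would be the only integrity protection and would still only run after decryption.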
DETAILED DESCRIPTION OF EMBODIMENT(S) OF INVENTION
A commercial-grade secure communication service system for a telecommunications operator is built on the invention. A mobile phone terminal customized for the customer, with a built-in security encryption chip certified by the national cryptographic authority, uses commercial cryptography and information security technology to give the customer commercial-grade end-to-end encryption of mobile voice calls and thus prevents eavesdropping.
Implementing the technical scheme of the invention achieves the following technical effects.
1. State commercial cryptography (SM) certification and more secure voice encryption: high-strength algorithms such as the SM1 symmetric encryption/decryption algorithm and the SM2 asymmetric algorithm are adopted.
2. End-to-end encryption throughout and one key per session: ciphertext is transmitted end to end over the whole path, and a random key is generated so that each call uses its own key.
3. End-to-end encrypted communication is realized over a standard voice channel; no third-party service provider is needed to supply dedicated lines or operation and maintenance support, which avoids leaks caused by a service provider's intent or by weaknesses in its management or technology.
4. The voice channel is encrypted, the call is stable and the voice has no perceptible delay.
5. After the phone is lost, sensitive information, i.e. data such as the address book and the call records of specific contacts, can be erased by remote command.
The above description concerns only the preferred embodiments of the present invention and is not intended to limit its scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A secure communication method based on a P2P mode, comprising the following steps:
1) separating P2P communication data from non-P2P communication data;
2) requesting the P2P encryption public key of the communication peer client from the security capability center;
3) generating a random key and encrypting the P2P communication data to be sent to the peer client with it;
4) encrypting the random key with the encryption public key of the peer client;
5) signing combined data with the private signature key of the local client, the combined data comprising the unencrypted P2P communication data and the unencrypted random key;
6) sending the signature over the combined data, the encrypted P2P communication data and the encrypted random key to the peer client.
2. The method of claim 1, wherein the P2P communication data comprises instant messaging data, file transfer data and voice communication data.
3. The method of claim 1, further comprising, before step 1):
a) the local client applies to the security capability center, in encrypted form, to open (activate) a TF card;
b) the security capability center decrypts the application information, forwards it to the certificate authority and asks it to generate a certificate;
c) the certificate authority generates a certificate from the application information and returns it to the security capability center;
d) the security capability center sends the certificate to the card-opening tool indicated by the application information;
e) the card-opening tool writes the certificate into the TF card.
4. The method of claim 3, wherein step a) comprises:
a.1) the local client downloads and obtains the encryption public key of the security capability center;
a.2) the local client encrypts the application information and the time information with that encryption public key, and signs the application information and the time information with the private key of its own signature certificate.
5. The method of claim 3 or 4, wherein step b) comprises:
b.1) the security capability center queries its database to obtain the signature public key of the local client;
b.2) the security capability center decrypts the message with its own encryption private key to obtain the local client's application information and time information, and verifies the signature over them;
b.3) the security capability center decides what to return according to the decrypted application time information.
6. The method of claim 1, wherein the local client comprises a TF card, the TF card holding an encryption/decryption certificate and a signature certificate that are bound to the user identity, and the encryption/decryption certificate, the signature certificate and the user information being stored in the security capability center.
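The card-opening exchange of claims 4 and 5 (steps a.2 and b.1 to b.3), as an added example in Go that is not code from the patent or its applicant. It assumes RSA-OAEP and RSA-PSS in place of the SM2 encryption and signature the patent's certificates would use, an in-memory map for the center's database, and a concrete reading of b.3 that the patent leaves open: the application time must lie within a skew window around the center's clock and be newer than the last time accepted from that client, so that a captured application cannot be replayed to open a second card. Where the client key pair is generated is also a simplification; identifiers such as user-0001 and the request text are constructed.

```go
package main

// Added example, not code from the patent: the card-opening request of claims 4 and 5
// in Go's standard library. ASSUMPTIONS: RSA-OAEP/RSA-PSS stand in for SM2; the
// database of claim 5 b.1 is a map; the time rule of b.3 is a skew window plus a per-client high-water mark.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// CardApplication is the message of claim 4 a.2: application info and time,
// encrypted to the center's encryption public key and signed by the client.
type CardApplication struct {
	ClientID   string // lets the center look up the client's signing public key (b.1)
	Ciphertext []byte // OAEP(8-byte unix time || application info) under the center's key
	Signature  []byte // PSS signature over the same plaintext with the client's signature key
}

// BuildApplication is the client side. Time plus appInfo must fit one OAEP block
// (190 bytes for RSA-2048 with SHA-256), which a short card request does.
func BuildApplication(clientID string, clientSign *rsa.PrivateKey, centerEncPub *rsa.PublicKey, appInfo []byte, nowUnix int64) (*CardApplication, error) {
	plain := make([]byte, 8, 8+len(appInfo))
	binary.BigEndian.PutUint64(plain, uint64(nowUnix))
	plain = append(plain, appInfo...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, centerEncPub, plain, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(plain)
	sig, err := rsa.SignPSS(rand.Reader, clientSign, crypto.SHA256, h[:], nil)
	return &CardApplication{ClientID: clientID, Ciphertext: ct, Signature: sig}, err
}

// Center is the security capability center: its decryption key, the registry of
// client signing keys, the tolerated clock skew in seconds, and the newest time
// already accepted per client, so a captured application cannot be replayed.
type Center struct {
	Enc      *rsa.PrivateKey
	Registry map[string]*rsa.PublicKey
	MaxSkew  int64
	lastSeen map[string]int64
}

func NewCenter(maxSkew int64) (*Center, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Center{Enc: k, Registry: map[string]*rsa.PublicKey{}, MaxSkew: maxSkew, lastSeen: map[string]int64{}}, err
}

// Enroll puts a client's signing public key on file (claim 6 stores the signature
// certificate in the center); generating the key pair here is a simplification.
func (c *Center) Enroll(clientID string) (*rsa.PrivateKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		c.Registry[clientID] = &k.PublicKey
	}
	return k, err
}

// Verify is claim 5 b.1 to b.3: look up the signer, decrypt, check the signature,
// then judge the application time. appInfo is returned only if every step passes.
func (c *Center) Verify(app *CardApplication, nowUnix int64) ([]byte, error) {
	pub, ok := c.Registry[app.ClientID]
	if !ok {
		return nil, errors.New("unknown client: no signature certificate on file")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Enc, app.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("application is not encrypted to this center")
	}
	h := sha256.Sum256(plain)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], app.Signature, nil); err != nil {
		return nil, errors.New("signature does not match the client's signature certificate")
	}
	if len(plain) < 8 {
		return nil, errors.New("malformed application: missing time field")
	}
	ts := int64(binary.BigEndian.Uint64(plain[:8]))
	if d := nowUnix - ts; d > c.MaxSkew || d < -c.MaxSkew {
		return nil, fmt.Errorf("application time %d is outside %ds of %d", ts, c.MaxSkew, nowUnix)
	}
	if ts <= c.lastSeen[app.ClientID] {
		return nil, errors.New("application time not newer than the last accepted one: replay")
	}
	c.lastSeen[app.ClientID] = ts
	return plain[8:], nil
}

func main() { // constructed demo; in the patent the client key lives on the TF card
	center, _ := NewCenter(300)
	clientSign, _ := center.Enroll("user-0001")
	app, _ := BuildApplication("user-0001", clientSign, &center.Enc.PublicKey, []byte("constructed card request"), 1700000000)
	fmt.Println(center.Verify(app, 1700000010))
}
```

Decryption has to come before the signature check because the signature is over the plaintext (b.2), so the center spends a private-key operation on every request before it knows who sent it; that is a reason to keep the ClientID lookup of b.1 first, so that senders with no certificate on file are dropped cheaply.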
7. A secure communication system based on a P2P mode, the system comprising:
at least two communication terminals, a security module and a data processing module, wherein each communication terminal uses a hardware-encryption TF card whose functions are packaged as a security capability SDK (software development kit) providing user login authentication, key agreement, certificate acquisition, hardware encryption and decryption, signing, key generation, random number generation and TF card formatting to upper-layer security applications;
a security capability center, responsible for opening and managing TF cards, managing logs and issuing certificates, which works with the communication terminals to complete the encryption services: TF card service opening, self-check reporting, login authentication, communication key application, peer certificate application, file encryption and certificate validity verification;
a certificate authority, which receives applications from the security capability center and, when an application passes verification, sends the requested certificate to the security capability center;
a communication service module, which provides the communication encryption and decryption services between the communication terminals;
wherein the local terminal separates P2P communication data from non-P2P communication data, requests the encryption public key of the P2P communication peer client from the security capability center, generates a random key, encrypts the P2P communication data to be sent to the peer client with it,
encrypts the random key with the encryption public key of the peer client, signs combined data comprising the unencrypted P2P communication data and random key with the private signature key of the local client, and sends the signature over the combined data, the encrypted P2P communication data and the encrypted random key to the peer client.
8. The system of claim 7, wherein the security capability center issues the certificate through a card-opening tool; once issuance succeeds, the TF card of the user's communication terminal holds a certificate bound to the user identity, and the certificate and the user information are stored in the security capability center to serve query, encryption and decryption requests.
9. The system of claim 7, wherein the certificates comprise the certificate of the security capability center and the certificate of the communication terminal, each of which comes in two forms: an encryption/decryption certificate, used to encrypt and decrypt the communication data of the two parties so that a third party cannot steal it, and a signature certificate, used to sign the communication data of the two parties so that each can be sure the data it receives comes from a trusted terminal or system.
10. A communication terminal comprising computer processing means and a computer storage medium storing computer instructions which, when executed by the computer processing means, perform the method of any one of claims 1 to 6.
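The per-message flow of claims 1 and 7 (steps 3 to 6), as an added example in Go that is not code from the patent or its applicant. AES-256-GCM, RSA-OAEP and RSA-PSS stand in for the SM1 and SM2 algorithms the patent names, the peer's encryption public key is taken as already fetched from the security capability center (step 2), and the signed combined data of step 5 travels as a signature value, since sending the combined data itself would expose the plaintext. The message text and the two identities are constructed.

```go
package main

// Added example, not code from the patent: the per-message envelope of claims 1
// and 7 in Go's standard library. ASSUMPTION: RSA-OAEP key wrapping, RSA-PSS
// signatures and AES-256-GCM stand in for the SM2/SM1 algorithms the patent names.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what step 6 of claim 1 puts on the wire.
type Envelope struct {
	Nonce, Ciphertext []byte // step 3: P2P data under the random key
	WrappedKey        []byte // step 4: random key under the peer's encryption public key
	Signature         []byte // step 5: over the unencrypted data and the random key
}

func genKey() *rsa.PrivateKey { // demo keys; in the patent they live in the TF card's certificates
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// digest length-prefixes data and key so "data || key" cannot be re-split into another pair.
func digest(data, key []byte) []byte {
	h := sha256.New()
	for _, p := range [][]byte{data, key} {
		fmt.Fprintf(h, "%d:", len(p))
		h.Write(p)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealP2P runs steps 3 to 5 for data already classified as P2P traffic (step 1).
// localSign belongs to the sender's signature certificate; peerEncPub is the peer's
// encryption certificate key fetched from the security capability center (step 2).
func SealP2P(localSign *rsa.PrivateKey, peerEncPub *rsa.PublicKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit random key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerEncPub, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, localSign, crypto.SHA256, digest(data, key), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil),
		WrappedKey: wrapped, Signature: sig}, nil
}

// OpenP2P is the peer side; the signature covers plaintext, so it is checked only after decryption.
func OpenP2P(localEnc *rsa.PrivateKey, peerSignPub *rsa.PublicKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, localEnc, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("random key is not encrypted to this client: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad nonce length %d", len(e.Nonce))
	}
	data, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	if err := rsa.VerifyPSS(peerSignPub, crypto.SHA256, digest(data, key), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not match the peer's signing certificate: %w", err)
	}
	return data, nil
}

func main() { // constructed demo identities
	aliceSign, bobEnc := genKey(), genKey()
	env, _ := SealP2P(aliceSign, &bobEnc.PublicKey, []byte("constructed instant message"))
	fmt.Println(OpenP2P(bobEnc, &aliceSign.PublicKey, env))
}
```

Two properties of this design are worth seeing in code. Because the signature is computed over the plaintext together with the random key, an eavesdropper holding the signature cannot test a guess at a short message: the 256-bit key is part of the signed input. For the same reason the receiver can only verify the signature after it has unwrapped the key and decrypted, so the AEAD tag is what rejects tampered ciphertext before any plaintext is handed on, and the signature then establishes who sent it.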

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710473340.XA CN107094156B (en) 2017-06-21 2017-06-21 Secure communication method and system based on P2P mode


Publications (2)

Publication Number Publication Date
CN107094156A CN107094156A (en) 2017-08-25
CN107094156B true CN107094156B (en) 2020-02-28

Family

ID=59639513


Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107493294B (en) * 2017-09-04 2020-08-21 上海润欣科技股份有限公司 Secure access and management control method for OCF devices based on an asymmetric encryption algorithm
CN109361508B (en) * 2018-10-11 2022-11-18 联洋国融(北京)科技有限公司 Data transmission method, electronic device and computer readable storage medium
CN109361512A (en) * 2018-10-11 2019-02-19 深圳市捷恩斯威科技有限公司 Data transmission method
CN111030827A (en) * 2019-12-06 2020-04-17 深圳乐信软件技术有限公司 Information interaction method and device, electronic equipment and storage medium
CN111538973A (en) * 2020-03-26 2020-08-14 成都云巢智联科技有限公司 Personal authorization access control system based on state cryptographic algorithm
CN111931158A (en) * 2020-08-10 2020-11-13 深圳大趋智能科技有限公司 Bidirectional authentication method, terminal and server
CN114844713A (en) * 2022-05-23 2022-08-02 贵州大学 Video stream encryption method based on the national cryptographic (SM) algorithms, and related equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070029864A (en) * 2005-09-09 2007-03-15 삼성전자주식회사 Method and apparatus for securely transmitting and receiving data one-to-one
CN101741903B (en) * 2009-11-20 2012-08-15 北京工业大学 Group-based trust data management method in mobile P2P network
CN101707611A (en) * 2009-11-20 2010-05-12 北京工业大学 Safe and effective privacy protection method of P2P system
CN102111411A (en) * 2011-01-21 2011-06-29 南京信息工程大学 Method for switching encryption safety data among peer-to-peer user nodes in P2P network
CN102868709B (en) * 2011-07-04 2016-01-20 中国移动通信集团公司 Certificate management method and device based on P2P
CN106470201A (en) * 2015-08-21 2017-03-01 中兴通讯股份有限公司 User authentication method and device
US10057225B1 (en) * 2016-12-29 2018-08-21 Wells Fargo Bank, N.A. Wireless peer to peer mobile wallet connections


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant