CN107733635A - Data safe transmission method based on gateway - Google Patents
- Publication number
- CN107733635A (application CN201711227460.8A)
- Authority
- CN
- China
- Prior art keywords
- security gateway
- side security
- gateway
- server
- hasha
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Abstract
The present invention relates to the field of secure information transmission and discloses a gateway-based secure data transmission method that achieves secure data transmission without changing the existing architecture or affecting existing services. In the present invention, secure transmission is achieved by deploying security gateways in front of the service server and at the entrance of the home network. When data is transmitted, the terminal-side security gateway and the service-server-side security gateway first negotiate a session key; the sending end then adds transmission time information to the outgoing packet, signs it (the transmission time is part of the signed data), encrypts it with the session key and sends it to the receiving end. After receiving the packet, the receiving end decrypts it with the session key, verifies the transmission time information and, once that check passes, verifies the signature.
Description
Technical field
The present invention relates to the field of secure information transmission, and in particular to a gateway-based secure data transmission method.
Background art
With the gradual development of the Internet of Things, more and more smart appliances and household devices are entering people's homes, and the quality of life is improving along with science and technology. But the accompanying security problems are also gradually coming to light and growing in severity, leaving people's personal information in a dangerous state.
Because of the limited resources of the terminal devices themselves, secure transmission is often not used at all during transmission, or only weak algorithms are used, so that the information transmitted can easily be intercepted. This leads to the exposure of personal information and to the user's own smart devices being maliciously manipulated, among other harmful consequences.
Summary of the invention
The technical problem to be solved by the present invention is to propose a gateway-based secure data transmission method that achieves secure data transmission without changing the existing architecture or affecting existing services.
The technical solution adopted by the present invention to solve the above technical problem is:
A gateway-based secure data transmission method, applied in a secure data transmission system comprising a terminal-side security gateway, a service-server-side security gateway, a time server and a CA server. The terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and support a symmetric encryption algorithm, an asymmetric encryption algorithm and a one-way hash algorithm. The method comprises the following steps:
a. A session key is established between the terminal-side security gateway and the server-side security gateway.
b. When the terminal or the server acts as the sending end and sends an HTTP protocol packet, the processing comprises steps b1-b4:
b1. Obtain the current time value from the time server, then write it into the HTTP header as a header field named time whose value is the obtained current time value; the result is denoted HTTPAT.
b2. Apply the one-way hash function to HTTPAT to generate the value hashA.
b3. Encrypt hashA with the sending end's private key to generate enhashA, then write a header field named sign whose value is enhashA into the HTTP header; the result is denoted HTTPAS.
b4. Encrypt HTTPAS with the session key established in step a to generate HTTPAD, then send it to the receiving end.
c. When the server or the terminal acts as the receiving end and receives an HTTP protocol packet, the processing comprises steps c1-c7:
c1. Decrypt HTTPAD with the session key to obtain HTTPAS.
c2. Obtain the sending end's transmission time value from the HTTPAS header.
c3. Obtain the current time from the time server and compare it with the sending end's transmission time value, judging whether the difference is within the threshold range. If so, proceed to step c4; otherwise, discard the packet and disconnect.
c4. Concatenate the sending end's public key and the transmission time, and use the result to judge whether the receiving end has already stored this packet. If so, discard the packet and disconnect; otherwise, store the packet and proceed to step c5.
c5. Delete from the HTTPAS header the field named sign whose value is enhashA, obtaining HTTPAT; then decrypt enhashA with the sending end's public key to obtain hashA.
c6. Apply the one-way hash function to HTTPAT to generate the value hashA'.
c7. Compare hashA' with the hashA from step c5. If they are equal, secure transmission is complete; otherwise, discard the packet and disconnect.
As a further optimization, step a specifically comprises:
a1. The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA server, and verify the certificate information with the CA server.
a2. The service-server-side security gateway generates a random key, encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key.
a3. The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key.
a4. The terminal-side security gateway sends a confirmation packet.
As a further optimization, in step c3 the threshold range is 3 minutes.
The beneficial effects of the invention are:
Certificates issued by a trusted CA and an Internet time server provide the basis for secure transmission. By deploying security gateways in front of the service server and at the entrance of the home network, secure transmission is achieved and the security of the system is strengthened without changing the existing architecture or affecting services.
Brief description of the drawings
Fig. 1 is a schematic diagram of the gateway deployment for achieving secure data transmission.
Detailed description of the embodiments
The present invention aims to propose a gateway-based secure data transmission method that achieves secure data transmission without changing the existing architecture or affecting existing services.
Before the present invention is implemented, security gateways must be deployed in front of the service server and at the entrance of the home network, as shown in Fig. 1. The terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and support a symmetric encryption algorithm (such as AES, used for ciphertext transmission), an asymmetric encryption algorithm (such as RSA, used for signing) and a one-way hash algorithm (such as SHA-256, used for information integrity).
After the gateways above have been deployed, the secure data transmission method comprises the following steps:
1) A session key is established between the terminal-side security gateway and the service-server-side security gateway using the CA certificates and the algorithms:
a) The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA, and verify the certificate information with the CA server.
b) The server-side security gateway generates a random key as the session key, encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key.
c) The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key.
d) The terminal-side security gateway sends a confirmation packet.
2) The end that sends an HTTP protocol packet uses the following processing:
a) Obtain the current time value from the time server and write it into the HTTP header as a header field named time whose value is the obtained time; the result is denoted HTTPAT.
b) Apply the one-way hash function to HTTPAT to generate the value hashA.
c) Encrypt hashA with the sending end's private key to generate enhashA, and write a header field named sign whose value is enhashA into the HTTP header; the result is denoted HTTPAS.
d) Encrypt HTTPAS with the session key from 1) to generate HTTPAD, then send it.
3) The receiving end uses the following processing:
a) Decrypt HTTPAD with the session key to obtain HTTPAS.
b) Obtain the time field and its value from the HTTPAS header.
c) Obtain the current time from the time server and compare it with the time value from b). If the difference is within the acceptable range (such as 3 minutes), proceed to the next step; otherwise, discard the packet and disconnect.
d) Concatenate the sending end's public key and the transmission time, and judge whether the receiving end has already received this packet. If so, discard this packet and disconnect; otherwise, store it and proceed to the next step.
e) Obtain from the HTTPAS header, and delete, the header field named sign whose value is enhashA, and decrypt enhashA with the sending end's public key to obtain hashA. The HTTP packet with the sign header deleted is the HTTPAT from 2) a).
f) Apply the one-way hash function to HTTPAT to generate the value hashA'.
g) Compare hashA' from f) with hashA from e). If they are equal, secure transmission is complete; otherwise, discard the data and disconnect.
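The three stages above (session key establishment in 1), sending in 2), receiving in 3)) in working form, as an added example that is not the patent's own code and not a product of the applicant. It fixes choices the patent leaves open: AES-256-GCM as the symmetric algorithm, RSA with SHA-256 as the asymmetric and hash algorithms, the time and sign headers written as plain `name: value` lines in front of the HTTP message, a Unix timestamp as the time value, and certificates already exchanged and validated with the CA, so each gateway simply holds its peer's public key. The `Now` field stands in for the time server query, and the "then encrypt with the server-side private key" of 1) b) is implemented as a signature over the wrapped key, since that is the operation a private key provides.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Window is the acceptance threshold of step 3) c) (3 minutes, as in claim 3).
const Window = 3 * time.Minute

// Gateway models one security gateway: its own RSA key, the peer's public key from the
// certificate exchanged in 1) a) (assumed validated), the session key, and the replay record of 3) d).
type Gateway struct {
	Priv    *rsa.PrivateKey
	PeerPub *rsa.PublicKey
	Session []byte           // 32-byte AES-256 session key
	Now     func() time.Time // stand-in for the time server query
	seen    map[string]bool  // "peer public key || time" values already accepted
}

// sign and verify are steps 2) b)-c) and 3) f)-g): hashA = SHA-256, enhashA = RSA signature.
func sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

func verify(pub *rsa.PublicKey, data, sig []byte) error {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// NewSessionKey is step 1) b): a random key is encrypted to the terminal's public key and
// the "encrypt with the server private key" part is a signature over that ciphertext.
func NewSessionKey(server *rsa.PrivateKey, terminalPub *rsa.PublicKey) (key, wrapped, sig []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil { return }
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, terminalPub, key, nil); err != nil { return }
	sig, err = sign(server, wrapped)
	return
}

// AcceptSessionKey is step 1) c): check the server's signature first, then unwrap the key.
func AcceptSessionKey(terminal *rsa.PrivateKey, serverPub *rsa.PublicKey, wrapped, sig []byte) ([]byte, error) {
	if err := verify(serverPub, wrapped, sig); err != nil { return nil, fmt.Errorf("session key not from server: %w", err) }
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, terminal, wrapped, nil)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Send runs steps 2) a)-d) on a raw HTTP message. Added headers are plain "name: value"
// lines and the time value is a Unix timestamp (an assumption; the patent fixes no format).
func (g *Gateway) Send(httpMsg string) ([]byte, error) {
	httpAT := fmt.Sprintf("time: %d\r\n%s", g.Now().Unix(), httpMsg) // a)
	enhashA, err := sign(g.Priv, []byte(httpAT))                        // b)+c)
	if err != nil { return nil, err }
	httpAS := fmt.Sprintf("sign: %s\r\n%s", hex.EncodeToString(enhashA), httpAT)
	gcm, err := aead(g.Session) // d): HTTPAD = AES-GCM(session key, HTTPAS), nonce prepended
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(httpAS), nil), nil
}

// Receive runs steps 3) a)-g) and returns HTTPAT only if every check passes.
func (g *Gateway) Receive(httpAD []byte) (string, error) {
	gcm, err := aead(g.Session)
	if err != nil || len(httpAD) < gcm.NonceSize() { return "", errors.New("malformed packet") }
	httpAS, err := gcm.Open(nil, httpAD[:gcm.NonceSize()], httpAD[gcm.NonceSize():], nil) // a)
	if err != nil { return "", err }
	signLine, httpAT, _ := strings.Cut(string(httpAS), "\r\n") // e): strip the sign header
	enhashA, err := hex.DecodeString(strings.TrimPrefix(signLine, "sign: "))
	if err != nil || !strings.HasPrefix(signLine, "sign: ") { return "", errors.New("missing sign header") }
	timeLine, _, _ := strings.Cut(httpAT, "\r\n") // b): the sender's transmission time
	sent, err := strconv.ParseInt(strings.TrimPrefix(timeLine, "time: "), 10, 64)
	if err != nil || !strings.HasPrefix(timeLine, "time: ") { return "", errors.New("missing time header") }
	if d := g.Now().Sub(time.Unix(sent, 0)); d > Window || d < -Window { // c)
		return "", errors.New("transmission time outside threshold")
	}
	replayKey := g.PeerPub.N.String() + "|" + strconv.FormatInt(sent, 10) // d)
	if g.seen[replayKey] { return "", errors.New("replayed packet") }
	if err := verify(g.PeerPub, []byte(httpAT), enhashA); err != nil { return "", errors.New("signature mismatch") } // f)+g)
	if g.seen == nil { g.seen = map[string]bool{} }
	g.seen[replayKey] = true // recorded only once the signature has verified
	return httpAT, nil
}

func main() { // stand-alone demo with freshly generated keys and a constructed sample request
	termKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	servKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, wrapped, sig, _ := NewSessionKey(servKey, &termKey.PublicKey)
	termSession, _ := AcceptSessionKey(termKey, &servKey.PublicKey, wrapped, sig)
	term := &Gateway{Priv: termKey, PeerPub: &servKey.PublicKey, Session: termSession, Now: time.Now}
	serv := &Gateway{Priv: servKey, PeerPub: &termKey.PublicKey, Session: key, Now: time.Now}
	pkt, _ := term.Send("GET /status HTTP/1.1\r\nHost: home.example\r\n\r\n")
	_, err := serv.Receive(pkt)
	fmt.Println("first delivery accepted:", err == nil)
	_, err = serv.Receive(pkt)
	fmt.Println("second delivery:", err)
}
```

Two points a deployment of this scheme should weigh. The replay record of 3) d) is keyed only on the sender's public key and the transmission time, so two legitimate packets from the same sender that carry the same time value (one-second resolution in this example) are indistinguishable from a replay; a per-session counter or the packet hash in the key would separate them. The example also adds a packet to the replay record only after its signature has verified, slightly later than 3) d) places it, so that a packet failing signature verification cannot block a later genuine packet bearing the same time value.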
Claims (3)
1. A gateway-based secure data transmission method, characterised in that it is applied in a secure data transmission system comprising a terminal-side security gateway, a service-server-side security gateway, a time server and a CA server; the terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and support a symmetric encryption algorithm, an asymmetric encryption algorithm and a one-way hash algorithm;
the method comprises the following steps:
a. A session key is established between the terminal-side security gateway and the server-side security gateway.
b. When the terminal or the server acts as the sending end and sends an HTTP protocol packet, the processing comprises steps b1-b4:
b1. Obtain the current time value from the time server, then write it into the HTTP header as a header field named time whose value is the obtained current time value; the result is denoted HTTPAT.
b2. Apply the one-way hash function to HTTPAT to generate the value hashA.
b3. Encrypt hashA with the sending end's private key to generate enhashA, then write a header field named sign whose value is enhashA into the HTTP header; the result is denoted HTTPAS.
b4. Encrypt HTTPAS with the session key established in step a to generate HTTPAD, then send it to the receiving end.
c. When the server or the terminal acts as the receiving end and receives an HTTP protocol packet, the processing comprises steps c1-c7:
c1. Decrypt HTTPAD with the session key to obtain HTTPAS.
c2. Obtain the sending end's transmission time value from the HTTPAS header.
c3. Obtain the current time from the time server and compare it with the sending end's transmission time value, judging whether the difference is within the threshold range. If so, proceed to step c4; otherwise, discard the packet and disconnect.
c4. Concatenate the sending end's public key and the transmission time, and use the result to judge whether the receiving end has already stored this packet. If so, discard the packet and disconnect; otherwise, store the packet and proceed to step c5.
c5. Delete from the HTTPAS header the field named sign whose value is enhashA, obtaining HTTPAT; then decrypt enhashA with the sending end's public key to obtain hashA.
c6. Apply the one-way hash function to HTTPAT to generate the value hashA'.
c7. Compare hashA' with the hashA from step c5. If they are equal, secure transmission is complete; otherwise, discard the packet and disconnect.
2. The gateway-based secure data transmission method as claimed in claim 1, characterised in that step a specifically comprises:
a1. The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA server, and verify the certificate information with the CA server.
a2. The service-server-side security gateway generates a random key, encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key.
a3. The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key.
a4. The terminal-side security gateway sends a confirmation packet.
3. The gateway-based secure data transmission method as claimed in claim 1 or 2, characterised in that in step c3 the threshold range is 3 minutes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711227460.8A CN107733635B (en) | 2017-11-29 | 2017-11-29 | Data security transmission method based on gateway |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107733635A true CN107733635A (en) | 2018-02-23 |
CN107733635B CN107733635B (en) | 2020-10-09 |
Family
ID=61220155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711227460.8A Active CN107733635B (en) | 2017-11-29 | 2017-11-29 | Data security transmission method based on gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733635B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109379333A (en) * | 2018-09-10 | 2019-02-22 | 安徽师范大学 | Safe transmission method based on network layer |
CN109413643A (en) * | 2018-10-10 | 2019-03-01 | 湖北三好电子有限公司 | Wireless medical gateway apparatus and system |
CN109474613A (en) * | 2018-12-11 | 2019-03-15 | 北京数盾信息科技有限公司 | A kind of Expressway Information publication private network security hardened system of identity-based certification |
CN111556064A (en) * | 2020-05-06 | 2020-08-18 | 广东纬德信息科技股份有限公司 | Key management method, device, medium and terminal equipment based on power gateway |
CN112995230A (en) * | 2021-05-18 | 2021-06-18 | 杭州海康威视数字技术股份有限公司 | Encrypted data processing method, device and system |
CN116318759A (en) * | 2022-09-09 | 2023-06-23 | 中国地质调查局西宁自然资源综合调查中心 | Data aggregation method and system for real-time encryption transmission |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104219228A (en) * | 2014-08-18 | 2014-12-17 | 四川长虹电器股份有限公司 | User registration and user identification method and user registration and user identification system |
CN104901952A (en) * | 2015-05-04 | 2015-09-09 | 太原科技大学 | Method for improving Woo-Lam protocol coping with new attack mode |
CN105681470A (en) * | 2012-03-29 | 2016-06-15 | 北京奇虎科技有限公司 | Communication method, server and terminal based on hypertext transfer protocol |
CN106470103A (en) * | 2015-08-17 | 2017-03-01 | 苏宁云商集团股份有限公司 | A kind of client sends the method and system of encryption URL request |
US20170187531A1 (en) * | 2015-12-28 | 2017-06-29 | International Business Machines Corporation | Providing encrypted personal data to applications based on established policies for release of the personal data |
CN106911684A (en) * | 2017-02-17 | 2017-06-30 | 武汉斗鱼网络科技有限公司 | A kind of method for authenticating and system |
CN107277061A (en) * | 2017-08-08 | 2017-10-20 | 四川长虹电器股份有限公司 | End cloud security communication means based on IOT equipment |
CN107295024A (en) * | 2017-08-24 | 2017-10-24 | 四川长虹电器股份有限公司 | It is a kind of to realize the method that web front end is landed safely and accessed |
- 2017-11-29 CN CN201711227460.8A patent/CN107733635B/en active
Non-Patent Citations (1)
Title |
---|
苏锐丹; 丁振国; 周利华: "一种实用的面向Web的公平防抵赖协议", 《 西安电子科技大学学报》 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109379333A (en) * | 2018-09-10 | 2019-02-22 | 安徽师范大学 | Safe transmission method based on network layer |
CN109379333B (en) * | 2018-09-10 | 2021-04-13 | 安徽师范大学 | Safe transmission method based on network layer |
CN109413643A (en) * | 2018-10-10 | 2019-03-01 | 湖北三好电子有限公司 | Wireless medical gateway apparatus and system |
CN109474613A (en) * | 2018-12-11 | 2019-03-15 | 北京数盾信息科技有限公司 | A kind of Expressway Information publication private network security hardened system of identity-based certification |
CN111556064A (en) * | 2020-05-06 | 2020-08-18 | 广东纬德信息科技股份有限公司 | Key management method, device, medium and terminal equipment based on power gateway |
CN111556064B (en) * | 2020-05-06 | 2022-03-11 | 广东纬德信息科技股份有限公司 | Key management method, device, medium and terminal equipment based on power gateway |
CN112995230A (en) * | 2021-05-18 | 2021-06-18 | 杭州海康威视数字技术股份有限公司 | Encrypted data processing method, device and system |
CN116318759A (en) * | 2022-09-09 | 2023-06-23 | 中国地质调查局西宁自然资源综合调查中心 | Data aggregation method and system for real-time encryption transmission |
Also Published As
Publication number | Publication date |
---|---|
CN107733635B (en) | 2020-10-09 |
Similar Documents
Publication | Title |
---|---|
CN107733635A (en) | Data safe transmission method based on gateway |
US11757864B1 (en) | Certificate authentication |
US11228442B2 (en) | Authentication method, authentication apparatus, and authentication system |
CN106506470B (en) | network data security transmission method |
CN109347809A (en) | A kind of application virtualization safety communicating method towards under autonomous controllable environment |
CN104486077B (en) | A kind of end-to-end cryptographic key negotiation method of VoIP real time datas safe transmission |
EP1946479B1 (en) | Communication securiy |
CN105162599B (en) | A kind of data transmission system and its transmission method |
CN106878016A (en) | Data is activation, method of reseptance and device |
CN104702611A (en) | Equipment and method for protecting session key of secure socket layer |
CN109068321B (en) | Method and system for negotiating session key, mobile terminal and intelligent household equipment |
CN103095696A (en) | Identity authentication and key agreement method suitable for electricity consumption information collection system |
CN109218825A (en) | A kind of video encryption system |
JP2013502782A (en) | Method, device, and network system for negotiating encryption information |
CN108683647A (en) | A kind of data transmission method based on multi-enciphering |
CN113630407B (en) | Method and system for enhancing transmission security of MQTT protocol by using symmetric cryptographic technology |
CN109151508A (en) | A kind of video encryption method |
CN113612605A (en) | Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology |
CN102036238A (en) | Method for realizing user and network authentication and key distribution based on public key |
CN112637136A (en) | Encrypted communication method and system |
EP3570487B1 (en) | Private key generation method, device and system |
CN115567206A (en) | Method and system for realizing encryption and decryption of network data message by quantum distribution key |
CN108040071A (en) | A kind of VoIP audio-video encryptions key dynamic switching method |
CN109274663A (en) | Communication means based on SM2 dynamic key exchange and SM4 data encryption |
CN101552666B (en) | Real time media stream encryption transmission method |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |