CN107733635A - Data safe transmission method based on gateway - Google Patents

Info

Publication number
CN107733635A
Authority
CN
China
Prior art keywords
security gateway
side security
gateway
server
hasha
Prior art date
Legal status
Granted
Application number
CN201711227460.8A
Other languages
Chinese (zh)
Other versions
CN107733635B (en
Inventor
付强
常清雪
肖建
Current Assignee
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date
2017-11-29
Filing date
2017-11-29
Publication date
2018-02-23

Classifications

    • H — ELECTRICITY; H04 — ELECTRIC COMMUNICATION TECHNIQUE; H04L — TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways (under H04L12/00 Data switching networks)
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications)
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators)

Abstract

The present invention relates to the field of secure information transmission and discloses a gateway-based data secure transmission method that achieves secure data transmission without changing the existing architecture and without affecting existing services. In the present invention, secure transmission is achieved by deploying security gateways in front of the service server and at the entrance of the home network. When data is transmitted, a session key is first negotiated between the terminal-side security gateway and the service-server-side security gateway; the packet to be sent is then signed, encrypted with the session key and sent to the receiving end, with the transmission time added before signing. After receiving the packet, the receiving end decrypts it with the session key, verifies the transmission time information, and verifies the signature once the time check has passed.

Description

Data safe transmission method based on gateway
Technical field
The present invention relates to the field of secure information transmission, and in particular to a gateway-based data secure transmission method.
Background technology
With the gradual development of the Internet of Things, more and more smart appliances and household devices are entering people's homes, and quality of life improves along with advances in science and technology. However, the accompanying security problems are also gradually emerging and becoming more severe, leaving people's personal information in a dangerous state.
Because of the resource limitations of the terminal devices themselves, secure transmission is often not used at all, or a secure transmission method with a weak algorithm is used, so that the transmitted information can easily be intercepted, with consequences such as exposure of personal information and malicious manipulation of the user's own smart devices.
The content of the invention
The technical problem to be solved by the invention is: to propose a gateway-based data secure transmission method that achieves secure data transmission without changing the existing architecture and without affecting existing services.
The technical solution adopted by the present invention to solve the above technical problem is:
A gateway-based data secure transmission method, applied in a data secure transmission system comprising a terminal-side security gateway, a service-server-side security gateway, a time server and a CA server. The terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and both support a symmetric encryption algorithm, an asymmetric encryption algorithm and a one-way hash algorithm. The method comprises the following steps:
a. A session key is established between the terminal-side security gateway and the server-side security gateway;
b. When the terminal or the server end, acting as the sending end, sends an HTTP protocol packet, the processing steps b1-b4 are:
b1. Obtain the current time value from the time server, then write a header field with name time and value equal to the obtained current time value into the HTTP header; the result is denoted HTTPAT;
b2. Apply the one-way hash function to HTTPAT to generate the value hashA;
b3. Encrypt hashA with the sending end's private key to generate enhashA, then write a header field with name sign and value enhashA into the HTTP header; the result is denoted HTTPAS;
b4. Encrypt HTTPAS with the session key established in step a to generate HTTPAD, then send it to the receiving end;
c. When the server end or the terminal, acting as the receiving end, receives an HTTP protocol packet, the processing steps c1-c7 are:
c1. Decrypt HTTPAD with the session key to obtain HTTPAS;
c2. Obtain the sending end's transmission time value from the HTTPAS header;
c3. Obtain the current time from the time server and compare it with the sending end's transmission time value, judging whether the difference is within the threshold range. If so, proceed to step c4; otherwise discard the packet and disconnect;
c4. Concatenate the sending end's public key and the transmission time, and use the result to judge whether the receiving end has already stored this packet. If so, discard the packet and disconnect; otherwise store the packet and proceed to step c5;
c5. Delete from the HTTPAS header the part consisting of the header field named sign with value enhashA, obtaining HTTPAT; then decrypt enhashA with the sending end's public key to obtain hashA;
c6. Apply the one-way hash function to HTTPAT to generate the value hashA';
c7. Compare hashA' with the hashA from step c5. If they are equal, secure transmission is complete; otherwise discard the packet and disconnect.
As a further optimization, step a specifically comprises:
a1. The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA server and verify the certificate information with the CA server;
a2. The service-server-side security gateway generates a random key and encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key;
a3. The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key;
a4. The terminal-side security gateway sends a confirmation packet.
As a further optimization, in step c3 the threshold range is 3 minutes.
The beneficial effects of the invention are as follows:
Certificates issued by a trusted CA and an Internet time server provide the basis for secure transmission. By deploying security gateways in front of the service server and at the entrance of the home network, secure transmission is achieved without changing the existing architecture or affecting existing services; the security of transmission is guaranteed and the security of the system is strengthened.
Brief description of the drawings
Fig. 1 is a schematic diagram of the gateway deployment for achieving secure data transmission.
Embodiment
The present invention aims to propose a gateway-based data secure transmission method that achieves secure data transmission without changing the existing architecture and without affecting existing services.
Before the present invention is implemented, security gateways must be deployed in front of the service server and at the entrance of the home network, as shown in Fig. 1. The terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and both support a symmetric encryption algorithm (such as AES, used for ciphertext transmission), an asymmetric encryption algorithm (such as RSA, used for signing) and a one-way hash algorithm (such as SHA256, used for information integrity).
After the above gateways have been deployed, the data secure transmission method comprises the following steps:
1) A session key is established between the terminal-side security gateway and the service-server-side security gateway using the CA certificates and the algorithms:
a) The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA and verify the certificate information with the CA server;
b) The server-side security gateway generates a random key as the session key and encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key;
c) The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key;
d) The terminal-side security gateway sends a confirmation packet.
2) The end that sends the HTTP protocol packet processes it as follows:
a) Obtain the current time value from the time server and write a header field with name time and value equal to the obtained time into the HTTP header; the result is denoted HTTPAT;
b) Apply the one-way hash function to HTTPAT to generate the value hashA;
c) Encrypt hashA with the sending end's private key to generate enhashA, and write a header field with name sign and value enhashA into the HTTP header; the result is denoted HTTPAS;
d) Encrypt HTTPAS with the session key from 1) to generate HTTPAD, then send it.
3) The receiving end processes the packet as follows:
a) Decrypt HTTPAD with the session key to obtain HTTPAS;
b) Obtain the time field and its value from the HTTPAS header;
c) Obtain the current time from the time server and compare it with the time value from b). If the difference is within the accepted range (such as 3 minutes), proceed to the next step; otherwise discard the packet and disconnect;
d) Concatenate the sending end's public key and the transmission time, and use the result to judge whether the receiving end has already received this packet. If so, discard this packet and disconnect; otherwise store it and proceed to the next step;
e) Obtain from the HTTPAS header the header field named sign with value enhashA and delete it, then decrypt enhashA with the sending end's public key to obtain hashA; the HTTP packet with the sign header deleted is the HTTPAT of step 2) a);
f) Apply the one-way hash function to HTTPAT to generate the value hashA';
g) Compare hashA' from f) with hashA from e). If they are equal, secure transmission is complete; otherwise discard the data and disconnect.
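The sending and receiving pipeline of steps 2) and 3) above (steps b and c of the summary and claims), as an added example in Go that is not part of the patent: the time header, the SHA256 hash, the RSA signature of that hash with the sender's private key (the patent's "encrypt hashA with the private key"), AES encryption under the session key, the 3-minute freshness window, and the replay check keyed on the sender's public key concatenated with the transmission time. The session key is taken as already negotiated in step 1); AES-GCM as the AES mode, PKCS#1 v1.5 signature padding, Unix-seconds as the time encoding, and the HTTP header helpers are assumptions of this example.

```go
package main

import (
	"crypto"; "crypto/aes"; "crypto/cipher"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"
	"encoding/base64"; "fmt"; "strconv"; "strings"; "time"
)

// Window is the patent's freshness threshold for the transmission time (step c3): 3 minutes.
const Window = 3 * time.Minute
// seen holds "sender public key || transmission time" keys already accepted (step c4).
var seen = map[string]bool{}

// NewIdentity generates an RSA key pair standing in for a gateway's CA-certified key (assumption).
func NewIdentity() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewSession wraps the negotiated session key (step a) in AES-GCM; the patent names AES but no
// mode, so GCM is this example's assumption.
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Send runs b1-b4: HTTPAT (time header) -> hashA -> HTTPAS (sign header) -> HTTPAD.
func Send(msg string, now time.Time, priv *rsa.PrivateKey, sess cipher.AEAD) ([]byte, error) {
	httpAT := addHeader(msg, "time", strconv.FormatInt(now.Unix(), 10)) // b1
	hashA := sha256.Sum256([]byte(httpAT))                              // b2
	enhashA, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashA[:]) // b3
	if err != nil { return nil, err }
	httpAS := addHeader(httpAT, "sign", base64.StdEncoding.EncodeToString(enhashA))
	nonce := make([]byte, sess.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return sess.Seal(nonce, nonce, []byte(httpAS), nil), nil // b4: HTTPAD = nonce || ciphertext
}

// Receive runs c1-c7; any error means "discard the packet and disconnect".
func Receive(httpAD []byte, now time.Time, pub *rsa.PublicKey, sess cipher.AEAD) (string, error) {
	n := sess.NonceSize()
	if len(httpAD) < n { return "", fmt.Errorf("packet shorter than nonce") }
	plain, err := sess.Open(nil, httpAD[:n], httpAD[n:], nil) // c1
	if err != nil { return "", err }
	httpAS := string(plain)
	tStr, ok, _ := cutHeader(httpAS, "time") // c2
	secs, perr := strconv.ParseInt(tStr, 10, 64)
	if !ok || perr != nil { return "", fmt.Errorf("missing or malformed time header") }
	if d := now.Sub(time.Unix(secs, 0)); d > Window || d < -Window { // c3
		return "", fmt.Errorf("transmission time outside threshold")
	}
	key := pub.N.String() + "|" + tStr // c4: sender public key spliced with transmission time
	if seen[key] { return "", fmt.Errorf("replayed packet") }
	seen[key] = true
	sigB64, ok, httpAT := cutHeader(httpAS, "sign") // c5: strip sign header -> HTTPAT
	sig, derr := base64.StdEncoding.DecodeString(sigB64)
	if !ok || derr != nil { return "", fmt.Errorf("missing or malformed sign header") }
	hashA := sha256.Sum256([]byte(httpAT)) // c6: hashA'
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashA[:], sig) != nil { // c7
		return "", fmt.Errorf("signature mismatch")
	}
	return httpAT, nil
}

// addHeader appends "name: val" to a message laid out as start line + CRLF headers + blank line + body.
func addHeader(msg, name, val string) string {
	head, body, _ := strings.Cut(msg, "\r\n\r\n")
	return head + "\r\n" + name + ": " + val + "\r\n\r\n" + body
}

// cutHeader returns the value of header name (ok=false if absent) and the message without that header.
func cutHeader(msg, name string) (val string, ok bool, rest string) {
	head, body, _ := strings.Cut(msg, "\r\n\r\n")
	var keep []string
	for _, l := range strings.Split(head, "\r\n") {
		if k, v, found := strings.Cut(l, ": "); found && k == name {
			val, ok = v, true
		} else {
			keep = append(keep, l)
		}
	}
	return val, ok, strings.Join(keep, "\r\n") + "\r\n\r\n" + body
}
```

Because the replay check is keyed only on the public key and the time value, two distinct packets from one sender that carry the same time value are indistinguishable from a replay and the second is discarded, so the time resolution bounds the sender's rate.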

Claims (3)

1. A gateway-based data secure transmission method, characterised in that it is applied in a data secure transmission system comprising a terminal-side security gateway, a service-server-side security gateway, a time server and a CA server; the terminal-side security gateway and the service-server-side security gateway are each provisioned with a certificate issued by the CA server as their unique identity, and both support a symmetric encryption algorithm, an asymmetric encryption algorithm and a one-way hash algorithm;
The method comprises the following steps:
a. A session key is established between the terminal-side security gateway and the server-side security gateway;
b. When the terminal or the server end, acting as the sending end, sends an HTTP protocol packet, the processing steps b1-b4 are:
b1. Obtain the current time value from the time server, then write a header field with name time and value equal to the obtained current time value into the HTTP header; the result is denoted HTTPAT;
b2. Apply the one-way hash function to HTTPAT to generate the value hashA;
b3. Encrypt hashA with the sending end's private key to generate enhashA, then write a header field with name sign and value enhashA into the HTTP header; the result is denoted HTTPAS;
b4. Encrypt HTTPAS with the session key established in step a to generate HTTPAD, then send it to the receiving end;
c. When the server end or the terminal, acting as the receiving end, receives an HTTP protocol packet, the processing steps c1-c7 are:
c1. Decrypt HTTPAD with the session key to obtain HTTPAS;
c2. Obtain the sending end's transmission time value from the HTTPAS header;
c3. Obtain the current time from the time server and compare it with the sending end's transmission time value, judging whether the difference is within the threshold range. If so, proceed to step c4; otherwise discard the packet and disconnect;
c4. Concatenate the sending end's public key and the transmission time, and use the result to judge whether the receiving end has already stored this packet. If so, discard the packet and disconnect; otherwise store the packet and proceed to step c5;
c5. Delete from the HTTPAS header the part consisting of the header field named sign with value enhashA, obtaining HTTPAT; then decrypt enhashA with the sending end's public key to obtain hashA;
c6. Apply the one-way hash function to HTTPAT to generate the value hashA';
c7. Compare hashA' with the hashA from step c5. If they are equal, secure transmission is complete; otherwise discard the packet and disconnect.
2. The gateway-based data secure transmission method as claimed in claim 1, characterised in that
step a specifically comprises:
a1. The terminal-side security gateway and the service-server-side security gateway exchange the certificates issued by the CA server and verify the certificate information with the CA server;
a2. The service-server-side security gateway generates a random key and encrypts it first with the terminal-side security gateway's public key and then with the server-side security gateway's private key;
a3. The terminal-side security gateway decrypts first with the server side's public key and then with its own private key, obtaining the session key;
a4. The terminal-side security gateway sends a confirmation packet.
3. The gateway-based data secure transmission method as claimed in claim 1 or 2, characterised in that the threshold range in step c3 is 3 minutes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711227460.8A CN107733635B (en) 2017-11-29 2017-11-29 Data security transmission method based on gateway

Publications (2)

Publication Number Publication Date
CN107733635A true CN107733635A (en) 2018-02-23
CN107733635B CN107733635B (en) 2020-10-09

Family

ID=61220155

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379333A (en) * 2018-09-10 2019-02-22 安徽师范大学 Safe transmission method based on network layer
CN109413643A (en) * 2018-10-10 2019-03-01 湖北三好电子有限公司 Wireless medical gateway apparatus and system
CN109474613A (en) * 2018-12-11 2019-03-15 北京数盾信息科技有限公司 A kind of Expressway Information publication private network security hardened system of identity-based certification
CN111556064A (en) * 2020-05-06 2020-08-18 广东纬德信息科技股份有限公司 Key management method, device, medium and terminal equipment based on power gateway
CN112995230A (en) * 2021-05-18 2021-06-18 杭州海康威视数字技术股份有限公司 Encrypted data processing method, device and system
CN116318759A (en) * 2022-09-09 2023-06-23 中国地质调查局西宁自然资源综合调查中心 Data aggregation method and system for real-time encryption transmission

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219228A (en) * 2014-08-18 2014-12-17 四川长虹电器股份有限公司 User registration and user identification method and user registration and user identification system
CN104901952A (en) * 2015-05-04 2015-09-09 太原科技大学 Method for improving Woo-Lam protocol coping with new attack mode
CN105681470A (en) * 2012-03-29 2016-06-15 北京奇虎科技有限公司 Communication method, server and terminal based on hypertext transfer protocol
CN106470103A (en) * 2015-08-17 2017-03-01 苏宁云商集团股份有限公司 A kind of client sends the method and system of encryption URL request
US20170187531A1 (en) * 2015-12-28 2017-06-29 International Business Machines Corporation Providing encrypted personal data to applications based on established policies for release of the personal data
CN106911684A (en) * 2017-02-17 2017-06-30 武汉斗鱼网络科技有限公司 A kind of method for authenticating and system
CN107277061A (en) * 2017-08-08 2017-10-20 四川长虹电器股份有限公司 End cloud security communication means based on IOT equipment
CN107295024A (en) * 2017-08-24 2017-10-24 四川长虹电器股份有限公司 It is a kind of to realize the method that web front end is landed safely and accessed

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
苏锐丹; 丁振国; 周利华: "A practical Web-oriented fair non-repudiation protocol", Journal of Xidian University *

Also Published As

Publication number Publication date
CN107733635B (en) 2020-10-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant