CN107733635B - Data security transmission method based on gateway - Google Patents

Data security transmission method based on gateway Download PDF

Info

Publication number
CN107733635B
CN107733635B CN201711227460.8A CN201711227460A CN107733635B CN 107733635 B CN107733635 B CN 107733635B CN 201711227460 A CN201711227460 A CN 201711227460A CN 107733635 B CN107733635 B CN 107733635B
Authority
CN
China
Prior art keywords
security gateway
server
side security
gateway
value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711227460.8A
Other languages
Chinese (zh)
Other versions
CN107733635A (en
Inventor
付强
常清雪
肖建
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Changhong Electric Co Ltd
Original Assignee
Sichuan Changhong Electric Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Changhong Electric Co Ltd filed Critical Sichuan Changhong Electric Co Ltd
Priority to CN201711227460.8A priority Critical patent/CN107733635B/en
Publication of CN107733635A publication Critical patent/CN107733635A/en
Application granted granted Critical
Publication of CN107733635B publication Critical patent/CN107733635B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of information security transmission, and discloses a data security transmission method based on a gateway, which realizes data security transmission on the premise of not changing the existing architecture and not influencing the existing service. In the invention, a security gateway is arranged at the entrance of a home network to realize safe transmission before a service server; when data transmission is carried out, firstly, session keys of a terminal side security gateway and a service server side security gateway are negotiated, then a data packet to be transmitted is signed, transmission time information is added, and then the data packet is encrypted and transmitted to a receiving end by adopting the session keys, and transmission time is added during signing; and the receiving end decrypts the data packet by adopting the session key, verifies the sending time information and verifies the signature after the verification is passed.

Description

Data security transmission method based on gateway
Technical Field
The invention relates to the field of information security transmission, in particular to a data security transmission method based on a gateway.
Background
With the gradual development of the internet of things, more and more intelligent household appliances and home furnishings gradually enter the families of people, and the quality of life is improved along with the progress of science and technology. But the accompanying security problems are also gradually emerging and are becoming more and more intense, putting people's personal information in a dangerous situation.
Due to the limitation of the resources of the terminal equipment, safe transmission is not adopted during transmission, or a safe transmission mode of a weak algorithm is used, so that the transmitted information can be easily intercepted, and the adverse effects of personal information exposure, malicious control of the intelligent equipment and the like are caused.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the data security transmission method based on the gateway is provided, and the data security transmission is realized on the premise of not changing the existing architecture and not influencing the existing service.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a data security transmission method based on gateway is applied to a data security transmission system comprising a terminal side security gateway, a service server side security gateway, a time server and a CA server; the terminal side security gateway and the service server side security gateway are respectively provided with a certificate which is issued by a CA server and used as an identity unique identifier, and respectively support a symmetric encryption algorithm, an asymmetric encryption algorithm and a single hash algorithm; the method comprises the following steps:
a. a session key is established between a terminal side security gateway and a server side security gateway;
b. the processing steps of the terminal or the server end as the sending end when sending the http protocol packet comprise b1-b 4:
b1. obtaining a current time value from a time server, writing the current time value into a header of an http protocol in a format of a header field name time, which is the obtained current time value, and recording the current time value as HTTPAT;
b2. generating a hashA value by using a singleton hash function for the HTTPAT;
b3. encrypting the hashA by using a private key of a sending end to generate enhashA, writing the enhashA into a http protocol header in a format of a header field name sign with the value of enhashA, and recording the http protocol header as HTTPAS;
b4. b, encrypting HTTPAS by using the session key established in the step a to generate HTTPAD, and then sending the HTTPAD to a receiving end;
c. the processing steps of the server or the terminal as the receiving end when receiving the http protocol packet comprise c1-c 7:
c1. decrypting the HTTPAD by using the session key to obtain HTTPAS;
c2. obtaining a sending time value of a sending end from header information of the HTTPAS;
c3. acquiring the current time from the time server, comparing the current time with the sending time value of the sending end, judging whether the difference value is within the threshold range, if so, entering the step c4, otherwise, discarding the data packet and disconnecting the connection;
c4. the public key of the sending end and the sending time are spliced so as to judge whether the data packet is stored by the receiving end or not, if so, the data packet is discarded, and the connection is disconnected; otherwise, storing the data packet, and proceeding to step c 5;
c5. deleting a part with a header field name sign and an enhashA value from header information of the HTTPAS to obtain the HTTPAT; then, decrypting by using a public key of the sending end to obtain hashA;
c6. generating a hashA' value by using a singleton hash function for the HTTPAT;
c7. comparing hashA' with hashA in step c5, and if equal, the secure transfer is complete; otherwise, the data packet is discarded and the connection is disconnected.
As a further optimization, step a specifically includes:
a1. exchanging a certificate issued by a CA server between a terminal side security gateway and a service server side security gateway, and verifying the information of the certificate at the CA server;
a2. the method comprises the steps that a business server side security gateway generates a random key, a public key of a terminal side security gateway is used for encryption, and then a private key of the server side security gateway is used for encryption;
a3. the terminal side security gateway decrypts by using the public key of the server side, and then decrypts by using the private key of the terminal side to obtain a session key;
a4. and the terminal side security gateway sends a confirmation data packet.
As a further optimization, in step c3, the threshold range is 3 minutes.
The invention has the beneficial effects that:
the certificate issued by the trusted CA and the internet time server are used for providing a basis for safe transmission, and the safe transmission is realized by arranging the safety gateway at the entrance of the home network in front of the service server, so that the transmission safety is guaranteed and the system safety is enhanced under the conditions that the existing architecture is not changed and the service is not influenced.
Drawings
Fig. 1 is a schematic diagram of a gateway deployment for implementing secure data transmission.
Detailed Description
The invention aims to provide a gateway-based data security transmission method, which realizes data security transmission on the premise of not changing the existing architecture and not influencing the existing service.
Before implementing the present invention, it is necessary to deploy a security gateway at the entrance of the home network before the service server, as shown in fig. 1; the terminal side security gateway and the service server side security gateway are respectively provided with a certificate which is issued by a CA server and used as an identity unique identifier, and respectively support a symmetric encryption algorithm (such as aes and used for ciphertext transmission), an asymmetric encryption algorithm (such as rsa and used for signature) and a single hash algorithm (such as sha256 and used for information integrity);
after the gateway is deployed, the realized data security transmission method comprises the following steps:
1) and a session key is established between the terminal side security gateway and the service server side security gateway by using a certificate and an algorithm of the CA:
a) the terminal side security gateway exchanges the certificate issued by the CA with the service server side security gateway, and the information of the certificate is verified at the CA server;
b) the server side security gateway generates a random key as a session key, firstly encrypts the random key by using a public key of the terminal side security gateway, and then encrypts the random key by using a private key of the server side security gateway;
c, the terminal side security gateway decrypts by using the public key of the server side, and then decrypts by using the private key of the terminal side to obtain a session key;
d) and the terminal side security gateway sends a confirmation data packet.
2) One end of the http protocol packet is sent by using the following processing mode:
a) obtaining the current time value from the time server, writing the current time value into the header of the http protocol in the format of the header field name time and the value as the obtaining time, and recording the current time value as HTTPAT
b) Generating a hashA value by using a singleton hash function for the HTTPAT;
c) encrypting the hashA by using a private key of a sending end to generate enhashA, writing the enhashA into a http protocol header in a format of a header field name sign and a value of enhashA, and recording the http protocol header as HTTPAS;
d) encrypting HTTPAS by using the session key in the step 1), generating HTTPAD, and then sending.
3) The receiving end uses the following processing mode:
a) decrypting the HTTPAD by using the session key to obtain HTTPAS;
b) obtaining time and the value thereof from header information of HTTPAS;
c) obtaining the current time from the time server, comparing the current time with the time value in b), and if the difference value is within an acceptance range (such as 3 minutes), carrying out the next step; otherwise, discarding the data packet and disconnecting the connection;
d) splicing the public key and the sending time of the sending end, judging whether the receiving end has received the data packet, if so, discarding the data packet, and disconnecting the connection; otherwise, storing the data and carrying out the next step;
e) acquiring and deleting a part with a header sign and an enhashA value from header information of the HTTPAS, and decrypting by using a public key of a sending end to obtain the hashA; the http packet after the sign header is deleted is 2) HTTPAT in a);
f) generating a hashA' value by using a singleton hash function for the HTTPAT;
g) comparing hashA' in f) with hashA in e); if equal, the secure transfer is complete; otherwise, the data is discarded and the connection is disconnected.

Claims (2)

1. The gateway-based data security transmission method is characterized by being applied to a data security transmission system comprising a terminal side security gateway, a service server side security gateway, a time server and a CA server; the terminal side security gateway and the service server side security gateway are respectively provided with a certificate which is issued by a CA server and used as an identity unique identifier, and respectively support a symmetric encryption algorithm, an asymmetric encryption algorithm and a single hash algorithm;
the method comprises the following steps:
a. establishing a session key between a terminal side security gateway and a service server side security gateway by using a certificate and an algorithm of a CA, and specifically comprising the following steps of a1-a4:
a1. exchanging a certificate issued by a CA server between a terminal side security gateway and a service server side security gateway, and verifying the information of the certificate at the CA server;
a2. the method comprises the steps that a business server side security gateway generates a random key, a public key of a terminal side security gateway is used for encryption, and then a private key of the server side security gateway is used for encryption;
a3. the terminal side security gateway decrypts by using the public key of the server side, and then decrypts by using the private key of the terminal side to obtain a session key;
a4. the terminal side security gateway sends a confirmation data packet;
b. the processing steps of the terminal or the server end as the sending end when sending the http protocol packet comprise b1-b 4:
b1. obtaining a current time value from a time server, writing the current time value into a header of an http protocol in a format of a header field name time, which is the obtained current time value, and recording the current time value as HTTPAT;
b2. generating a hashA value by using a singleton hash function for the HTTPAT;
b3. encrypting the hashA by using a private key of a sending end to generate enhashA, writing the enhashA into a http protocol header in a format of a header field name sign with the value of enhashA, and recording the http protocol header as HTTPAS;
b4. b, encrypting HTTPAS by using the session key established in the step a to generate HTTPAD, and then sending the HTTPAD to a receiving end;
c. the processing steps of the server or the terminal as the receiving end when receiving the http protocol packet comprise c1-c 7:
c1. decrypting the HTTPAD by using the session key to obtain HTTPAS;
c2. obtaining a sending time value of a sending end from header information of the HTTPAS;
c3. acquiring the current time from the time server, comparing the current time with the sending time value of the sending end, judging whether the difference value is within the threshold range, if so, entering the step c4, otherwise, discarding the data packet and disconnecting the connection;
c4. the public key of the sending end and the sending time are spliced so as to judge whether the data packet is stored by the receiving end or not, if so, the data packet is discarded, and the connection is disconnected; otherwise, storing the data packet, and proceeding to step c 5;
c5. deleting a part with a header field name sign and an enhashA value from header information of the HTTPAS to obtain the HTTPAT; then, decrypting by using a public key of the sending end to obtain hashA;
c6. generating a hashA' value by using a singleton hash function for the HTTPAT;
c7. comparing hashA' with hashA in step c5, and if equal, the secure transfer is complete; otherwise, the data packet is discarded and the connection is disconnected.
2. The gateway-based data security transmission method of claim 1, wherein in the step c3, the threshold range is 3 minutes.
CN201711227460.8A 2017-11-29 2017-11-29 Data security transmission method based on gateway Active CN107733635B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711227460.8A CN107733635B (en) 2017-11-29 2017-11-29 Data security transmission method based on gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711227460.8A CN107733635B (en) 2017-11-29 2017-11-29 Data security transmission method based on gateway

Publications (2)

Publication Number Publication Date
CN107733635A CN107733635A (en) 2018-02-23
CN107733635B true CN107733635B (en) 2020-10-09

Family

ID=61220155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711227460.8A Active CN107733635B (en) 2017-11-29 2017-11-29 Data security transmission method based on gateway

Country Status (1)

Country Link
CN (1) CN107733635B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379333B (en) * 2018-09-10 2021-04-13 安徽师范大学 Safe transmission method based on network layer
CN109413643A (en) * 2018-10-10 2019-03-01 湖北三好电子有限公司 Wireless medical gateway apparatus and system
CN109474613B (en) * 2018-12-11 2022-08-19 北京数盾信息科技有限公司 Highway information issuing private network security reinforcement system based on identity authentication
CN111556064B (en) * 2020-05-06 2022-03-11 广东纬德信息科技股份有限公司 Key management method, device, medium and terminal equipment based on power gateway
CN112995230B (en) * 2021-05-18 2021-08-24 杭州海康威视数字技术股份有限公司 Encrypted data processing method, device and system
CN116318759A (en) * 2022-09-09 2023-06-23 中国地质调查局西宁自然资源综合调查中心 Data aggregation method and system for real-time encryption transmission

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219228A (en) * 2014-08-18 2014-12-17 四川长虹电器股份有限公司 User registration and user identification method and user registration and user identification system
CN104901952A (en) * 2015-05-04 2015-09-09 太原科技大学 Method for improving Woo-Lam protocol coping with new attack mode
CN105681470A (en) * 2012-03-29 2016-06-15 北京奇虎科技有限公司 Communication method, server and terminal based on hypertext transfer protocol
CN106470103A (en) * 2015-08-17 2017-03-01 苏宁云商集团股份有限公司 A kind of client sends the method and system of encryption URL request
CN106911684A (en) * 2017-02-17 2017-06-30 武汉斗鱼网络科技有限公司 A kind of method for authenticating and system
CN107277061A (en) * 2017-08-08 2017-10-20 四川长虹电器股份有限公司 End cloud security communication means based on IOT equipment
CN107295024A (en) * 2017-08-24 2017-10-24 四川长虹电器股份有限公司 It is a kind of to realize the method that web front end is landed safely and accessed

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10411892B2 (en) * 2015-12-28 2019-09-10 International Business Machines Corporation Providing encrypted personal data to applications based on established policies for release of the personal data

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681470A (en) * 2012-03-29 2016-06-15 北京奇虎科技有限公司 Communication method, server and terminal based on hypertext transfer protocol
CN104219228A (en) * 2014-08-18 2014-12-17 四川长虹电器股份有限公司 User registration and user identification method and user registration and user identification system
CN104901952A (en) * 2015-05-04 2015-09-09 太原科技大学 Method for improving Woo-Lam protocol coping with new attack mode
CN106470103A (en) * 2015-08-17 2017-03-01 苏宁云商集团股份有限公司 A kind of client sends the method and system of encryption URL request
CN106911684A (en) * 2017-02-17 2017-06-30 武汉斗鱼网络科技有限公司 A kind of method for authenticating and system
CN107277061A (en) * 2017-08-08 2017-10-20 四川长虹电器股份有限公司 End cloud security communication means based on IOT equipment
CN107295024A (en) * 2017-08-24 2017-10-24 四川长虹电器股份有限公司 It is a kind of to realize the method that web front end is landed safely and accessed

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
一种实用的面向Web的公平防抵赖协议;苏锐丹; 丁振国; 周利华;《 西安电子科技大学学报》;20110427;全文 *

Also Published As

Publication number Publication date
CN107733635A (en) 2018-02-23

Similar Documents

Publication Publication Date Title
CN107733635B (en) Data security transmission method based on gateway
CN111835752B (en) Lightweight authentication method based on equipment identity and gateway
JP2020202594A (en) Computer implemented system and method for secure session establishment and encrypted exchange of data
CN109302412B (en) VoIP communication processing method based on CPK, terminal, server and storage medium
US8533461B2 (en) Wireless local area network terminal pre-authentication method and wireless local area network system
CN110048849B (en) Multi-layer protection session key negotiation method
US11736304B2 (en) Secure authentication of remote equipment
CN106878016A (en) Data is activation, method of reseptance and device
CN108683647B (en) Data transmission method based on multiple encryption
JP2013502782A (en) Method, device, and network system for negotiating encryption information
WO2013004112A1 (en) Method and device for data transmission
CN106549858B (en) Instant messaging encryption method based on identification password
CN103079200A (en) Wireless access authentication method, system and wireless router
CN109068321B (en) Method and system for negotiating session key, mobile terminal and intelligent household equipment
CN113630248A (en) Session key negotiation method
CN107635227A (en) A kind of group message encryption method and device
CN114826659B (en) Encryption communication method and system
CN108040071B (en) Dynamic switching method for VoIP audio and video encryption key
CZ2013373A3 (en) Authentication method of safe data channel
CN114553430A (en) SDP-based novel power service terminal safe access system
CN108206738B (en) Quantum key output method and system
Cho et al. Using QKD in MACsec for secure Ethernet networks
CN106209384B (en) Use the client terminal of security mechanism and the communication authentication method of charging unit
CN114928503B (en) Method for realizing secure channel and data transmission method
CN107733929B (en) Authentication method and authentication system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant