CN108200085A - Data distribution and forwarding method and device - Google Patents
Data distribution and forwarding method and device
- Publication number: CN108200085A (application CN201810096484.2A)
- Authority: CN (China)
- Prior art keywords: key, recipient, data, ciphertext, server
- Legal status: Granted (status as shown by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords
- H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Abstract
The invention discloses a data forwarding method comprising: obtaining a data ciphertext and a first record identifier, where the first record identifier is generated by the server and stored at the server in association with the first key required to decrypt the data ciphertext; sending the server a data forwarding request containing the M-th recipient identifier, the first record identifier and the N-th recipient identifier, so that the server, on the basis of the M-th forwarding record containing the M-th recipient identifier and the first record identifier, stores the first record identifier in association with the N-th recipient identifier as the N-th forwarding record (N and M are positive integers, N ≠ M); and sending the data ciphertext and the first record identifier to the N-th recipient. Corresponding server-side and recipient-side forwarding methods, and data distribution/forwarding devices, are also disclosed. The scheme improves the security of data in transit while making it more convenient for users to forward data.
Description
Technical field
The invention relates to the field of information security, and in particular to a data distribution and forwarding method and device.
Background
With the rapid development of the Internet, more and more data content is sent over networks. Data transmitted over a network in plaintext is easily intercepted by attackers; to improve the security of data when it is sent or forwarded, digital envelope technology can be used.
Digital envelope technology uses a two-layer encryption scheme: a digital envelope contains the encrypted content together with the ciphertext of the content encryption key (CEK) used to encrypt it. The sender usually encrypts the content key with the recipient's public key to obtain the content-key ciphertext, but the content key may also be encrypted with a symmetric key negotiated in advance between the sender and the recipient. On receiving a digital envelope, the recipient first decrypts the content-key ciphertext with its own key to recover the content key, and then decrypts the content ciphertext with the content key to obtain the original content. Digital envelopes combine the security of asymmetric algorithms with the speed of symmetric algorithms and ensure the confidentiality of data in transit; combined with an integrity mechanism such as a signature or MAC over the content, they also allow tampering to be detected.
At present, digital-envelope-based data forwarding still has room for improvement in both data security and the convenience of forwarding.
Summary of the invention
In view of this, embodiments of the invention propose a data distribution and forwarding scheme, based on an improved digital envelope technique, that offers higher security and convenience.
To this end, an embodiment of the invention provides a data forwarding method applied to a sender client, comprising: obtaining a data ciphertext and a first record identifier, where the first record identifier is generated by the server and stored at the server in association with the first key required to decrypt the data ciphertext; sending the server a data forwarding request containing the M-th recipient identifier, the first record identifier and the N-th recipient identifier, so that the server, on the basis of the M-th forwarding record containing the M-th recipient identifier and the first record identifier, stores the first record identifier in association with the N-th recipient identifier as the N-th forwarding record, N and M being positive integers with N ≠ M; and sending the data ciphertext and the first record identifier to the N-th recipient.
Preferably, the data forwarding request further contains N-th verification data for verifying the N-th recipient, the N-th verification data including at least the N-th recipient's public key.
Preferably, the N-th verification data further includes an N-th check number and an N-th ciphertext of the first key, the N-th ciphertext of the first key being generated by encrypting the N-th check number and the first key with the N-th recipient's public key.
Preferably, the N-th verification data further includes an N-th ciphertext of the second key, generated by encrypting, with the N-th recipient's public key, the N-th check number and a second key that is also required to decrypt the data ciphertext.
Preferably, the first record identifier is further stored at the server in association with a first ciphertext of first sub-data; the second key is used to decrypt that ciphertext to obtain the first sub-data, and the first sub-data replaces a predetermined portion of the data ciphertext to yield another data ciphertext that can be decrypted with the first key.
Preferably, the data ciphertext comprises a first data ciphertext and a second data ciphertext, which are decrypted with the first key and the second key respectively.
Preferably, the method further comprises: sending the server a revocation request containing the first record identifier and the N-th recipient identifier, so that the server deletes the N-th forwarding record.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs predetermined computer instructions to perform the sender-client data forwarding method of any of the above embodiments.
An embodiment of the invention also provides a data forwarding method applied to the server, comprising: on receiving from the M-th recipient a data forwarding request containing the M-th recipient identifier, the first record identifier and the N-th recipient identifier, storing, on the basis of the M-th forwarding record containing the M-th recipient identifier and the first record identifier, the first record identifier in association with the N-th recipient identifier as the N-th forwarding record, where the first record identifier is generated by the server and stored at the server in association with the first key required to decrypt the data ciphertext, and N and M are positive integers with N ≠ M; and on receiving from the N-th recipient a data receiving request containing the N-th recipient identifier and the first record identifier, sending the first key to the N-th recipient on the basis of the N-th forwarding record.
Preferably, the data forwarding request further contains N-th verification data for verifying the N-th recipient, including at least the N-th recipient's public key, and the method further comprises: storing the N-th verification data in the N-th forwarding record; on receiving the data receiving request from the N-th recipient, verifying the N-th recipient with the N-th verification data, and sending the first key to the N-th recipient once the verification succeeds.
Preferably, the N-th verification data further includes an N-th check number and an N-th ciphertext of the first key, the latter generated by encrypting the N-th check number and the first key with the N-th recipient's public key.
Preferably, the N-th verification data further includes an N-th ciphertext of the second key, generated by encrypting, with the N-th recipient's public key, the N-th check number and a second key that is also required to decrypt the data ciphertext.
Preferably, the first record identifier is further stored at the server in association with a first ciphertext of first sub-data, and the method further comprises: after the N-th recipient passes verification, decrypting the first ciphertext of the first sub-data with the second key and sending the resulting first sub-data to the N-th recipient, where the first sub-data replaces a predetermined portion of the data ciphertext to yield another data ciphertext that can be decrypted with the first key.
Preferably, after the N-th recipient passes verification, the second key is sent to the N-th recipient.
Preferably, the method further comprises: on receiving a data forwarding revocation request containing the first record identifier and the N-th recipient identifier, deleting the N-th forwarding record.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs predetermined computer instructions to perform the server-side data forwarding method of any of the above embodiments.
An embodiment of the invention also provides a data forwarding method applied to a recipient client, comprising: on receiving the data ciphertext and the first record identifier from the M-th recipient, sending the server a data receiving request containing the first record identifier and the N-th recipient identifier, where the first record identifier is generated by the server and stored at the server in association with the first key required to decrypt the data ciphertext, and N is a positive integer; obtaining from the server the first key that the server returns on the basis of the N-th forwarding record containing the first record identifier and the N-th recipient identifier; and using the first key when decrypting the data ciphertext.
Preferably, on receiving from the server an N-th verification data ciphertext for verifying the N-th recipient, the recipient client decrypts it with the N-th recipient's private key and sends the decryption result to the server.
Preferably, the N-th verification data ciphertext includes an N-th ciphertext of the first key, generated by encrypting the N-th check number and the first key with the N-th recipient's public key.
Preferably, the N-th verification data ciphertext further includes an N-th ciphertext of the second key, generated by encrypting, with the N-th recipient's public key, the N-th check number and the second key that is also required to decrypt the data ciphertext.
Preferably, the method further comprises: after the decryption result passes the server's verification, obtaining the first sub-data from the server, replacing the predetermined portion of the data ciphertext with the first sub-data to obtain another data ciphertext, and decrypting that ciphertext with the first key to obtain the plaintext.
Preferably, the method further comprises: after the decryption result passes the server's verification, obtaining the second key from the server and using it when decrypting the data ciphertext.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs predetermined computer instructions to perform the recipient-client data forwarding method of any of the above embodiments.
The data distribution and forwarding scheme of the embodiments improves the security of data in transit while making it more convenient for users to forward data.
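The following is an added example, not part of the patent and not the applicant's code. It models in Python the server-side bookkeeping the summary above describes: the record created at distribution, the M-th to N-th forwarding record, the data receiving request that releases the first key only to a recorded recipient, and revocation. The in-memory dictionaries, the hex record identifier, the identifiers recipient-1 and recipient-2, the placeholder key, the use of a check number in place of the public-key verification data, and the rule that only a holder of a record may revoke are all assumptions made for the demonstration.

```python
import secrets


class ForwardingServer:
    """Server-side record store for the distribute -> forward -> receive -> revoke flow.

    keys:    first record identifier -> first key (stored at distribution time)
    records: (first record identifier, recipient identifier) -> verification data
    """

    def __init__(self):
        self.keys = {}
        self.records = {}

    def distribute(self, first_recipient_id, first_key, check_number):
        """Data distribution request from the sender: create the first record identifier."""
        record_id = secrets.token_hex(8)          # first record identifier (format assumed)
        self.keys[record_id] = first_key
        self.records[(record_id, first_recipient_id)] = {"check": check_number}
        return record_id

    def forward(self, m_id, record_id, n_id, n_check_number):
        """Data forwarding request from the M-th recipient naming the N-th recipient."""
        if n_id == m_id:
            raise ValueError("N must not equal M")
        if (record_id, m_id) not in self.records:
            # No M-th forwarding record: the requester is not a recorded holder of this data
            raise PermissionError("no M-th forwarding record")
        # N-th forwarding record: same first record identifier, the N-th recipient's own
        # verification data (a check number stands in for the public-key material here)
        self.records[(record_id, n_id)] = {"check": n_check_number}

    def receive(self, record_id, recipient_id, presented_check):
        """Data receiving request: release the first key only to a recorded, verified recipient."""
        rec = self.records.get((record_id, recipient_id))
        if rec is None:
            raise PermissionError("no forwarding record for this recipient")
        if not secrets.compare_digest(rec["check"], presented_check):
            raise PermissionError("verification failed")
        return self.keys[record_id]

    def revoke(self, requester_id, record_id, n_id):
        """Forwarding revocation request: delete the N-th forwarding record.

        The description does not say who may revoke; requiring the requester to hold
        a record for the same identifier is an assumption added here.
        """
        if (record_id, requester_id) not in self.records:
            raise PermissionError("requester holds no record for this identifier")
        self.records.pop((record_id, n_id), None)


def _refused(fn, *args):
    """True if the server refuses the request with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Walk the flow with constructed identifiers and keys; returns the observed outcomes."""
    srv = ForwardingServer()
    first_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed placeholder
    check_a, check_b = secrets.token_bytes(8), secrets.token_bytes(8)
    rid = srv.distribute("recipient-1", first_key, check_a)
    out = {
        "first_recipient_gets_key": srv.receive(rid, "recipient-1", check_a) == first_key,
        "unrecorded_recipient_refused": _refused(srv.receive, rid, "recipient-2", check_b),
        "non_holder_cannot_forward": _refused(srv.forward, "outsider", rid, "recipient-2", check_b),
    }
    srv.forward("recipient-1", rid, "recipient-2", check_b)          # M=1 forwards to N=2
    out["forwarded_recipient_gets_key"] = srv.receive(rid, "recipient-2", check_b) == first_key
    out["wrong_check_refused"] = _refused(srv.receive, rid, "recipient-2", check_a)
    srv.revoke("recipient-1", rid, "recipient-2")
    out["revoked_recipient_refused"] = _refused(srv.receive, rid, "recipient-2", check_b)
    return out
```

The point the model makes visible is that the forwarder never handles the first key: the M-th recipient only proves it holds a record for the identifier, and the server derives the N-th record from it, so revoking the N-th record is a server-side deletion rather than a key rotation.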
Description of the drawings
Fig. 1 is a schematic flow chart of an embodiment of the data distribution method of the invention;
Fig. 2 is a schematic flow chart of another embodiment of the data distribution method of the invention;
Fig. 3 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 4 is a schematic flow chart of another embodiment of the data forwarding method of the invention;
Fig. 5 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 6 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 7 is a schematic flow chart of another embodiment of the data forwarding method of the invention;
Fig. 8 is a schematic flow chart of an embodiment of the data distribution method of the invention;
Fig. 9 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 10 is a schematic flow chart of an embodiment of the data forwarding method of the invention.
Detailed description
Embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a schematic flow chart of an embodiment of the data distribution method of the invention; the data distribution method of this embodiment is applied to the data sender's client.
As shown in Fig. 1, the data distribution method of this embodiment comprises:
S110: encrypt the data to be sent, using at least one key in the encryption process, to obtain a data ciphertext, the at least one key including a first key.
In this embodiment, when the sender needs to send data to a recipient, it first encrypts the data to be sent; at least one data key is used in the encryption, including the first key. The first key may be a random number generated by the sender for the first recipient, or any string the sender generates for the first recipient in a custom way; it may be generated as a whole or by combining several strings.
The embodiment places no particular requirement on the encryption mode. For example: the data to be sent may be encrypted with the first key to produce the data ciphertext; encrypted first with another key and then with the first key; encrypted first with the first key and then with another key; or different parts of the data may be encrypted with the first key and with other keys. The other key may be, for example, the first recipient's public key or a symmetric key negotiated in advance between the sender and the first recipient.
S111: split the first key into a first sub-key and a second sub-key, and generate a first ciphertext of the first sub-key from the first sub-key.
The embodiment places no particular requirement on how the first key is split; it may be split into two parts at any position. The first ciphertext of the first sub-key may be generated by encrypting the first sub-key, or a string containing it, with any key negotiated between the sender and the first recipient, for example the first recipient's public key or a symmetric key negotiated in advance.
S112: send a data distribution request to the server, containing at least the first recipient identifier, the first recipient's public key, the first ciphertext of the first sub-key and the second sub-key.
In this embodiment the sender distributes the first key to the server by means of the data distribution request, so that the server can deliver the first key to the first recipient after verification. What the sender sends to the server is the first key in two parts processed by the sender: the first ciphertext of the first sub-key and the second sub-key. Besides these two parts, the request carries the first recipient identifier, which lets the server identify the first recipient, and the first recipient's public key, which the server uses to encrypt data it later has to send to the first recipient.
The first ciphertext of the first sub-key is used to verify the first recipient. When it is generated with the first recipient's public key, the sender also encrypts the first sub-key with a key negotiated between the sender and the server, producing a second ciphertext of the first sub-key, and sends it together with the data distribution request; when the server verifies the first recipient's identity with the first ciphertext, it decrypts the second ciphertext with the negotiated key to recover the first sub-key and checks whether the verification data returned by the first recipient is correct. When the first ciphertext of the first sub-key is generated with a symmetric key negotiated between the sender and the first recipient, the sender may either encrypt the first sub-key with the sender-server key to produce the second ciphertext and send that, or encrypt with the sender-server key the symmetric key that was used to produce the first ciphertext and send that, so that the server can obtain the first sub-key (or the string containing it) and check the data the first recipient returns. The key negotiated between the sender and the server may be, for example, the server's public key or a symmetric key.
The second sub-key may be sent in the data distribution request as is, or encrypted beforehand with the sender-server key. After receiving the second sub-key, or receiving its ciphertext and decrypting it, the server may store the second sub-key encrypted, split it into several parts stored separately, or split it into several parts and encrypt each before storage.
The data distribution request sent to the server may also carry other information or data besides the above, for example a hash of the data ciphertext and a sender identifier.
S113: receive the first record identifier returned by the server, and send the data ciphertext and the first record identifier to the first recipient.
On receiving the data distribution request, the server extracts the first recipient identifier, the first recipient's public key, the first ciphertext of the first sub-key, the second sub-key and the other information and data from the request, stores them, creates a first record identifier for the stored information and data, and returns the first record identifier to the sender client.
After receiving the first record identifier from the server, the sender client may at any time send the data ciphertext and the first record identifier to the first recipient, either directly or indirectly through another server.
After receiving the first record identifier and the data ciphertext, the first recipient requests the first key from the server using the first record identifier and the first recipient identifier. On receiving the request, the server may verify the identity of the first recipient with the first ciphertext of the first sub-key; if the verification succeeds, it combines the first sub-key and the second sub-key into the first key, encrypts the first key with the first recipient's public key and sends it to the first recipient.
In this embodiment, the first key used to decrypt the data ciphertext is split by the sender into two parts and sent to the server; the verification data the recipient receives from the server, together with its public key and identifier, is only one part of the first key, and the recipient obtains the complete first key only after passing verification. Because part of the first key serves as the verification data, and that data is generated by the sender, the server can send it to the recipient for verification as is, which reduces the server's management and computation load; and because the two parts receive different encryption or storage treatment, an attacker who intercepts the communication or attacks the server still has difficulty determining how the first key is composed and what processing it went through, which protects the first key in transit and in server storage. Note that the split is an access-control measure rather than a secret-sharing scheme: an attacker who obtains both parts and the concatenation rule recovers the key, so the security rests on the protection of each part, the recipient's private key on one side and the server's key store on the other.
In one embodiment, in S111 the first sub-key is encrypted with the first recipient's public key to obtain the first ciphertext of the first sub-key; when the first recipient receives that ciphertext from the server for verification, it decrypts it with its private key and returns the first sub-key to the server for verification.
In another embodiment, in S111 a first check number and the first sub-key are encrypted together with the first recipient's public key to obtain the first ciphertext of the first sub-key. The first check number may be a fixed-length random number generated by the sender or a string the sender generates in a custom way; the sender concatenates the first check number and the first sub-key into one string, encrypts that string with the first recipient's public key to produce the first ciphertext, and also carries the first check number in the data distribution request sent to the server. When the first recipient receives the first ciphertext from the server, it decrypts it with its private key, obtains the string formed by the first check number and the first sub-key, and returns it to the server; the server concatenates the first check number and the first sub-key obtained from the data distribution request and compares the result with the string returned by the first recipient.
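The following is an added example, not the patent's or the applicant's code. It runs the Fig. 1 flow (S110 to S113) together with the first recipient's key request and the check-number verification just described, with all three roles in one Python process. The asymmetric operations of the description are replaced by pre-shared symmetric keys, which the description permits for the sub-key ciphertext: k_sr (sender and first recipient) stands in for the first recipient's public key when producing the first ciphertext of the first sub-key, k_ss for the key negotiated between sender and server, and k_rs for the recipient's public key used on the final delivery of the first key (the sender carrying k_rs in the request is an artefact of that stand-in). The cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen only because it needs nothing outside the standard library; the key sizes, the split position, the record store and the sample payload are assumptions and constructed values.

```python
import hashlib
import hmac
import secrets


# ---- symmetric stand-in cipher: HMAC-SHA256 keystream + HMAC tag (replaces AES-GCM) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def enc(key: bytes, pt: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))


# ---- server ----
class Server:
    def __init__(self, k_ss: bytes):
        self.k_ss, self.records = k_ss, {}       # k_ss: key negotiated with the sender

    def distribute(self, request: dict) -> str:
        rid = secrets.token_hex(8)               # first record identifier (format assumed)
        self.records[rid] = request
        return rid

    def challenge(self, rid: str, recipient_id: str) -> bytes:
        rec = self.records[rid]
        if rec["recipient_id"] != recipient_id:
            raise PermissionError("recipient identifier does not match the record")
        return rec["sub1_ct_recipient"]          # first ciphertext of the first sub-key, sent as is

    def release(self, rid: str, recipient_id: str, response: bytes) -> bytes:
        rec = self.records[rid]
        if rec["recipient_id"] != recipient_id:
            raise PermissionError("recipient identifier does not match the record")
        sub1 = dec(self.k_ss, rec["sub1_ct_server"])      # second ciphertext of the first sub-key
        if not hmac.compare_digest(rec["check"] + sub1, response):
            raise PermissionError("verification failed")
        first_key = sub1 + dec(self.k_ss, rec["sub2_ct"])  # recombine the two sub-keys
        return enc(rec["k_rs"], first_key)       # "encrypted with the first recipient's public key"


# ---- sender client: S110 to S113 ----
def sender_distribute(server, data, k_sr, k_ss, k_rs, recipient_id):
    first_key = secrets.token_bytes(32)                  # S110: first key, then the data ciphertext
    data_ct = enc(first_key, data)
    sub1, sub2 = first_key[:12], first_key[12:]          # S111: split at an arbitrary position
    check = secrets.token_bytes(8)                       # first check number
    request = {                                          # S112: data distribution request
        "recipient_id": recipient_id,
        "k_rs": k_rs,                                    # stands in for the recipient's public key
        "sub1_ct_recipient": enc(k_sr, check + sub1),    # first ciphertext of the first sub-key
        "sub1_ct_server": enc(k_ss, sub1),               # second ciphertext, for the server's check
        "sub2_ct": enc(k_ss, sub2),                      # second sub-key, encrypted for the server
        "check": check,
    }
    rid = server.distribute(request)                     # S113: first record identifier
    return data_ct, rid


# ---- first recipient client ----
def recipient_receive(server, data_ct, rid, k_sr, k_rs, recipient_id, tamper=False):
    response = dec(k_sr, server.challenge(rid, recipient_id))   # check number || first sub-key
    if tamper:                                                  # simulate a wrong answer
        response = response[:-1] + bytes([response[-1] ^ 1])
    first_key = dec(k_rs, server.release(rid, recipient_id, response))
    return dec(first_key, data_ct)


DATA = b"constructed sample payload for the distribution flow"


def demo(tamper: bool = False) -> bool:
    """Run the full flow; True if the recipient recovers DATA, False if the server refuses."""
    k_sr, k_ss, k_rs = (secrets.token_bytes(32) for _ in range(3))
    server = Server(k_ss)
    data_ct, rid = sender_distribute(server, DATA, k_sr, k_ss, k_rs, "recipient-1")
    try:
        return recipient_receive(server, data_ct, rid, k_sr, k_rs, "recipient-1", tamper) == DATA
    except PermissionError:
        return False
```

Two things the code makes concrete that the prose leaves implicit: the server never sees the first key in clear at distribution time (it holds one sub-key under k_ss and only a ciphertext of the other until it recombines them at release), and the verification is a proof that the recipient can open the first ciphertext of the first sub-key, so a response with even one wrong byte is refused before any key material leaves the server.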
Fig. 2 is a schematic flow chart of another embodiment of the data distribution method of the invention.
As shown in Fig. 2, the data distribution method of this embodiment comprises:
S120: encrypt the data, using at least one key in the encryption process, to obtain a data ciphertext, the at least one key including a first key and a second key;
S121: split the first key into a first sub-key and a second sub-key, and generate a first ciphertext of the first sub-key from the first sub-key;
S122: split the second key into a third sub-key and a fourth sub-key, and generate a first ciphertext of the third sub-key from the third sub-key;
S123: send a data distribution request to the server containing at least the first recipient identifier, the first recipient's public key, the first ciphertext of the first sub-key, the second sub-key, the first ciphertext of the third sub-key and the fourth sub-key;
S124: receive the first record identifier returned by the server, and send the data ciphertext and the first record identifier to the first recipient.
In this embodiment both a first key and a second key are used to encrypt the data. Both are generated by the sender and are unknown to the first recipient.
As with the first key, the sender also splits the second key into two parts, a third sub-key and a fourth sub-key, and generates a first ciphertext of the third sub-key from the third sub-key. The sender then carries the first ciphertext of the third sub-key and the fourth sub-key in the data distribution request sent to the server as well.
The first ciphertext of the third sub-key is likewise used to authenticate the first recipient. When it is generated with the first recipient's public key, the sender also encrypts the third sub-key with the key negotiated between the sender and the server, producing a second ciphertext of the third sub-key, and sends it with the data distribution request; when it is generated with the symmetric key negotiated between the sender and the first recipient, the sender may encrypt the third sub-key with the sender-server key to produce the second ciphertext and send that, or encrypt with the sender-server key the symmetric key used to produce the first ciphertext and send that, so that the server can obtain the third sub-key and check the data the first recipient returns. The key negotiated between the sender and the server may be, for example, the server's public key or a symmetric key.
The fourth sub-key may be sent in the data distribution request as is, or encrypted beforehand with the sender-server key. After receiving the fourth sub-key, or receiving its ciphertext and decrypting it, the server may store it encrypted, split it into several parts stored separately, or split it into several parts and encrypt each before storage.
After receiving the data ciphertext and the first record identifier from the sender, the first recipient asks the server for the keys required for decryption; the server verifies the first recipient separately with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key, and only after both verifications succeed does it let the first recipient use the keys required for decryption. How the server delivers the data the first recipient needs for decryption depends on how the first key and the second key were used in encryption, which is explained with later embodiments.
In this embodiment, to decrypt the data ciphertext the first recipient needs not only the first key but also the second key or data related to it, and the server authenticates the first recipient independently for the first key and for the second key, which further improves the security of the data ciphertext and the keys.
In this embodiment the second key may be generated in the same or a similar way as the first key. For example, in one embodiment, in S122 the third sub-key is encrypted with the first recipient's public key to obtain the first ciphertext of the third sub-key. In another embodiment, in S122 a first check number and the third sub-key are encrypted together with the first recipient's public key to obtain the first ciphertext of the third sub-key; the check number used to generate the first ciphertext of the first sub-key and the one used to generate the first ciphertext of the third sub-key may be the same or different, and if they differ the sender must carry each check number in the data distribution request and indicate which check number belongs to which verification sub-key ciphertext.
The following embodiments illustrate how the sender uses the first key and the second key to encrypt the data.
In one embodiment, when encrypting, the sender first encrypts the plaintext to be sent with the first key to obtain a first data ciphertext, then extracts first sub-data from predetermined portions of the first data ciphertext, replaces the original first sub-data in the first data ciphertext with second sub-data to produce a second data ciphertext, and encrypts the first sub-data with the second key to obtain a first ciphertext of the first sub-data. The way the first sub-data is extracted from the first ciphertext is unrestricted: for example, small amounts of data may be taken from the head, the middle and the end of the first ciphertext, or from its first half and its second half, as the first sub-data. The second sub-data that replaces the first sub-data at its original positions may be, for example, empty data or an arbitrary string generated by the sender. The sender only needs to agree with the first recipient on the positions from which the first sub-data is extracted; the way the second sub-data is generated need not be agreed. The sender also has to send the first ciphertext of the first sub-data to the server, and send the second data ciphertext and the first record identifier to the first recipient. After receiving the second data ciphertext and the first record identifier, the first recipient sends the first record identifier and the first recipient identifier to the server to request the first key and the first ciphertext of the first sub-data; after verifying the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively, the server combines the third and fourth sub-keys into the second key, decrypts the first ciphertext of the first sub-data with it to obtain the first sub-data, and sends the first key and the first sub-data to the first recipient encrypted with the first recipient's public key. After receiving the first key and the first sub-data, the first recipient replaces the predetermined portions of the second data ciphertext with the first sub-data to recover the first data ciphertext, and then decrypts the first data ciphertext with the first key to obtain the plaintext. In this embodiment, because the second data ciphertext obtained by the above processing of the first data ciphertext is what the first recipient receives, the ciphertext data the first recipient holds contains noise, which hinders brute-force attacks and improves the security of the data ciphertext. How much plaintext an attacker who holds only the second data ciphertext and the first key could still recover depends on the cipher mode: with a stream or counter mode only the replaced positions are lost, with CBC the replaced blocks and the blocks that follow them, so the amount and placement of the extracted data has to be chosen with the mode in mind.
In another embodiment, when encrypting the data the sender first splits the data plaintext to be sent into first data and second data, encrypts the first data with the first key to obtain the first data ciphertext, encrypts the second data with the second key to obtain the second data ciphertext, and sends the first data ciphertext and the second data ciphertext together, as the data ciphertext described above, to the first recipient along with the first record identifier. After receiving the first data ciphertext, the second data ciphertext and the first record identifier, the first recipient sends the first record identifier to the server to request the first key and the second key. After the server has verified the first recipient with the first ciphertext of the first sub-key and with the first ciphertext of the third sub-key respectively, it sends the first key and the second key to the first recipient after encrypting them with the first recipient public key. After receiving the first key and the second key, the first recipient decrypts the first data ciphertext with the first key and the second data ciphertext with the second key to obtain the first data and the second data, and then combines the first data and the second data to obtain the data plaintext. In this embodiment, the data is split into two parts that are encrypted separately and sent to the recipient, so the recipient must obtain the keys corresponding to both parts and decrypt both ciphertexts before it can obtain the target data plaintext, which improves the security of the data ciphertext.
In a further embodiment of the present invention, when encrypting the data the sender first encrypts the data plaintext to be sent with the first key to obtain the first data ciphertext, then encrypts the first data ciphertext again with the second key to obtain the second data ciphertext, and sends the second data ciphertext and the first record identifier to the first recipient. After receiving the second data ciphertext and the first record identifier, the first recipient sends the first record identifier to the server to request the first key and the second key. After the server has verified the first recipient with the first ciphertext of the first sub-key and with the first ciphertext of the third sub-key respectively, it sends the first key and the second key to the first recipient after encrypting them with the first recipient public key. After receiving the first key and the second key, the first recipient first decrypts the second data ciphertext with the second key to obtain the first data ciphertext, and then decrypts the first data ciphertext with the first key to obtain the data plaintext. In this embodiment, the data is sent to the recipient after several layers of encryption, so the recipient must obtain the keys for both layers and decrypt the data ciphertext layer by layer before it can obtain the target data plaintext, which improves the security of the data ciphertext.
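The three ways of using the first key and the second key described above, as an added example written for this page and not code from the patent. Because the patent names no cipher and the example should run on the Python standard library alone, the cipher is a constructed SHAKE-256 XOR-pad stand-in; the function `sub_positions`, the two-byte extraction width at head, middle and end, and the sample plaintext are all assumptions.

```python
import hashlib
import secrets


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the (unspecified) cipher: an XOR pad derived
    from SHAKE-256.  The patent generates fresh keys per distribution record,
    so the pad is derived from the key alone.  Encryption and decryption are
    the same operation.  Not a production cipher."""
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


# --- Embodiment 1: noise substitution at agreed positions -----------------
def sub_positions(length: int, n: int = 2) -> list:
    """Predetermined positions agreed between sender and recipient: n bytes
    each from the head, middle and end of the first data ciphertext."""
    if length < 4 * n:
        raise ValueError("ciphertext too short for three non-overlapping ranges")
    mid = length // 2
    return list(range(0, n)) + list(range(mid, mid + n)) + list(range(length - n, length))


def sender_noise_mode(key1: bytes, key2: bytes, plaintext: bytes):
    """Returns (second data ciphertext for the recipient,
                first ciphertext of the first subdata for the server)."""
    c1 = xor_stream(key1, plaintext)                      # first data ciphertext
    positions = sub_positions(len(c1))
    first_subdata = bytes(c1[i] for i in positions)        # extracted bytes
    second_subdata = secrets.token_bytes(len(positions))   # arbitrary noise
    c2 = bytearray(c1)
    for k, i in enumerate(positions):
        c2[i] = second_subdata[k]                          # overwrite in place
    return bytes(c2), xor_stream(key2, first_subdata)


def server_recover_subdata(key2: bytes, subdata_ct: bytes) -> bytes:
    """Done by the server once the recipient has passed the second verification."""
    return xor_stream(key2, subdata_ct)


def recipient_noise_mode(key1: bytes, c2: bytes, first_subdata: bytes) -> bytes:
    """Put the first subdata back at the agreed positions, then decrypt."""
    positions = sub_positions(len(c2))
    c1 = bytearray(c2)
    for k, i in enumerate(positions):
        c1[i] = first_subdata[k]
    return xor_stream(key1, bytes(c1))


# --- Embodiment 2: split the plaintext, one key per part -------------------
def sender_split_mode(key1: bytes, key2: bytes, plaintext: bytes):
    half = len(plaintext) // 2
    return xor_stream(key1, plaintext[:half]), xor_stream(key2, plaintext[half:])


def recipient_split_mode(key1: bytes, key2: bytes, c_first: bytes, c_second: bytes) -> bytes:
    return xor_stream(key1, c_first) + xor_stream(key2, c_second)


# --- Embodiment 3: two layers of encryption --------------------------------
def sender_layered_mode(key1: bytes, key2: bytes, plaintext: bytes) -> bytes:
    return xor_stream(key2, xor_stream(key1, plaintext))


def recipient_layered_mode(key1: bytes, key2: bytes, c2: bytes) -> bytes:
    return xor_stream(key1, xor_stream(key2, c2))       # peel key 2 first, then key 1
```

How much plaintext the noise of embodiment 1 actually hides depends on the cipher and mode chosen: with a stream cipher, as in this stand-in, decrypting the second data ciphertext with the first key alone corrupts only the substituted positions, whereas with a block cipher in a chaining mode the damage spreads into neighbouring blocks. In embodiment 3 the two XOR layers commute, but with a real cipher the layers must be removed in reverse order, which is why the recipient peels the second key first, as the text states.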
Fig. 3 is a schematic flow chart of one embodiment of the data forwarding method of the present invention; the data forwarding method of this embodiment is applied on the server side.
As shown in Fig. 3, the data forwarding method of this embodiment includes:
S130: when a data distribution request that includes at least a first recipient identifier, a first recipient public key, a first ciphertext of a first sub-key and a second sub-key is received from the sender, return a first record identifier to the sender;
In this embodiment, the sender distributes the first key to the server by sending a data distribution request to the server, so that the server can forward the first key to the first recipient once the first recipient has passed verification; the first key is the key used when encrypting the data that the sender sends to the first recipient. The first key that the sender sends to the server has been processed by the sender into two parts, namely the first ciphertext of the first sub-key and the second sub-key (see S111). Besides the two parts of the first key, the data distribution request that the server receives from the sender also contains the first recipient identifier and the first recipient public key: the first recipient identifier lets the server identify the first recipient, and the first recipient public key is needed by the server to encrypt data before sending it to the first recipient. After receiving the data distribution request, the server allocates a first record identifier for that request and returns it to the sender.
S131: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, store the first record identifier in association with the first ciphertext of the second sub-key, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key and the first recipient public key;
The server then processes and stores the information and data extracted from the data distribution request accordingly. After extracting the second sub-key from the request, or extracting a ciphertext of the second sub-key and decrypting it to obtain the second sub-key, the server may encrypt the second sub-key and store the result as the first ciphertext of the second sub-key, or it may split the second sub-key into several parts, encrypt each part separately and store the result as the first ciphertext of the second sub-key. The server then stores the first record identifier in association with the first ciphertext of the second sub-key, which is the part relevant to decrypting the data ciphertext, as a single data distribution record, and separately creates a forwarding record for the first recipient identifier, in which it stores the first record identifier together with the data related to the first recipient, such as the first ciphertext of the first sub-key and the first recipient public key.
S132: when a data reception request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key;
After receiving the first record identifier and the data ciphertext from the data sender, the first recipient can request the first key from the server using the first record identifier and the first recipient identifier. On receiving the data reception request, the server can send the first ciphertext of the first sub-key to the first recipient in order to verify the first recipient's identity. When the first ciphertext of the first sub-key was generated by encryption with the first recipient public key, the sender may additionally encrypt the first sub-key with a key negotiated between the sender and the server to produce a second ciphertext of the first sub-key and send it to the server; when the server authenticates the first recipient with the first ciphertext of the first sub-key, it can decrypt the second ciphertext of the first sub-key with the negotiated key to obtain the first sub-key and use it to check whether the verification data returned by the first recipient is correct. When the first ciphertext of the first sub-key was generated by encryption with a symmetric key negotiated between the sender and the first recipient, the sender may likewise encrypt the first sub-key with the key negotiated with the server to produce a second ciphertext of the first sub-key and send it to the server, or it may encrypt the symmetric key that was used to generate the first ciphertext of the first sub-key with the key negotiated with the server and send that to the server, so that the server can obtain the first sub-key, or a character string containing the first sub-key, with which to check the verification data returned by the first recipient.
S133: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key and send it to the first recipient after encrypting it with the first recipient public key.
When the first recipient passes verification, the server combines the first sub-key and the second sub-key into the first key and sends it to the first recipient after encrypting it with the first recipient public key; the first recipient can then decrypt the data ciphertext obtained from the sender with the first key obtained from the server to obtain the data plaintext.
In this embodiment, a part of the first key serves as the verification data, and that verification data is generated by the sender; the server can send the verification data directly to the recipient for verification, which reduces the management and computational load on the server during verification while ensuring the security of the first key both in transit and while stored at the server.
In one embodiment of the present invention, the first ciphertext of the first sub-key is obtained by encrypting the first sub-key with the first recipient public key; after the server has sent the first ciphertext of the first sub-key to the first recipient in S132, it can compare the first sub-key with the verification data returned by the first recipient to determine whether the first recipient returned the correct first sub-key.
In another embodiment, the data distribution request further includes a first check number, and the first ciphertext of the first sub-key is obtained by encrypting the first check number together with the first sub-key with the first recipient public key; after the server has sent the first ciphertext of the first sub-key to the first recipient in S132, it can compare the first sub-key and the first check number with the verification data returned by the first recipient to determine whether the first recipient returned data that correctly contains the first check number and the first sub-key.
Fig. 4 is the schematic flow chart of another embodiment of the data forwarding method of the present invention.
As shown in Fig. 4, the data forwarding method of this embodiment includes:
S140: when a data distribution request that includes at least a first recipient identifier, a first recipient public key, a first ciphertext of a first sub-key, a second sub-key, a first ciphertext of a third sub-key and a fourth sub-key is received from the sender, return a first record identifier to the sender;
S141: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, and encrypt the fourth sub-key to obtain a first ciphertext of the fourth sub-key;
S142: store the first record identifier in association with the first ciphertext of the second sub-key and the first ciphertext of the fourth sub-key, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key, the first ciphertext of the third sub-key and the first recipient public key;
S143: when a data reception request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key and a second verification of the first recipient using the first ciphertext of the third sub-key;
S144: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key and send it to the first recipient after encrypting it with the first recipient public key; when the first recipient passes the second verification, send the data corresponding to the second verification to the first recipient.
In this embodiment, the sender uses both a first key and a second key when encrypting the data. The first key and the second key are generated by the sender and are unknown to the first recipient. In the same way as the first key is handled, the sender also splits the second key into two parts, a third sub-key and a fourth sub-key, and generates a first ciphertext of the third sub-key from the third sub-key. The data distribution request that the server receives from the sender therefore contains the first ciphertext of the third sub-key and the fourth sub-key.
The server authenticates the first recipient using both the first ciphertext of the first sub-key and the first ciphertext of the third sub-key. When the first ciphertext of the third sub-key was generated by encryption with the first recipient public key, the sender may additionally encrypt the third sub-key with the key negotiated between the sender and the server to generate a second ciphertext of the third sub-key and send it to the server together with the data distribution request; when the first ciphertext of the third sub-key was generated by encryption with the symmetric key negotiated between the sender and the first recipient, the sender may likewise encrypt the third sub-key with the key negotiated with the server to generate a second ciphertext of the third sub-key and send it to the server, or may encrypt the symmetric key used to generate the first ciphertext of the third sub-key with the key negotiated with the server and send that to the server. The server can thereby obtain the third sub-key and use it to check the verification data that the first recipient returns after decrypting the first ciphertext of the third sub-key.
After extracting the fourth sub-key from the data distribution request, or extracting a ciphertext of the fourth sub-key and decrypting it to obtain the fourth sub-key, the server encrypts the fourth sub-key and stores the result as the first ciphertext of the fourth sub-key, or splits the fourth sub-key into several parts, encrypts each part separately and stores the result as the first ciphertext of the fourth sub-key; it then stores the first ciphertext of the second sub-key and the first ciphertext of the fourth sub-key in association with the first record identifier as a single data distribution record.
When the first recipient, having received the data ciphertext and the first record identifier from the sender, requests from the server the keys needed for decryption, the server verifies the first recipient with the first ciphertext of the first sub-key and with the first ciphertext of the third sub-key respectively. Once the verifications pass, it combines the first sub-key and the second sub-key into the first key and sends it to the first recipient after encrypting it with the first recipient public key, and it also sends the data corresponding to the second verification to the first recipient, so that the first recipient can decrypt the data ciphertext obtained from the sender to obtain the data plaintext. The form in which the server sends the data corresponding to the second verification to the first recipient depends on how the first key and the second key were used in encrypting the data; this is explained later.
In this embodiment, the first recipient needs not only the first key but also the second key, or data related to the second key, to decrypt the data ciphertext, and the server authenticates the first recipient separately for the first key and for the second key, which further improves the security of the data ciphertext and of the keys.
In this embodiment, the first ciphertext of the third sub-key may be obtained by encrypting the third sub-key with the first recipient public key; after the server has sent the first ciphertext of the third sub-key to the first recipient in S143, it can compare the third sub-key with the verification data returned by the first recipient to determine whether the first recipient returned the correct third sub-key.
In another embodiment, the data distribution request further includes a first check number, and the first ciphertext of the third sub-key is obtained by encrypting the first check number together with the third sub-key with the first recipient public key; after the server has sent the first ciphertext of the third sub-key to the first recipient in S142, it can compare the third sub-key and the first check number with the verification data returned by the first recipient to determine whether the first recipient returned data that correctly contains the first check number and the third sub-key.
Fig. 5 is the schematic flow chart of one embodiment of the data forwarding method of the present invention.
As shown in Fig. 5, the data forwarding method of this embodiment includes:
S150: when a data distribution request that includes at least a first recipient identifier, a first recipient public key, a first ciphertext of a first sub-key, a second sub-key, a first ciphertext of a third sub-key, a fourth sub-key and a first ciphertext of first subdata is received from the sender, return a first record identifier to the sender;
S151: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, and encrypt the fourth sub-key to obtain a first ciphertext of the fourth sub-key;
S152: store the first record identifier in association with the first ciphertext of the second sub-key, the first ciphertext of the fourth sub-key and the first ciphertext of the first subdata, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key, the first ciphertext of the third sub-key and the first recipient public key;
S153: when a data reception request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key and a second verification of the first recipient using the first ciphertext of the third sub-key;
S154: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key and send it to the first recipient after encrypting it with the first recipient public key;
S155: when the first recipient passes the second verification, combine the third sub-key and the fourth sub-key into the second key, decrypt the first ciphertext of the first subdata with the second key to obtain the first subdata, encrypt the first subdata with the first recipient public key to obtain a second ciphertext of the first subdata, and send it to the first recipient.
In this embodiment, when encrypting the data the sender first encrypts the data plaintext to be sent with the first key to obtain the first data ciphertext, then extracts first subdata from predetermined positions in the first data ciphertext, replaces the first subdata at its original positions in the first data ciphertext with second subdata to generate the second data ciphertext, and encrypts the first subdata with the second key to obtain the first ciphertext of the first subdata. The server can also extract the first ciphertext of the first subdata from the sender's data distribution request, and it stores the first ciphertext of the first subdata, the first ciphertext of the second sub-key and the first ciphertext of the fourth sub-key in association with the first record identifier as a single data distribution record.
What the first recipient receives from the sender is the second data ciphertext and the first record identifier, and it sends the first record identifier to the server to request the first key and the first ciphertext of the first subdata. After the server has verified the first recipient with the first ciphertext of the first sub-key and with the first ciphertext of the third sub-key respectively, it combines the third sub-key and the fourth sub-key into the second key, decrypts the first ciphertext of the first subdata with the second key to obtain the first subdata, and sends the first key and the first subdata to the first recipient after encrypting them with the first recipient public key. After receiving the first key and the first subdata, the first recipient replaces the predetermined positions in the second data ciphertext with the first subdata to obtain the first data ciphertext, and then decrypts the first data ciphertext with the first key to obtain the data plaintext.
In this embodiment, the second data ciphertext obtained by processing the first data ciphertext is sent to the first recipient, while the ciphertext of the first subdata, which is necessary for decrypting the second data ciphertext, is stored at the server. The ciphertext data obtained by the first recipient therefore contains noise, and the first recipient must obtain the first subdata from the server before it can decrypt the data ciphertext; this effectively prevents brute-force cracking and improves the security of the data ciphertext.
In some embodiments of the present invention, the first recipient must hold both the first key and the second key to decrypt the data ciphertext obtained from the sender. In that case, when the first recipient passes the second verification by the server, the server, in addition to sending the first key to the first recipient encrypted with the first recipient public key, can also combine the third sub-key and the fourth sub-key into the second key and send it to the first recipient encrypted with the first recipient public key. By requiring the recipient to obtain two keys and decrypt the ciphertext with both before it can obtain the data plaintext, this embodiment improves the security of the data ciphertext.
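The server-side flow of Figs. 3 to 5 (S150 to S155; the single-key flow of Fig. 3 is the special case in which only the first verification is used) together with the recipient's half of the exchange, as an added example that is not the patent's code. Every encryption in it is a constructed SHAKE-256 XOR-pad stand-in under a random nonce: it plays the role of encryption with the first recipient public key (with the public and private key being the same secret here; a deployment would use RSA-OAEP or an ECIES-style hybrid scheme), of the key negotiated between sender and server (the variant in which the sender also sends second ciphertexts of the first and third sub-keys to the server), and of the server's storage key for the second and fourth sub-keys. The names `Server` and `sender_build_request`, the 32-byte keys split into two 16-byte sub-keys, the 16-byte nonce and all sample values are assumptions; the data ciphertext itself is taken as given, and the first ciphertext of the first subdata is whatever the sender produced with the second key.

```python
import hashlib
import hmac
import secrets


def seal(key: bytes, msg: bytes) -> bytes:
    """Constructed stand-in for every encryption in this example (to the
    recipient's public key, under the sender-server key, under the server's
    storage key): a SHAKE-256 XOR pad under a fresh 16-byte nonce.  Not a
    production cipher."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, pad))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def sender_build_request(k_sender_server, recipient_id, recipient_pub,
                         key1, key2, first_subdata_ct, check):
    """Sender: split each 32-byte key into two 16-byte sub-keys; seal
    check||sub-key 1 and check||sub-key 3 to the recipient (their first
    ciphertexts) and to the server (their second ciphertexts, which the server
    uses to check the recipient's answers); sub-keys 2 and 4 go to the server as-is."""
    sub1, sub2, sub3, sub4 = key1[:16], key1[16:], key2[:16], key2[16:]
    return {"recipient_id": recipient_id, "recipient_pub": recipient_pub,
            "sub1_ct1": seal(recipient_pub, check + sub1),
            "sub3_ct1": seal(recipient_pub, check + sub3),
            "sub1_ct2": seal(k_sender_server, check + sub1),
            "sub3_ct2": seal(k_sender_server, check + sub3),
            "sub2": sub2, "sub4": sub4, "subdata_ct": first_subdata_ct}


class Server:
    def __init__(self, k_sender_server: bytes):
        self.k_ss = k_sender_server
        self.k_store = secrets.token_bytes(32)   # sub-keys 2 and 4 are encrypted at rest
        self.distribution = {}                   # record id -> data distribution record
        self.forwarding = {}                     # (recipient id, record id) -> forwarding record

    def receive_distribution(self, req) -> str:
        """S150-S152: allocate the first record identifier and file both records."""
        record_id = secrets.token_hex(8)
        self.distribution[record_id] = {"sub2_ct": seal(self.k_store, req["sub2"]),
                                        "sub4_ct": seal(self.k_store, req["sub4"]),
                                        "subdata_ct": req["subdata_ct"]}
        self.forwarding[(req["recipient_id"], record_id)] = {
            k: req[k] for k in ("recipient_pub", "sub1_ct1", "sub3_ct1", "sub1_ct2", "sub3_ct2")}
        return record_id

    def begin_reception(self, recipient_id, record_id):
        """S153: hand the two challenges to a recipient that presents a known
        (recipient identifier, record identifier) pair; KeyError otherwise."""
        fwd = self.forwarding[(recipient_id, record_id)]
        return fwd["sub1_ct1"], fwd["sub3_ct1"]

    def complete_reception(self, recipient_id, record_id, answer1, answer2):
        """S154/S155: one attempt per forwarding record.  Key 1 is released if the
        first verification passes and the first subdata if the second passes,
        each sealed to the recipient's public key."""
        fwd = self.forwarding.pop((recipient_id, record_id))
        expected1 = unseal(self.k_ss, fwd["sub1_ct2"])
        expected2 = unseal(self.k_ss, fwd["sub3_ct2"])
        ok1 = hmac.compare_digest(answer1, expected1)   # constant-time comparison
        ok2 = hmac.compare_digest(answer2, expected2)
        rec = self.distribution[record_id]
        key1_blob = subdata_blob = None
        if ok1:
            key1 = expected1[-16:] + unseal(self.k_store, rec["sub2_ct"])
            key1_blob = seal(fwd["recipient_pub"], key1)
        if ok2:
            key2 = expected2[-16:] + unseal(self.k_store, rec["sub4_ct"])
            subdata_blob = seal(fwd["recipient_pub"], unseal(key2, rec["subdata_ct"]))
        if ok1 and ok2:
            del self.distribution[record_id]
        return key1_blob, subdata_blob


def recipient_answer(recipient_priv: bytes, challenge: bytes) -> bytes:
    """S161/S173: decrypt the challenge and return the result as verification data."""
    return unseal(recipient_priv, challenge)


def demo():
    """Constructed end-to-end run with sample values."""
    k_ss, priv = secrets.token_bytes(32), secrets.token_bytes(32)
    pub = priv                                   # stand-in key pair, see seal()
    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)
    first_subdata, check = b"\x5a\xa5\x10\x20\x30\x40", b"\x00\x01\x02\x03"
    req = sender_build_request(k_ss, "recipient-A", pub, key1, key2,
                               seal(key2, first_subdata), check)
    server = Server(k_ss)
    record_id = server.receive_distribution(req)
    ch1, ch2 = server.begin_reception("recipient-A", record_id)
    key1_blob, sub_blob = server.complete_reception(
        "recipient-A", record_id, recipient_answer(priv, ch1), recipient_answer(priv, ch2))
    return {"key1_ok": unseal(priv, key1_blob) == key1,
            "subdata_ok": unseal(priv, sub_blob) == first_subdata}
```

Two points the text leaves to the implementer are made explicit here: the forwarding record is consumed on the first answer, so a challenge cannot be retried or replayed indefinitely, and the answers are compared with a constant-time comparison. The server never sees the first key assembled except transiently inside `complete_reception`, and only the sealed sub-keys 2 and 4 are kept at rest, which is the property the patent's split is meant to give.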
Fig. 6 is a schematic flow chart of one embodiment of the data forwarding method of the present invention; the data forwarding method of this embodiment is applied at the recipient client.
As shown in Fig. 6, the data forwarding method of this embodiment includes:
S160: when a data ciphertext and a first record identifier are received from the data sender, send to the server a data reception request that includes a first recipient identifier and the first record identifier;
The data ciphertext that the first recipient receives from the data sender was generated by the sender using at least one key in the course of encrypting the data plaintext, and the data sender has sent the data needed to decrypt the data ciphertext, together with the first recipient identifier, to the server, which stores these data and information and assigns them a corresponding first record identifier. The first recipient can therefore use the first recipient identifier and the first record identifier to request from the server the data needed to decrypt the data ciphertext.
S161: when a first ciphertext of a first sub-key, used for performing a first verification of the first recipient, is received from the server, decrypt the first ciphertext of the first sub-key with the first recipient private key and send the first decryption result to the server;
When the server receives the data reception request from the first recipient, it can send the first ciphertext of the first sub-key to the first recipient in order to verify the first recipient's identity. When the first ciphertext of the first sub-key was generated by encryption with the first recipient public key, the first recipient can decrypt it with the first recipient private key to obtain the first decryption result and return it to the server. When the first ciphertext of the first sub-key was generated by encryption with the symmetric key negotiated between the sender and the first recipient, the first recipient can decrypt it with the negotiated symmetric key to obtain the first decryption result and return it to the server. The server can use the first sub-key, or a character string containing the first sub-key, obtained from the sender's data distribution request to check whether the first decryption result returned by the first recipient is correct.
S162: if the first verification passes, obtain from the server the first key that the server generated by combining the first sub-key and the second sub-key, and use the first key when decrypting the data ciphertext.
When the server confirms that the first recipient has passed verification, it combines the first sub-key and the second sub-key obtained from the sender's data distribution request into the first key and sends it to the first recipient after encrypting it with the first recipient public key. The first recipient can then decrypt the data ciphertext obtained from the sender with the first key obtained from the server to obtain the data plaintext.
In this embodiment, a part of the first key serves as the verification data, and that verification data is generated by the sender; the server can send the verification data directly to the recipient for verification, which reduces the management and computational load on the server during verification while ensuring the security of the first key both in transit and while stored at the server.
In one embodiment of the present invention, the first ciphertext of the first sub-key is generated by encrypting the first sub-key with the first recipient public key, and the first decryption result that the first recipient obtains by decrypting the first ciphertext of the first sub-key is the first sub-key.
In another embodiment, the first ciphertext of the first sub-key is generated by encrypting the first check number together with the first sub-key with the first recipient public key, and the first decryption result that the first recipient obtains by decrypting the first ciphertext of the first sub-key is a character string containing the first check number and the first sub-key.
Fig. 7 is the schematic flow chart of another embodiment of the data forwarding method of the present invention.
As shown in Fig. 7, the data forwarding method of this embodiment includes:
S170: when a data ciphertext and a first record identifier are received from the data sender, send to the server a data reception request that includes a first recipient identifier and the first record identifier;
S171: when a first ciphertext of a first sub-key, used for performing a first verification of the first recipient, is received from the server, decrypt the first ciphertext of the first sub-key with the first recipient private key and send the first decryption result to the server;
S172: if the first verification passes, obtain from the server the first key that the server generated by combining the first sub-key and the second sub-key, and use the first key when decrypting the data ciphertext;
S173: when a first ciphertext of a third sub-key, used for performing a second verification of the first recipient, is received from the server, decrypt the first ciphertext of the third sub-key with the first recipient private key and send the second decryption result to the server;
S174: if the second verification passes, obtain from the server the data corresponding to the second verification, for use when decrypting the data ciphertext.
It should be noted that S171 and S173 are not limited to being performed one after the other; they may also be performed in parallel.
In this embodiment, the sender uses both a first key and a second key when encrypting the data. The first key and the second key are generated by the sender and are unknown to the first recipient. As with the first key, the second key is also split into two parts, a third sub-key and a fourth sub-key, and the sender generates the first ciphertext of the first sub-key and the first ciphertext of the third sub-key from the first sub-key and the third sub-key by encrypting them with the first recipient public key.
When the first recipient, having received the data ciphertext and the first record identifier from the sender, requests from the server the keys needed for decryption, the server performs the first verification and the second verification of the first recipient using the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively. The way the server checks the second decryption result is similar to the way it checks the first decryption result; reference may be made to the previous embodiments, and the description is not repeated here. After both the first verification and the second verification pass, the server combines the first sub-key and the second sub-key into the first key and sends it to the first recipient after encrypting it with the first recipient public key, and also sends the data corresponding to the second verification to the first recipient, so that the first recipient can decrypt the data ciphertext obtained from the sender to obtain the data plaintext. The form in which the server sends the data corresponding to the second verification to the first recipient depends on how the first key and the second key were used in encrypting the data.
In this embodiment, the first recipient needs not only the first key but also the second key, or data related to the second key, to decrypt the data ciphertext, and the server authenticates the first recipient separately for the first key and for the second key, which further improves the security of the data ciphertext and of the keys.
In one embodiment of the present invention, the first ciphertext of the third sub-key is generated by encrypting the third sub-key with the first recipient public key, and the second decryption result that the first recipient obtains by decrypting the first ciphertext of the third sub-key is the third sub-key.
In another embodiment, the first ciphertext of the third sub-key is generated by encrypting the first check number together with the third sub-key with the first recipient public key, and the second decryption result that the first recipient obtains by decrypting the first ciphertext of the third sub-key is a character string containing the first check number and the first sub-key.
In one embodiment of the present invention, when encrypting the data the sender first encrypts the data plaintext to be sent with the first key to obtain the first data ciphertext, then extracts first subdata from predetermined positions in the first data ciphertext, replaces the first subdata at its original positions in the first data ciphertext with second subdata to generate the second data ciphertext, and encrypts the first subdata with the second key to obtain the first ciphertext of the first subdata. What the first recipient receives from the sender is the second data ciphertext and the first record identifier, and it sends the first record identifier to the server to request the first key and the first ciphertext of the first subdata. After the server has verified the first recipient with the first ciphertext of the first sub-key and with the first ciphertext of the third sub-key respectively, it combines the third sub-key and the fourth sub-key into the second key, decrypts the first ciphertext of the first subdata with the second key to obtain the first subdata, and sends the first key and the first subdata to the first recipient after encrypting them with the first recipient public key. After receiving the first key and the first subdata, the first recipient replaces the predetermined positions in the second data ciphertext with the first subdata to obtain the first data ciphertext, and then decrypts the first data ciphertext with the first key to obtain the data plaintext. In this embodiment, the second data ciphertext obtained by applying the above processing to the first data ciphertext is sent to the first recipient, while the ciphertext of the first subdata, which is necessary for decrypting the second data ciphertext, is stored at the server; the ciphertext data obtained by the first recipient therefore contains noise, and the first recipient must obtain the first subdata from the server before it can decrypt the data ciphertext, which effectively prevents brute-force cracking and improves the security of the data ciphertext.
In some embodiments of the present invention, the first recipient must hold both the first key and the second key at the same time in order to decrypt the data ciphertext obtained from the sender. In that case, when the first recipient passes the second verification by the server-side, the server-side not only sends the first key, encrypted with the first recipient's public key, to the first recipient, but also combines the third sub-key and the fourth sub-key into the second key and sends it to the first recipient after encrypting it with the first recipient's public key. The embodiments of the present invention improve the security of the data ciphertext by requiring the recipient to obtain two separate keys and to decrypt the ciphertext with both before the data plaintext is obtained.
Fig. 8 is a schematic flow chart of one embodiment of the data forwarding method of the present invention; the data forwarding method of this embodiment is applied to the sender's client.
As shown in Fig. 8, the data forwarding method of the embodiment of the present invention includes:
S510, obtaining the data ciphertext and the first record identification, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext;
S511, sending to the server-side a data forwarding request including the M recipient identification, the first record identification and the N recipient identification, so as to request the server-side, based on the M forwarding record including the M recipient identification and the first record identification, to store the first record identification in association with the N recipient identification as the N forwarding record, where N and M are positive integers and N is not equal to M;
S512, sending the data ciphertext and the first record identification to the N recipient.
In the embodiment of the present invention, the M recipient is any recipient that has obtained the data ciphertext and the first record identification from the aforementioned data sender; when the M recipient needs to forward the data to the N recipient, it acts as the sender with respect to the N recipient. The first record identification is the record identification that the server-side allocated to the data distribution request when the data sender sent the initial data distribution request to the server-side. The server-side stored the first key required to decrypt the data ciphertext carried in the initial data distribution request in association with the first record identification as an individual data distribution record, and, in response to the data sender's request, also stored the first record identification in association with the M recipient identification as the M forwarding record for the M recipient.
After obtaining the data ciphertext and the first record identification from the data sender, the M recipient can send to the server-side a data forwarding request including the M recipient identification, the first record identification and the N recipient identification. On receiving this data forwarding request, the server-side first looks up, according to the M recipient identification and the first record identification, whether an M forwarding record exists; if so, it stores the first record identification in association with the N recipient identification as the N forwarding record for the N recipient.
Since the M recipient is a recipient to which the server-side forwards the key data for the first time, while the N recipient is a recipient to which the server-side forwards the key data a second or later time, the data forwarding request that the M recipient sends to the server-side in this embodiment is also referred to as a data re-forwarding request.
After receiving the data ciphertext and the first record identification from the M recipient, the N recipient can send to the server-side a data acquisition request including the first record identification and the N recipient identification; in response to the data acquisition request, the server-side forwards the key data or related data to the N recipient.
Through the embodiment of the present invention, after the data sender has sent a data ciphertext and the first record identification to the M recipient, if the M recipient needs to forward the same data to any other recipient, it can, by sending a data re-forwarding request to the server-side, ask the server-side to forward the key data or related data already stored at the server-side to that other recipient, so that re-forwarding can be carried out quickly without the forwarded data having to be re-encrypted.
In one embodiment of the present invention, the data re-forwarding request sent by the M recipient to the server-side may also include N verification data for verifying the N recipient; the N verification data may include data such as the N recipient's public key. Before forwarding the key data or related data to the N recipient in response to the N recipient's data acquisition request, the server-side may verify the N recipient with the N verification data. For example, the server-side may generate a random number, encrypt it with the N recipient's public key and send it to the N recipient, and verify the identity of the N recipient by checking whether the data returned by the N recipient is that random number. Through the embodiment of the present invention, when the M recipient sends data re-forwarding requests to the server-side for different data recipients, it can provide the server-side with corresponding verification data for each, so the verification is targeted and data security is improved.
In one embodiment of the present invention, the N verification data sent by the M recipient to the server-side in the data re-forwarding request may include the N recipient's public key, an N check number and a first key N ciphertext, where the first key N ciphertext is generated by encrypting the N check number and the first key with the N recipient's public key. In another embodiment, the N verification data sent by the M recipient to the server-side in the data re-forwarding request may include the N recipient's public key, the N check number and a second key N ciphertext, where the second key N ciphertext is generated by encrypting, with the N recipient's public key, the N check number and the second key required when the data ciphertext is decrypted. In some embodiments of the present invention, the N verification data sent by the M recipient to the server-side in the data re-forwarding request may include the N recipient's public key, the N check number, the above first key N ciphertext and the above second key N ciphertext.
Since the server-side already stored the first key and/or the second key when it received the initial data distribution request, it can verify the verification data returned by the N recipient using the N check number together with the first key and/or the second key.
In addition, in the embodiment of the present invention, the first key or the second key may also be split into two sub-keys, one of which is stored at the server-side together with the first record identification, while the other is used to generate a sub-key ciphertext for verifying the N recipient, which is stored at the server-side in the N forwarding record.
In the embodiment of the present invention, when generating the first key N ciphertext or second key N ciphertext, or the N ciphertext of a sub-key split from the first key or the second key, the M recipient may use the first key and/or the second key or the respective sub-keys stored at the M recipient's client, or may obtain the first key and/or the second key or the respective sub-keys returned by the server-side by sending a key acquisition request to the server-side.
In some embodiments of the present invention, the server-side has pre-stored the first record identification, the first key, the second key and the first subdata first ciphertext; the second key is used to decrypt the first subdata first ciphertext to obtain the first subdata, and the first subdata is used to replace the predetermined portion of the data ciphertext so as to obtain another data ciphertext that can be decrypted with the first key. After the N recipient has passed the verification by the server-side, the server-side returns the first key and the first subdata to the N recipient.
In other embodiments of the present invention, the data ciphertext includes a first data ciphertext and a second data ciphertext that are decrypted with the first key and the second key respectively. After the N recipient has passed the verification by the server-side, the server-side returns the first key and the second key to the N recipient.
Fig. 9 is a schematic flow chart of one embodiment of the data forwarding method of the present invention; the data forwarding method of this embodiment is applied to the server-side.
As shown in Fig. 9, the data forwarding method of the embodiment of the present invention includes:
S520, when a data forwarding request including the M recipient identification, the first record identification and the N recipient identification is received from the M recipient, storing, based on the M forwarding record including the M recipient identification and the first record identification, the first record identification in association with the N recipient identification as the N forwarding record, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext, and N and M are positive integers with N not equal to M;
S521, when a data receiving request including the N recipient identification and the first record identification is received from the N recipient, sending the first key to the N recipient based on the N forwarding record.
The data forwarding method applied to the server-side in this embodiment corresponds to the data distribution method applied to the sender's client in the embodiment shown in Fig. 8; for its implementation, reference may be made to the explanation of the embodiment shown in Fig. 8 and of the other embodiments above, and it is not described in detail here.
Fig. 10 is a schematic flow chart of one embodiment of the data forwarding method of the present invention; the data forwarding method of this embodiment is applied to the recipient's client.
As shown in Fig. 10, the data forwarding method of the embodiment of the present invention includes:
S530, when the data ciphertext and the first record identification are received from the M recipient, sending to the server-side a data receiving request including the first record identification and the N recipient identification, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext, and N is a positive integer;
S530, obtaining from the server-side the first key returned by the server-side based on the N forwarding record including the first record identification and the N recipient identification, and using the first key to decrypt the data ciphertext.
The data forwarding method applied to the recipient's client in this embodiment corresponds to the data distribution method applied to the sender's client in the embodiment shown in Fig. 8; for its implementation, reference may be made to the explanation of the embodiment shown in Fig. 8 and of the other embodiments above, and it is not described in detail here.
In any of the above embodiments of the present invention, when the server-side receives the information and data that the sender sends with a data distribution request, it may store this information and data indexed by the first recipient identification contained therein, in association with the allocated first record identification. When the sender wishes to revoke the related data that it asked the server-side to forward to the first recipient, the sender may send to the server-side a data distribution revocation request including the first record identification and the first recipient identification, asking the server-side to delete the first recipient identification and the information stored in association with it. When the server-side receives the data distribution revocation request including the first record identification and the first recipient identification that the sender sends for the first recipient, it may delete the individual forwarding record containing the first recipient identification and the information stored in association with it. After the first recipient identification and its associated information have been deleted at the server-side, when the first recipient sends the server-side a data receiving request including the first recipient identification, the server-side will not find any forwarding record related to the first recipient identification and therefore will not return decryption data such as the first key to the first recipient in response to the receiving request; in this way the sender can promptly revoke data that has already been distributed. Meanwhile, deleting the individual forwarding record containing the first recipient identification and its associated information does not affect the individual data distribution record containing the first record identification, the second sub-key ciphertext and so on. If the sender needs to restore the data distribution to the first recipient, it can send the server-side a data redistribution request including information such as the first recipient identification, the first sub-key first ciphertext, the first recipient's public key and the data; the server-side can again store this information and data as an individual forwarding record, so that the first recipient can obtain the data needed for decryption from the server-side.
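The ciphertext-with-noise scheme, the split of the second key into a third and a fourth sub-key, the M/N forwarding records and the revocation described above, as an added example that is not part of the patent: AES is replaced by an HMAC-SHA256 keystream so it needs only the Python standard library, the public-key wrapping of keys and check numbers is omitted, and the second verification is modelled as the recipient presenting the third sub-key it would have recovered with its private key. The 8-byte predetermined portion, the record-id format and all names are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
SUB_OFFSET, SUB_LEN = NONCE_LEN, 8  # predetermined portion: first 8 bytes of the ciphertext body (assumption)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR so the example needs only the standard library
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body)))

def split_key(key: bytes):
    # second key = third sub-key XOR fourth sub-key; either half alone is a uniformly random string
    third = secrets.token_bytes(len(key))
    return third, _xor(key, third)

def combine_key(third: bytes, fourth: bytes) -> bytes:
    return _xor(third, fourth)

def sender_prepare(data: bytes, first_key: bytes, second_key: bytes):
    # Sender: first data ciphertext -> second data ciphertext (with noise) + first subdata first ciphertext
    if len(data) < SUB_LEN:
        raise ValueError("data shorter than the predetermined portion")
    first_data_ct = encrypt(first_key, data)
    first_subdata = first_data_ct[SUB_OFFSET:SUB_OFFSET + SUB_LEN]
    second_subdata = secrets.token_bytes(SUB_LEN)  # noise written over the predetermined portion
    second_data_ct = first_data_ct[:SUB_OFFSET] + second_subdata + first_data_ct[SUB_OFFSET + SUB_LEN:]
    first_subdata_ct = encrypt(second_key, first_subdata)  # kept at the server, never sent with the data
    return second_data_ct, first_subdata_ct

def recipient_decrypt(second_data_ct: bytes, first_key: bytes, first_subdata: bytes) -> bytes:
    # Recipient: restore the predetermined portion, then decrypt with the first key
    first_data_ct = second_data_ct[:SUB_OFFSET] + first_subdata + second_data_ct[SUB_OFFSET + SUB_LEN:]
    return decrypt(first_key, first_data_ct)

class Server:
    # Individual data distribution records plus one forwarding record per (record id, recipient)
    def __init__(self):
        self.distributions = {}  # first record id -> (first key, fourth sub-key, first subdata first ciphertext)
        self.forwardings = {}    # (first record id, recipient id) -> third sub-key that recipient must present

    def distribute(self, first_key, fourth, first_subdata_ct, first_recipient, third):
        record_id = secrets.token_hex(8)  # the first record identification (format is an assumption)
        self.distributions[record_id] = (first_key, fourth, first_subdata_ct)
        self.forwardings[(record_id, first_recipient)] = third
        return record_id

    def forward(self, record_id, m_recipient, n_recipient, n_third):
        # an N forwarding record is created only for a requester that already holds an M forwarding record
        if (record_id, m_recipient) not in self.forwardings:
            raise PermissionError("no M forwarding record for this requester")
        self.forwardings[(record_id, n_recipient)] = n_third

    def revoke(self, record_id, recipient):
        # removes the forwarding record only; the distribution record (fourth sub-key etc.) is kept
        self.forwardings.pop((record_id, recipient), None)

    def fetch(self, record_id, recipient, presented_third):
        # Second verification: the recipient must present the third sub-key stored in its forwarding record;
        # on success the server recombines the second key and releases the first key and the first subdata
        expected = self.forwardings.get((record_id, recipient))
        if expected is None or not hmac.compare_digest(expected, presented_third):
            return None
        first_key, fourth, first_subdata_ct = self.distributions[record_id]
        second_key = combine_key(presented_third, fourth)
        return first_key, decrypt(second_key, first_subdata_ct)

def run_scenario(data: bytes):
    # Distribute to M, M re-forwards to N, the sender revokes N; returns what each step recovered
    first_key, second_key = secrets.token_bytes(32), secrets.token_bytes(32)
    second_data_ct, first_subdata_ct = sender_prepare(data, first_key, second_key)
    third, fourth = split_key(second_key)
    server = Server()
    record_id = server.distribute(first_key, fourth, first_subdata_ct, "M", third)
    noisy = decrypt(first_key, second_data_ct)  # first key alone yields garbage in the predetermined portion
    plaintext_m = recipient_decrypt(second_data_ct, *server.fetch(record_id, "M", third))
    server.forward(record_id, "M", "N", third)  # M's data re-forwarding request carrying N verification data
    plaintext_n = recipient_decrypt(second_data_ct, *server.fetch(record_id, "N", third))
    server.revoke(record_id, "N")
    after_revoke = server.fetch(record_id, "N", third)  # None: no N forwarding record any more
    return noisy, plaintext_m, plaintext_n, after_revoke
```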
The embodiment of the present invention further provides a data distribution/forwarding device, which can be realized by a terminal device including a processor and a memory; the processor can be configured to run predetermined computer instructions stored in the memory so as to perform the data distribution/forwarding method applied to the sender's client in any of the above embodiments.
The embodiment of the present invention further provides a data forwarding device, which can be realized by a terminal device that includes a processor and a memory and acts as a server; the processor can be configured to run predetermined computer instructions stored in the memory so as to perform the data forwarding method applied to the server-side in any of the above embodiments.
The embodiment of the present invention further provides a data forwarding device, which can be realized by a terminal device including a processor and a memory; the processor can be configured to run predetermined computer instructions stored in the memory so as to perform the data forwarding method applied to the recipient's client in any of the above embodiments.
Since it is impossible to list all embodiments exhaustively in this application, or to list every way of combining the technical features, the present invention is not limited to the specific embodiments provided. On the basis of the embodiments disclosed herein, those skilled in the art are fully able to make various variations and modifications to these embodiments without departing from the spirit and design of the invention, and the embodiments resulting from such variations and modifications should all fall within the scope claimed by this application.
Claims (23)
1. A data forwarding method, applied to a sender's client, including:
obtaining a data ciphertext and a first record identification, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext;
sending to the server-side a data forwarding request including an M recipient identification, the first record identification and an N recipient identification, so as to request the server-side, based on an M forwarding record including the M recipient identification and the first record identification, to store the first record identification in association with the N recipient identification as an N forwarding record, where N and M are positive integers and N is not equal to M;
sending the data ciphertext and the first record identification to the N recipient.
2. The method of claim 1, wherein the data forwarding request further includes N verification data for verifying the N recipient, the N verification data including at least the N recipient's public key.
3. The method of claim 2, wherein the N verification data further includes an N check number and a first key N ciphertext, the first key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
4. The method of claim 3, wherein the N verification data further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required when the data ciphertext is decrypted.
5. The method of claim 4, wherein the first record identification is further used by the server-side for associated storage with a first subdata first ciphertext, the second key is used to decrypt the first subdata first ciphertext to obtain a first subdata, and the first subdata is used to replace a predetermined portion of the data ciphertext so as to obtain another data ciphertext that can be decrypted with the first key.
6. The method of claim 4, wherein the data ciphertext includes a first data ciphertext and a second data ciphertext that are decrypted with the first key and the second key respectively.
7. The method of any one of claims 1-6, further including:
sending to the server-side a revocation request including the first record identification and the N recipient identification, so that the server-side deletes the N forwarding record.
8. A data forwarding device, including a processor, characterized in that the processor runs predetermined computer instructions to perform the data forwarding method of any one of claims 1-7.
9. A data forwarding method, applied to a server-side, including:
when a data forwarding request including an M recipient identification, a first record identification and an N recipient identification is received from an M recipient, storing, based on an M forwarding record including the M recipient identification and the first record identification, the first record identification in association with the N recipient identification as an N forwarding record, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext, and N and M are positive integers with N not equal to M;
when a data receiving request including the N recipient identification and the first record identification is received from the N recipient, sending the first key to the N recipient based on the N forwarding record.
10. The method of claim 9, wherein the data forwarding request further includes N verification data for verifying the N recipient, the N verification data including at least the N recipient's public key,
and the method further includes: storing the N verification data in the N forwarding record;
when the data receiving request is received from the N recipient, verifying the N recipient with the N verification data, and sending the first key to the N recipient after the N recipient has passed the verification.
11. The method of claim 10, wherein the N verification data further includes an N check number and a first key N ciphertext, the first key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
12. The method of claim 11, wherein the N verification data further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required when the data ciphertext is decrypted.
13. The method of claim 12, wherein the first record identification is further used by the server-side for associated storage with a first subdata first ciphertext,
and the method further includes:
after the N recipient has passed the verification, decrypting the first subdata first ciphertext with the second key to obtain a first subdata and sending it to the N recipient,
wherein the first subdata is used to replace a predetermined portion of the data ciphertext so as to obtain another data ciphertext that can be decrypted with the first key.
14. The method of claim 12, further including:
after the N recipient has passed the verification, sending the second key to the N recipient.
15. The method of any one of claims 9-14, further including:
when a data forwarding revocation request including the first record identification and the N recipient identification is received, deleting the N forwarding record.
16. A data forwarding device, including a processor, characterized in that the processor runs predetermined computer instructions to perform the data forwarding method of any one of claims 9-15.
17. A data forwarding method, applied to a recipient's client, including:
when a data ciphertext and a first record identification are received from an M recipient, sending to the server-side a data receiving request including the first record identification and an N recipient identification, wherein the first record identification is generated by the server-side and is used by the server-side for associated storage with the first key required to decrypt the data ciphertext, and N is a positive integer;
obtaining from the server-side the first key returned by the server-side based on an N forwarding record including the first record identification and the N recipient identification, and using the first key to decrypt the data ciphertext.
18. The method of claim 17, further including:
when an N verification data ciphertext for verifying the N recipient is received from the server-side, decrypting the N verification data ciphertext with the N recipient's private key and sending the decryption result to the server-side.
19. The method of claim 18, wherein the N verification data ciphertext includes a first key N ciphertext, the first key N ciphertext being generated by encrypting an N check number and the first key with the N recipient's public key.
20. The method of claim 19, wherein the N verification data ciphertext further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required when the data ciphertext is decrypted.
21. The method of claim 20, further including:
after the decryption result has been verified by the server-side, obtaining a first subdata from the server-side, replacing a predetermined portion of the data ciphertext with the first subdata to obtain another data ciphertext, and decrypting the other data ciphertext with the first key to obtain the data plaintext.
22. The method of claim 20, further including:
after the decryption result has been verified by the server-side, obtaining the second key from the server-side and using the second key when decrypting the data ciphertext.
23. A data forwarding device, including a processor, characterized in that the processor runs predetermined computer instructions to perform the data forwarding method of any one of claims 17-22.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810096484.2A CN108200085B (en) | 2018-01-31 | 2018-01-31 | A kind of data distribution, retransmission method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108200085A true CN108200085A (en) | 2018-06-22 |
CN108200085B CN108200085B (en) | 2019-03-08 |
Family
ID=62591661
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810096484.2A Active CN108200085B (en) | 2018-01-31 | 2018-01-31 | A kind of data distribution, retransmission method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108200085B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109448192A (en) * | 2018-11-13 | 2019-03-08 | 公安部第三研究所 | Safe and intelligent lock system based on encryption chip |
CN109981591A (en) * | 2019-02-28 | 2019-07-05 | 矩阵元技术(深圳)有限公司 | Single client generates key management method, the electronic equipment of private key |
CN110166425A (en) * | 2019-04-09 | 2019-08-23 | 北京奇艺世纪科技有限公司 | Data processing method, device, system and computer readable storage medium |
CN110177073A (en) * | 2019-04-09 | 2019-08-27 | 北京奇艺世纪科技有限公司 | Data processing method, device, system and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |
CP01 | Change in the name or title of a patent holder | | Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing. Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing. Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |