CN108200085B - Data distribution and forwarding method and device - Google Patents
Publication number: CN108200085B (application CN201810096484.2A, published as CN201810096484A)
Authority: CN (China)
Prior art keywords: key, data, recipient, ciphertext, server
Legal status: Active
Classifications (CPC)
- H04L63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords
- H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Abstract
The invention discloses a data forwarding method comprising: obtaining a data ciphertext and a first record identification, where the first record identification is generated by the server and is stored at the server in association with the first key needed to decrypt the data ciphertext; sending the server a data forwarding request that carries the M recipient identification, the first record identification and the N recipient identification, so that the server, on the basis of the M forwarding record that contains the M recipient identification and the first record identification, stores the first record identification in association with the N recipient identification as the N forwarding record, N and M being positive integers with N not equal to M; and sending the data ciphertext and the first record identification to the N recipient. The invention also discloses the corresponding server-side and recipient-side data forwarding methods and data distribution/forwarding devices. The distribution/forwarding scheme of the invention improves the security of data in transit while making forwarding more convenient for the user.
Description
Technical field
The present invention relates to the field of information security, and in particular to a data distribution and forwarding method and device.
Background technique
With the internet as highly developed as it is today, more and more data is sent over networks. Data transmitted in plaintext is easily intercepted, so digital envelope technology can be used to protect data that is sent or forwarded.
A digital envelope uses two layers of encryption: it contains the encrypted content together with the ciphertext of the content encryption key (CEK) used to encrypt that content. The sender usually encrypts the content key with the recipient's public key, but a symmetric key negotiated in advance between sender and recipient can be used instead. On receiving the envelope, the recipient first decrypts the content-key ciphertext with its own key to recover the content key, then decrypts the content ciphertext with the content key to obtain the original content. Digital envelopes combine the high security of asymmetric algorithms with the speed of symmetric algorithms and guarantee the confidentiality of data in transit; they also detect tampering, provided the content layer is authenticated (an AEAD mode, or a MAC or signature over the ciphertext), since encryption on its own does not prevent modification.
Data forwarding based on digital envelopes, as currently practised, still leaves room for improvement in both security and convenience.
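The two-layer envelope just described, as an added example that is not part of the patent. It assumes AES-256-GCM for the content layer and RSA-2048 OAEP for the key layer, neither of which the text fixes, and constructs its own sample content. It also shows the point made above about integrity: a flipped bit in the content layer is rejected by the authenticated mode, and a different private key cannot unwrap the content key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the two-layer structure from the text: the content under a fresh
// content key, and that content key under the recipient's public key. Assumed
// here, since the text fixes neither: AES-256-GCM for the content layer and
// RSA-2048 OAEP for the key layer.
type Envelope struct {
	Content []byte // nonce || AES-GCM ciphertext || tag
	CEK     []byte // RSA-OAEP ciphertext of the 32-byte content key
}

func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Content: aead.Seal(nonce, nonce, plaintext, nil), CEK: wrapped}, nil
}

func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.CEK, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(env.Content) < n {
		return nil, errors.New("content too short")
	}
	// The GCM tag makes Open fail on any change to the content layer; this, not
	// the encryption itself, is where tamper detection comes from.
	return aead.Open(nil, env.Content[:n], env.Content[n:], nil)
}

// Demo seals for Alice, opens with her key, and then shows that a single flipped
// bit in the content and a different private key are both rejected.
func Demo(plaintext []byte) (recovered []byte, tamperErr, wrongKeyErr, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	env, err := Seal(&alice.PublicKey, plaintext)
	if err != nil {
		return
	}
	if recovered, err = Open(alice, env); err != nil {
		return
	}
	tampered := &Envelope{Content: append([]byte{}, env.Content...), CEK: env.CEK}
	tampered.Content[len(tampered.Content)-1] ^= 0x01
	_, tamperErr = Open(alice, tampered)
	_, wrongKeyErr = Open(mallory, env)
	return
}

func main() {
	got, tamperErr, wrongKeyErr, err := Demo([]byte("constructed sample content")) // constructed input
	fmt.Printf("recovered=%q err=%v\ntampered=%v\nwrong key=%v\n", got, err, tamperErr, wrongKeyErr)
}
```

The content key is generated fresh per envelope and never reused; the OAEP layer binds it to exactly one recipient, which is what the forwarding scheme below has to work around when the same ciphertext must reach a second recipient.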
Summary of the invention
In view of this, embodiments of the present invention propose a data distribution and forwarding scheme, based on an improved digital envelope technique, that offers higher security and convenience.
To this end, an embodiment of the invention provides a data forwarding method applied to the sender's client, comprising: obtaining a data ciphertext and a first record identification, where the first record identification is generated by the server and stored at the server in association with the first key needed to decrypt the data ciphertext; sending the server a data forwarding request that carries the M recipient identification, the first record identification and the N recipient identification, so that the server, on the basis of the M forwarding record containing the M recipient identification and the first record identification, stores the first record identification in association with the N recipient identification as the N forwarding record, N and M being positive integers with N not equal to M; and sending the data ciphertext and the first record identification to the N recipient.
Preferably, the data forwarding request further includes N verify data for verifying the N recipient, the N verify data including at least the N recipient's public key.
Preferably, the N verify data further includes an N check number and a first-key N ciphertext, the first-key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
Preferably, the N verify data further includes a second-key N ciphertext, generated by encrypting, with the N recipient's public key, the N check number and the second key needed to decrypt the data ciphertext.
Preferably, the first record identification is also stored at the server in association with a first-subdata first ciphertext; the second key is used to decrypt the first-subdata first ciphertext to obtain the first subdata, and the first subdata replaces a predetermined portion of the data ciphertext to yield another data ciphertext that can be decrypted with the first key.
Preferably, the data ciphertext comprises a first data ciphertext and a second data ciphertext, decrypted with the first key and the second key respectively.
Preferably, the method further comprises sending the server a revocation request containing the first record identification and the N recipient identification, so that the server deletes the N forwarding record.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs stored computer instructions to perform the sender-client data forwarding method of any of the above embodiments.
An embodiment of the invention also provides a data forwarding method applied to the server, comprising: on receiving from the M recipient a data forwarding request that carries the M recipient identification, the first record identification and the N recipient identification, storing, on the basis of the M forwarding record containing the M recipient identification and the first record identification, the first record identification in association with the N recipient identification as the N forwarding record, where the first record identification is generated by the server and stored at the server in association with the first key needed to decrypt the data ciphertext, and N and M are positive integers with N not equal to M; and on receiving from the N recipient a data receive request that carries the N recipient identification and the first record identification, sending the first key to the N recipient on the basis of the N forwarding record.
Preferably, the data forwarding request further includes N verify data for verifying the N recipient, including at least the N recipient's public key, and the method further comprises: storing the N verify data in the N forwarding record; and, on receiving the data receive request from the N recipient, verifying the N recipient with the N verify data and sending the first key to the N recipient only after the N recipient passes verification.
Preferably, the N verify data further includes an N check number and a first-key N ciphertext, the first-key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
Preferably, the N verify data further includes a second-key N ciphertext, generated by encrypting, with the N recipient's public key, the N check number and the second key needed to decrypt the data ciphertext.
Preferably, the first record identification is also stored at the server in association with a first-subdata first ciphertext, and the method further comprises: after the N recipient passes verification, decrypting the first-subdata first ciphertext with the second key and sending the resulting first subdata to the N recipient, the first subdata serving to replace a predetermined portion of the data ciphertext so as to obtain another data ciphertext that can be decrypted with the first key.
Preferably, the second key is sent to the N recipient after the N recipient passes verification.
Preferably, the method further comprises deleting the N forwarding record on receiving a data forwarding revocation request that carries the first record identification and the N recipient identification.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs stored computer instructions to perform the server-side data forwarding method of any of the above embodiments.
An embodiment of the invention also provides a data forwarding method applied to the recipient's client, comprising: on receiving a data ciphertext and a first record identification from the M recipient, sending the server a data receive request carrying the first record identification and the N recipient identification, where the first record identification is generated by the server and stored at the server in association with the first key needed to decrypt the data ciphertext, and N is a positive integer; obtaining from the server the first key that the server returns on the basis of the N forwarding record containing the first record identification and the N recipient identification; and using the first key to decrypt the data ciphertext.
Preferably, on receiving from the server an N verify data ciphertext used to verify the N recipient, the N verify data ciphertext is decrypted with the N recipient's private key and the decryption result is sent to the server.
Preferably, the N verify data ciphertext includes a first-key N ciphertext generated by encrypting the N check number and the first key with the N recipient's public key.
Preferably, the N verify data ciphertext further includes a second-key N ciphertext generated by encrypting, with the N recipient's public key, the N check number and the second key needed to decrypt the data ciphertext.
Preferably, the method further comprises: after the server has verified the decryption result, obtaining the first subdata from the server, replacing a predetermined portion of the data ciphertext with the first subdata to obtain another data ciphertext, and decrypting that data ciphertext with the first key to obtain the data plaintext.
Preferably, the method further comprises: after the server has verified the decryption result, obtaining the second key from the server and using it when decrypting the data ciphertext.
An embodiment of the invention also provides a data forwarding device comprising a processor that runs stored computer instructions to perform the recipient-client data forwarding method of any of the above embodiments.
The data distribution/forwarding scheme of the embodiments of the invention improves the security of data in transit while making forwarding more convenient for the user.
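The server-side forwarding records of the summary (distribute, forward, receive, revoke), as an added example that is not part of the patent. It assumes an in-memory store, treats the first key as opaque bytes and the N verify data as an opaque string judged by a caller-supplied check (the challenge-response itself is not modelled here), and adds one rule the text does not state: a forwarding record remembers who created it, and only that party may revoke it. All names, identifiers and key bytes are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// forwardRecord is one (record identification, recipient) entry at the server.
// Assumed here: the N verify data is an opaque string, and the record keeps the
// identification of whoever forwarded to this recipient so that only that party
// can revoke it (the text names only the fields of the revocation request).
type forwardRecord struct {
	recipientID string
	verifyData  string // N verify data (at least the N recipient public key)
	forwardedBy string // M recipient identification, or "" for the original sender
}

type recordKey struct{ recordID, recipientID string }

type forwardServer struct {
	firstKeys map[string][]byte           // first record identification -> first key
	records   map[recordKey]forwardRecord // (record identification, recipient) -> forwarding record
}

func newForwardServer() *forwardServer {
	return &forwardServer{map[string][]byte{}, map[recordKey]forwardRecord{}}
}

// distribute is the original distribution: the server stores the first key under
// the first record identification and creates the first recipient's record.
func (s *forwardServer) distribute(recordID, recipientID, verifyData string, firstKey []byte) {
	s.firstKeys[recordID] = firstKey
	s.records[recordKey{recordID, recipientID}] = forwardRecord{recipientID, verifyData, ""}
}

// forward serves a data forwarding request from M for N: it is accepted only if M
// holds a forwarding record for this record identification and N differs from M.
func (s *forwardServer) forward(recordID, fromID, toID, toVerifyData string) error {
	if fromID == toID {
		return errors.New("N must differ from M")
	}
	if _, ok := s.records[recordKey{recordID, fromID}]; !ok {
		return errors.New("forwarder holds no forwarding record for this data")
	}
	s.records[recordKey{recordID, toID}] = forwardRecord{toID, toVerifyData, fromID}
	return nil
}

// receive serves a data receive request: the first key is released only to a
// recipient that holds a forwarding record and passes verification against the
// N verify data stored in it.
func (s *forwardServer) receive(recordID, recipientID string, verify func(verifyData string) bool) ([]byte, error) {
	r, ok := s.records[recordKey{recordID, recipientID}]
	if !ok {
		return nil, errors.New("no forwarding record for this recipient")
	}
	if !verify(r.verifyData) {
		return nil, errors.New("recipient verification failed")
	}
	return s.firstKeys[recordID], nil
}

// revoke deletes N's forwarding record on M's request; only the party that
// forwarded to N may do so (assumption, see above).
func (s *forwardServer) revoke(recordID, fromID, toID string) error {
	r, ok := s.records[recordKey{recordID, toID}]
	if !ok || r.forwardedBy != fromID {
		return errors.New("no forwarding record to revoke for this forwarder")
	}
	delete(s.records, recordKey{recordID, toID})
	return nil
}

// scenario replays the summary's flow with constructed values and returns each
// step's outcome by name (nil means the server accepted the request).
func scenario() map[string]error {
	s := newForwardServer()
	s.distribute("rec-1", "M", "pub:M", []byte("constructed-first-key"))
	accept := func(want string) func(string) bool { return func(v string) bool { return v == want } }
	out := map[string]error{}
	_, out["M receives"] = s.receive("rec-1", "M", accept("pub:M"))
	out["M forwards to M"] = s.forward("rec-1", "M", "M", "pub:M")
	out["X forwards without record"] = s.forward("rec-1", "X", "N", "pub:N")
	out["M forwards to N"] = s.forward("rec-1", "M", "N", "pub:N")
	_, out["N receives"] = s.receive("rec-1", "N", accept("pub:N"))
	_, out["N fails verification"] = s.receive("rec-1", "N", accept("pub:other"))
	out["X revokes N"] = s.revoke("rec-1", "X", "N")
	out["M revokes N"] = s.revoke("rec-1", "M", "N")
	_, out["N receives after revoke"] = s.receive("rec-1", "N", accept("pub:N"))
	return out
}

func main() {
	for step, err := range scenario() {
		fmt.Printf("%-28s -> %v\n", step, err)
	}
}
```

The check that matters most is the one in forward: without it anyone who knows a record identification could mint a forwarding record for themselves, so the identification must never be treated as a bearer secret. Note also that the text deletes the N forwarding record on revocation but says nothing about records N has itself forwarded on; a deployment has to decide whether revocation cascades.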
Brief description of the drawings
Fig. 1 is a schematic flow chart of an embodiment of the data distribution method of the invention;
Fig. 2 is a schematic flow chart of another embodiment of the data distribution method of the invention;
Fig. 3 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 4 is a schematic flow chart of another embodiment of the data forwarding method of the invention;
Fig. 5 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 6 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 7 is a schematic flow chart of another embodiment of the data forwarding method of the invention;
Fig. 8 is a schematic flow chart of an embodiment of the data distribution method of the invention;
Fig. 9 is a schematic flow chart of an embodiment of the data forwarding method of the invention;
Fig. 10 is a schematic flow chart of an embodiment of the data forwarding method of the invention.
Detailed description
Embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of an embodiment of the data distribution method of the invention; the data distribution method of this embodiment is applied to the data sender's client.
As shown in Fig. 1, the data distribution method of this embodiment comprises:
S110: encrypting the data using at least one key to obtain a data ciphertext, the at least one key including a first key;
In embodiments of the invention, when the data sender needs to send data to a data receiver, it first encrypts the data to be sent. At least one data key may be used in the encryption, and this at least one key includes the first key. The first key may be a random number generated by the sender for the first recipient, or any character string generated by the sender for the first recipient in a user-defined manner; it may be generated as a whole or assembled by combining several character strings.
Embodiments of the invention place no particular requirement on the mode of encryption. By way of example, the data ciphertext may be produced by: encrypting the data to be sent with the first key; encrypting the data with another key and then with the first key; encrypting with the first key and then with another key; or encrypting different parts of the data with the first key and with other keys. The other key here may be, for example, the first recipient's public key or a symmetric key negotiated in advance between the sender and the first recipient.
S111: splitting the first key into a first sub-key and a second sub-key, and generating a first-sub-key first ciphertext from the first sub-key;
Embodiments of the invention place no particular requirement on how the first key is split; it may be split into two parts at any position. The first-sub-key first ciphertext may be generated by encrypting the first sub-key, or a character string containing it, with any key negotiated between the sender and the first recipient, for example the first recipient's public key or a symmetric key negotiated in advance.
S112: sending a data distribution request to the server, the request including at least the first recipient identification, the first recipient's public key, the first-sub-key first ciphertext and the second sub-key;
In embodiments of the invention, the sender distributes the first key to the server by sending it a data distribution request, so that the server can pass the first key on to the first recipient once the first recipient has been verified. The first key reaches the server as two parts processed by the sender: the first-sub-key first ciphertext and the second sub-key. Besides these two parts, the data distribution request carries the first recipient identification, which lets the server identify the first recipient, and the first recipient's public key, which the server uses to encrypt the data it must send to the first recipient.
The first-sub-key first ciphertext is used to verify the first recipient. When it is generated with the first recipient's public key, the sender also encrypts the first sub-key with a key negotiated between the sender and the server, producing a first-sub-key second ciphertext that is sent along with the data distribution request; when the server verifies the first recipient's identity using the first-sub-key first ciphertext, it decrypts the second ciphertext with the negotiated key to recover the first sub-key and checks whether the verify data returned by the first recipient is correct. When the first-sub-key first ciphertext is generated with a symmetric key negotiated between the sender and the first recipient, the sender can either encrypt the first sub-key with the key negotiated with the server to produce the first-sub-key second ciphertext, or encrypt, with that same negotiated key, the symmetric key that was used to generate the first-sub-key first ciphertext, and send the result to the server; either way the server can obtain the first sub-key (or the character string containing it) and use it to check the data returned by the first recipient. The key negotiated between the sender and the server may be, for example, the server's public key or a symmetric key.
The second sub-key may be sent in the data distribution request as is, or encrypted beforehand with the key negotiated between the sender and the server. After receiving the second sub-key (or receiving its ciphertext and decrypting it), the server stores it encrypted, or splits it into several parts that are stored separately, or splits it into several parts that are each encrypted and then stored separately.
The data distribution request may also carry other information and data. For example, the sender may include the hash value of the data ciphertext, the sender identification, and so on.
S113: receiving the first record identification returned by the server, and sending the data ciphertext and the first record identification to the first recipient.
On receiving the data distribution request, the server extracts the first recipient identification, the first recipient's public key, the first-sub-key first ciphertext, the second sub-key and any other information and data, stores them, creates a first record identification for the stored record, and returns the first record identification to the sender's client.
Having received the first record identification, the sender's client can at any time send the corresponding data ciphertext and first record identification to the first recipient, either directly or indirectly through another server.
After receiving the first record identification and the data ciphertext, the first recipient requests the first key from the server using the first record identification and the first recipient identification. On receiving the request, the server verifies the first recipient's identity with the first-sub-key first ciphertext and, if the verification passes, combines the first sub-key and the second sub-key into the first key, encrypts it with the first recipient's public key and sends it to the first recipient.
In embodiments of the invention, the sender thus processes the first key used to decrypt the data ciphertext into two parts and sends them to the server; the verify data that the recipient receives from the server, together with its own public key and identification, contains only part of the first key, and the complete first key is obtained only after verification succeeds. Because part of the first key serves as the verify data, and that verify data is generated by the sender, the server can simply pass it on to the recipient for verification, which reduces the management and computing load of verification at the server. At the same time, the two parts of the first key undergo different encryption and storage treatments, so that even if an attacker intercepts the communication or compromises the server, it is hard to determine how the first key is composed and what processing it has undergone, which protects the first key both in transit and in storage at the server.
In one embodiment, in S111 the first sub-key is encrypted with the first recipient's public key to obtain the first-sub-key first ciphertext; when the first recipient receives the first-sub-key first ciphertext from the server for verification, it decrypts it with its private key to obtain the first sub-key and returns the first sub-key to the server for checking.
In another embodiment, in S111 a first check number and the first sub-key are encrypted together with the first recipient's public key to obtain the first-sub-key first ciphertext. The first check number may be, for example, a fixed-length random number generated by the sender or a character string of the sender's own construction. The sender concatenates the first check number and the first sub-key into one string, encrypts that string with the first recipient's public key to produce the first-sub-key first ciphertext, and also carries the first check number in the data distribution request sent to the server. When the first recipient receives the first-sub-key first ciphertext from the server, it decrypts it with its private key to obtain the string composed of the first check number and the first sub-key and returns that string to the server; the server concatenates the first check number obtained from the data distribution request with the first sub-key and compares the result against the string returned by the first recipient.
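Steps S111 to S113 of Fig. 1, with the check-number variant just described, as an added example that is not part of the patent; the type and function names are the example's own. It assumes a 32-byte first key split after byte 12, a 16-byte first check number, RSA-2048 OAEP for every public-key operation, and the second sub-key sent to the server in the clear over an already authenticated channel. The encryption of the data itself under the first key is left out; only the path of the key from sender through server to first recipient is shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed here, not fixed by the patent: a 32-byte first key split after byte 12, a
// 16-byte first check number, RSA-2048 OAEP for every public-key step, and the second
// sub-key handed to the server in the clear over an already authenticated channel.
const splitAt = 12

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
func oaepEncrypt(pub *rsa.PublicKey, m []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil))
}
func oaepDecrypt(priv *rsa.PrivateKey, ct []byte) []byte {
	return must(rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil))
}

// distributeRequest is the sender's data distribution request (S112).
type distributeRequest struct {
	recipientID  string
	recipientPub *rsa.PublicKey
	checkNumber  []byte // first check number, sent in the clear
	subKey1Ct1   []byte // first sub-key first ciphertext: OAEP to the recipient of checkNumber||subKey1
	subKey1Ct2   []byte // first sub-key second ciphertext: OAEP to the server of subKey1
	subKey2      []byte // second sub-key
}
type record struct {
	req      distributeRequest
	expected []byte // checkNumber||subKey1, rebuilt by the server from subKey1Ct2
}
type server struct {
	priv    *rsa.PrivateKey
	records map[string]*record
}

// distribute files the request under a fresh first record identification (S113).
func (s *server) distribute(req distributeRequest) string {
	id := fmt.Sprintf("%x", randBytes(8))
	s.records[id] = &record{req, cat(req.checkNumber, oaepDecrypt(s.priv, req.subKey1Ct2))}
	return id
}

// release sends the recipient the first sub-key first ciphertext (the answer callback
// stands for that round trip), checks the reply in constant time, then joins the
// sub-keys and returns the first key encrypted under the recipient public key.
func (s *server) release(recordID, recipientID string, answer func([]byte) []byte) ([]byte, error) {
	r, ok := s.records[recordID]
	if !ok || r.req.recipientID != recipientID {
		return nil, errors.New("no such record for this recipient")
	}
	if subtle.ConstantTimeCompare(answer(r.req.subKey1Ct1), r.expected) != 1 {
		return nil, errors.New("recipient verification failed")
	}
	return oaepEncrypt(r.req.recipientPub, cat(r.expected[len(r.req.checkNumber):], r.req.subKey2)), nil
}

// senderDistribute is S111-S113 on the sender; the first key is returned only so the
// demo can compare it with what the recipient recovers (in practice it stays put).
func senderDistribute(srv *server, recipientID string, pub *rsa.PublicKey) (firstKey []byte, recordID string) {
	firstKey, checkNumber := randBytes(32), randBytes(16)
	subKey1, subKey2 := firstKey[:splitAt], firstKey[splitAt:]
	req := distributeRequest{recipientID, pub, checkNumber,
		oaepEncrypt(pub, cat(checkNumber, subKey1)), oaepEncrypt(&srv.priv.PublicKey, subKey1), subKey2}
	return firstKey, srv.distribute(req)
}

// recipientReceive answers the challenge with its private key and recovers the joined first key.
func recipientReceive(srv *server, recipientID string, priv *rsa.PrivateKey, recordID string) ([]byte, error) {
	keyCt, err := srv.release(recordID, recipientID, func(c []byte) []byte { return oaepDecrypt(priv, c) })
	if err != nil {
		return nil, err
	}
	return oaepDecrypt(priv, keyCt), nil
}

// runFlow: the real recipient recovers the key; an answer not made with her private key is refused.
func runFlow() (sent, recovered []byte, wrongAnswerErr error, err error) {
	srv := &server{must(rsa.GenerateKey(rand.Reader, 2048)), map[string]*record{}}
	alice := must(rsa.GenerateKey(rand.Reader, 2048))
	sent, id := senderDistribute(srv, "alice", &alice.PublicKey)
	_, wrongAnswerErr = srv.release(id, "alice", func([]byte) []byte { return []byte("guess") })
	recovered, err = recipientReceive(srv, "alice", alice, id)
	return
}

func main() {
	sent, got, wrongErr, err := runFlow()
	fmt.Printf("sent=%x\nrecovered=%x\nerr=%v\nwrong-answer=%v\n", sent, got, err, wrongErr)
}
```

The server never sees the first key in one piece until it has a verified answer in hand, and even then it only ever hands it out under the recipient's public key, which matches the text. Two things to check in a deployment that the example glosses over: the second sub-key sits at the server in whatever form the server stores it, so the storage treatment described above is what protects it; and the client-side oaepDecrypt panics on a ciphertext it cannot open, which is acceptable in a demo but should be an error return in a real client.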
Fig. 2 is a schematic flow chart of another embodiment of the data distribution method of the invention.
As shown in Fig. 2, the data distribution method of this embodiment comprises:
S120: encrypting the data using at least one key to obtain a data ciphertext, the at least one key including a first key and a second key;
S121: splitting the first key into a first sub-key and a second sub-key, and generating a first-sub-key first ciphertext from the first sub-key;
S122: splitting the second key into a third sub-key and a fourth sub-key, and generating a third-sub-key first ciphertext from the third sub-key;
S123: sending a data distribution request to the server, the request including at least the first recipient identification, the first recipient's public key, the first-sub-key first ciphertext, the second sub-key, the third-sub-key first ciphertext and the fourth sub-key;
S124: receiving the first record identification returned by the server, and sending the data ciphertext and the first record identification to the first recipient.
In this embodiment both a first key and a second key are used to encrypt the data. Both are generated by the sender and are not known to the first recipient.
As with the first key, the sender splits the second key into two parts, a third sub-key and a fourth sub-key, generates a third-sub-key first ciphertext from the third sub-key, and carries the third-sub-key first ciphertext and the fourth sub-key in the data distribution request sent to the server.
The third-sub-key first ciphertext is likewise used to verify the first recipient's identity. When it is generated with the first recipient's public key, the sender also encrypts the third sub-key with the key negotiated between the sender and the server to produce a third-sub-key second ciphertext, which is sent with the data distribution request. When it is generated with a symmetric key negotiated between the sender and the first recipient, the sender may either encrypt the third sub-key with the key negotiated with the server to produce the third-sub-key second ciphertext, or encrypt with that key the symmetric key that was used to generate the third-sub-key first ciphertext, and send the result to the server, so that the server can obtain the third sub-key and check the data returned by the first recipient. The key negotiated between the sender and the server may be, for example, the server's public key or a symmetric key.
The fourth sub-key may be sent in the data distribution request as is, or encrypted beforehand with the key negotiated between the sender and the server. After receiving the fourth sub-key (or receiving its ciphertext and decrypting it), the server stores it encrypted, or splits it into several parts that are stored separately, or splits it into several parts that are each encrypted and then stored separately.
After the first recipient receives the data ciphertext and the first record identification from the sender, it requests the keys needed for decryption from the server. The server verifies the first recipient with the first-sub-key first ciphertext and with the third-sub-key first ciphertext respectively, and only after both verifications pass does it allow the first recipient to obtain the keys needed for decryption. How the server delivers the data needed for decryption depends on how the first key and the second key were used when the data was encrypted, which is explained with the embodiments below.
In this embodiment the first recipient needs not only the first key but also the second key (or data derived from it) to decrypt the data ciphertext, and the server verifies the first recipient independently for the first key and for the second key, which further improves the security of the data ciphertext and of the keys.
The second key may be generated in the same or a similar way as the first key. For example, in one embodiment, in S122 the third sub-key is encrypted with the first recipient's public key to obtain the third-sub-key first ciphertext. In another embodiment, in S122 a first check number and the third sub-key are encrypted with the first recipient's public key to obtain the third-sub-key first ciphertext; the first check number used for the first-sub-key first ciphertext may be the same as or different from the one used for the third-sub-key first ciphertext, and when they differ the sender must carry each check number in the data distribution request and indicate which verification sub-key ciphertext each check number belongs to.
The ways in which the sender uses the first key and the second key to encrypt data are illustrated below with embodiments.
In one embodiment, the sender first encrypts the plaintext of the data to be sent with the first key to obtain a first data ciphertext, then extracts a first subdata from predetermined portions of the first data ciphertext, overwrites the positions the first subdata occupied with a second subdata to produce a second data ciphertext, and encrypts the first subdata with the second key to obtain a first-subdata first ciphertext. The way the first subdata is extracted is not limited: a small amount of data may be taken from the head, the middle and the end of the first ciphertext, or from its first half and its second half. The second subdata that replaces the first subdata in the first ciphertext may be, for example, empty data or an arbitrary character string generated by the sender. The sender only needs to agree with the first recipient on the positions from which the first subdata is extracted; the way the second subdata is generated need not be agreed. The sender also sends the first-subdata first ciphertext to the server, and sends the second data ciphertext and the first record identification to the first recipient. After receiving the second data ciphertext and the first record identification, the first recipient sends the first record identification and the first recipient identification to the server to request the first key and the first-subdata first ciphertext. Once the server has verified the first recipient with the first-sub-key first ciphertext and the third-sub-key first ciphertext, it combines the third sub-key and the fourth sub-key into the second key, decrypts the first-subdata first ciphertext to obtain the first subdata, encrypts the first key and the first subdata with the first recipient's public key and sends them to the first recipient. The first recipient then replaces the predetermined portions of the second data ciphertext with the first subdata to recover the first data ciphertext and decrypts it with the first key to obtain the data plaintext. In this embodiment, because the second data ciphertext sent to the first recipient has been processed in this way, the ciphertext the first recipient holds contains noise, which effectively hinders brute-force attacks and improves the security of the data ciphertext.
In another embodiment, when encrypting data, the sender first splits the data plaintext to be sent into first data and second data, encrypts the first data with the first key to obtain a first data ciphertext, encrypts the second data with the second key to obtain a second data ciphertext, and sends the first data ciphertext and the second data ciphertext together, as the data ciphertext described above, to the first recipient along with the first record identifier. After receiving the first data ciphertext, the second data ciphertext and the first record identifier, the first recipient sends the first record identifier to the server to request the first key and the second key. After the server verifies the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively, it encrypts the first key and the second key with the first recipient public key and sends them to the first recipient. After receiving the first key and the second key, the first recipient decrypts the first data ciphertext with the first key and the second data ciphertext with the second key to obtain the first data and the second data, then combines the first data and the second data to obtain the data plaintext. In this embodiment, the data is split into two parts that are encrypted separately and sent to the recipient; the recipient must obtain the keys corresponding to both parts and decrypt both ciphertexts before it can obtain the target data plaintext, which improves the security of the data ciphertext.
In a further embodiment of the invention, when encrypting data, the sender first encrypts the data plaintext to be sent with the first key to obtain a first data ciphertext, then encrypts the first data ciphertext again with the second key to obtain a second data ciphertext, and sends the second data ciphertext and the first record identifier to the first recipient. After receiving the second data ciphertext and the first record identifier, the first recipient sends the first record identifier to the server to request the first key and the second key. After the server verifies the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively, it encrypts the first key and the second key with the first recipient public key and sends them to the first recipient. After receiving the first key and the second key, the first recipient first decrypts the second data ciphertext with the second key to obtain the first data ciphertext, then decrypts the first data ciphertext with the first key to obtain the data plaintext. In this embodiment, the data is encrypted in multiple layers before being sent to the recipient; the recipient must obtain the keys corresponding to both layers of encryption and decrypt the data ciphertext layer by layer before it can obtain the target data plaintext, which improves the security of the data ciphertext.
Fig. 3 is a schematic flow chart of an embodiment of the data forwarding method of the invention; the data forwarding method of this embodiment is applied to the server.
As shown in Fig. 3, the data forwarding method of this embodiment includes:
S130: when a data distribution request including at least a first recipient identifier, a first recipient public key, a first ciphertext of the first sub-key and a second sub-key is received from the sender, return a first record identifier to the sender;
In this embodiment, the sender distributes the first key to the server by sending a data distribution request to the server, so that the server forwards the first key to a first recipient that passes verification; the first key is the key the sender uses when encrypting the data to be sent to the first recipient. The first key sent by the sender to the server has been processed by the sender into two parts, namely the first ciphertext of the first sub-key and the second sub-key (see S111). Besides the two parts of the first key, the data distribution request the server receives from the sender also includes the first recipient identifier and the first recipient public key; the first recipient identifier lets the server identify the first recipient, and the first recipient public key is needed by the server to encrypt the data to be sent to the first recipient before transmission. After receiving the data distribution request, the server allocates a first record identifier for that request and returns it to the sender.
S131: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, store the first record identifier in association with the first ciphertext of the second sub-key, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key and the first recipient public key;
The server then processes and stores the information and data extracted from the data distribution request. After the server extracts the second sub-key from the data distribution request (or extracts a ciphertext of the second sub-key and decrypts it to obtain the second sub-key), it encrypts the second sub-key and stores the result as the first ciphertext of the second sub-key, or splits the second sub-key into multiple parts, encrypts each part separately and stores the result as the first ciphertext of the second sub-key. The server then stores the first record identifier in association with the first ciphertext of the second sub-key, which is needed for decrypting the data ciphertext, as a single data distribution record, and separately creates a forwarding record for the first recipient identifier in which the first record identifier and the data related to the first recipient, such as the first ciphertext of the first sub-key and the first recipient public key, are stored.
S132: when a data receiving request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key;
After receiving the first record identifier and the data ciphertext from the data sender, the first recipient can request the first key from the server using the first record identifier and the first recipient identifier, and the server, on receiving the data receiving request, can send the first ciphertext of the first sub-key to the first recipient to verify the first recipient's identity. When the first ciphertext of the first sub-key was generated by encryption with the first recipient public key, the sender can also encrypt the first sub-key with a key negotiated between the sender and the server to produce a second ciphertext of the first sub-key and send it to the server; when the server authenticates the first recipient using the first ciphertext of the first sub-key, it can decrypt the second ciphertext of the first sub-key with the negotiated key to obtain the first sub-key and check whether the verification data returned by the first recipient is correct. When the first ciphertext of the first sub-key was generated by encryption with a symmetric key negotiated between the sender and the first recipient, the sender likewise either encrypts the first sub-key with the key negotiated with the server to produce a second ciphertext of the first sub-key and sends it to the server, or encrypts, with the key negotiated with the server, the symmetric key that was used to generate the first ciphertext of the first sub-key and sends that to the server, so that the server can obtain the first sub-key, or a character string containing the first sub-key, with which to check the verification data returned by the first recipient.
S133: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key, encrypt it with the first recipient public key and send it to the first recipient.
When the first recipient passes verification, the server combines the first sub-key and the second sub-key into the first key, encrypts the first key with the first recipient public key and sends it to the first recipient; the first recipient can then use the first key obtained from the server to decrypt the data ciphertext obtained from the sender and obtain the data plaintext.
In this embodiment, a part of the first key serves as the verification data, and the verification data is generated by the sender; the server can send the verification data directly to the recipient for verification, which reduces the server's management and computation load during verification while ensuring the security of the first key both in transit and in storage at the server.
In an embodiment of the invention, the first ciphertext of the first sub-key is obtained by encrypting the first sub-key with the first recipient public key; after the server sends the first ciphertext of the first sub-key to the first recipient in S132, it can compare the first sub-key with the verification data returned by the first recipient to determine whether the first recipient returned the correct first sub-key.
In another embodiment, the data distribution request further includes a first check number, and the first ciphertext of the first sub-key is obtained by encrypting the first check number and the first sub-key with the first recipient public key; after the server sends the first ciphertext of the first sub-key to the first recipient in S132, it can compare the first sub-key and the first check number with the verification data returned by the first recipient to determine whether the first recipient correctly returned data containing the first check number and the first sub-key.
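The server-side flow of S130 to S133, with the check-number variant, as an added stand-alone simulation that is not the patent's own code: the sender splits the first key, the server keeps the two halves in separate records, challenges the recipient with the sender-made ciphertext, and recombines the key only when the answer matches the sender's copy. Assumptions: pre-negotiated symmetric keys between each pair of parties stand in for the recipient's public key (the text itself allows a sender/recipient symmetric key for the sub-key ciphertext), the check number is four bytes, and an HMAC-SHA256 keystream stands in for a real cipher.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a symmetric cipher: XOR with an HMAC-SHA256 keystream
# under a fresh nonce. A real deployment would use AES-GCM or similar.
def _keystream_xor(key, nonce, data):
    pad = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, data):
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, data)

def unseal(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])

CHECK_LEN = 4  # length of the first check number (assumed)

def split_key(first_key):
    """Sender side (S111 in the text): first key -> first sub-key, second sub-key."""
    half = len(first_key) // 2
    return first_key[:half], first_key[half:]

def sender_build_request(first_key, recipient_id, k_sender_recipient, k_sender_server):
    """Data distribution request (S130). The first ciphertext of the first sub-key is
    made for the recipient; the second ciphertext lets the server check the answer."""
    sub1, sub2 = split_key(first_key)
    check = secrets.token_bytes(CHECK_LEN)             # first check number
    verify_data = check + sub1
    return {
        "recipient_id": recipient_id,
        "sub1_ct1": seal(k_sender_recipient, verify_data),
        "sub1_ct2": seal(k_sender_server, verify_data),
        "sub2": sub2,
    }

class Server:
    def __init__(self, k_sender_server, k_server_recipient):
        self.k_sender = k_sender_server        # negotiated with the sender
        self.k_recipient = k_server_recipient  # stands in for the recipient's public key
        self.storage_key = secrets.token_bytes(32)  # protects the stored second sub-key
        self.distribution = {}   # first record id -> first ciphertext of second sub-key
        self.forwarding = {}     # (recipient id, record id) -> recipient-bound data

    def on_distribution_request(self, req):
        """S130/S131: allocate a record id, encrypt sub-key 2 at rest, keep the
        recipient-bound material in a separate forwarding record."""
        record_id = secrets.token_hex(8)
        self.distribution[record_id] = seal(self.storage_key, req["sub2"])
        self.forwarding[(req["recipient_id"], record_id)] = {
            "sub1_ct1": req["sub1_ct1"], "sub1_ct2": req["sub1_ct2"]}
        return record_id   # returned to the sender, forwarded with the data ciphertext

    def on_receive_request(self, recipient_id, record_id):
        """S132: the challenge is the sender-made first ciphertext of the first sub-key."""
        return self.forwarding[(recipient_id, record_id)]["sub1_ct1"]

    def on_verify_data(self, recipient_id, record_id, verify_data):
        """S133: compare the answer with the sender-supplied copy; only on a match
        recombine the sub-keys and wrap the first key for the recipient."""
        rec = self.forwarding[(recipient_id, record_id)]
        expected = unseal(self.k_sender, rec["sub1_ct2"])
        if not hmac.compare_digest(verify_data, expected):
            return None
        sub1 = expected[CHECK_LEN:]
        sub2 = unseal(self.storage_key, self.distribution[record_id])
        return seal(self.k_recipient, sub1 + sub2)

def recipient_answer(challenge, k_sender_recipient):
    """Recipient side: decrypt the challenge and return the result as verification data."""
    return unseal(k_sender_recipient, challenge)

def run_protocol(recipient_has_right_key=True):
    """Drive one distribution; returns (first key the sender made, key delivered or None)."""
    k_sr = secrets.token_bytes(32)   # negotiated sender <-> recipient (assumed)
    k_ss = secrets.token_bytes(32)   # negotiated sender <-> server (assumed)
    k_rs = secrets.token_bytes(32)   # negotiated server <-> recipient (assumed)
    server = Server(k_ss, k_rs)
    first_key = secrets.token_bytes(32)
    record_id = server.on_distribution_request(
        sender_build_request(first_key, "recipient-1", k_sr, k_ss))
    challenge = server.on_receive_request("recipient-1", record_id)
    answer_key = k_sr if recipient_has_right_key else secrets.token_bytes(32)
    wrapped = server.on_verify_data("recipient-1", record_id,
                                    recipient_answer(challenge, answer_key))
    if wrapped is None:
        return first_key, None
    return first_key, unseal(k_rs, wrapped)

if __name__ == "__main__":
    made, got = run_protocol()
    print("delivered first key matches:", made == got)
    print("wrong-key answer is rejected:", run_protocol(False)[1] is None)
```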
Fig. 4 is a schematic flow chart of another embodiment of the data forwarding method of the invention.
As shown in Fig. 4, the data forwarding method of this embodiment includes:
S140: when a data distribution request including at least a first recipient identifier, a first recipient public key, a first ciphertext of the first sub-key and a second sub-key, and a first ciphertext of the third sub-key and a fourth sub-key is received from the sender, return a first record identifier to the sender;
S141: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, and encrypt the fourth sub-key to obtain a first ciphertext of the fourth sub-key;
S142: store the first record identifier in association with the first ciphertext of the second sub-key and the first ciphertext of the fourth sub-key, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key, the first ciphertext of the third sub-key and the first recipient public key;
S143: when a data receiving request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key, and perform a second verification of the first recipient using the first ciphertext of the third sub-key;
S144: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key, encrypt it with the first recipient public key and send it to the first recipient; when the first recipient passes the second verification, send the data corresponding to the second verification to the first recipient.
In this embodiment, the sender uses both a first key and a second key when encrypting the data. The first key and the second key are generated by the sender and are not known to the first recipient. Similarly to how the first key is handled, the sender also splits the second key into two parts, namely a third sub-key and a fourth sub-key, and generates a first ciphertext of the third sub-key based on the third sub-key. The data distribution request the server receives from the sender includes the first ciphertext of the third sub-key and the fourth sub-key.
The server authenticates the first recipient using both the first ciphertext of the first sub-key and the first ciphertext of the third sub-key. When the first ciphertext of the third sub-key was generated by encryption with the first recipient public key, the sender can also encrypt the third sub-key with the key negotiated between the sender and the server to produce a second ciphertext of the third sub-key and send it to the server with the data distribution request; when the first ciphertext of the third sub-key was generated by encryption with a symmetric key negotiated between the sender and the first recipient, the sender can either encrypt the third sub-key with the key negotiated with the server to produce a second ciphertext of the third sub-key and send it to the server, or encrypt, with the key negotiated with the server, the symmetric key that was used to generate the first ciphertext of the third sub-key and send that to the server. The server can thereby obtain the third sub-key with which to check the verification data the first recipient returns after decrypting the first ciphertext of the third sub-key.
After the server extracts the fourth sub-key (or a ciphertext of the fourth sub-key, which it decrypts to obtain the fourth sub-key) from the data distribution request, it can encrypt the fourth sub-key and store the result as the first ciphertext of the fourth sub-key, or split the fourth sub-key into multiple parts, encrypt each part separately and store the result as the first ciphertext of the fourth sub-key; it stores the first ciphertext of the second sub-key, the first ciphertext of the fourth sub-key and the first record identifier in association as a single data distribution record.
After the first recipient receives the data ciphertext and the first record identifier from the sender and requests from the server the keys needed for decryption, the server verifies the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively. After verification passes, it combines the first sub-key and the second sub-key into the first key, encrypts it with the first recipient public key and sends it to the first recipient, and also sends the data corresponding to the second verification to the first recipient, so that the first recipient can decrypt the data ciphertext obtained from the sender to obtain the data plaintext. The form of the data corresponding to the second verification that the server sends to the first recipient depends on how the sender used the first key and the second key when encrypting the data; this is explained below.
In this embodiment, besides the first key, the first recipient also needs the second key, or data related to the second key, in order to decrypt the data ciphertext, and the server authenticates the first recipient independently for the first key and for the second key, which further improves the security of the data ciphertext and of the keys.
In this embodiment, the first ciphertext of the third sub-key can be obtained by encrypting the third sub-key with the first recipient public key; after the server sends the first ciphertext of the third sub-key to the first recipient in S143, it can compare the third sub-key with the verification data returned by the first recipient to determine whether the first recipient returned the correct third sub-key.
In another embodiment, the data distribution request further includes a first check number, and the first ciphertext of the third sub-key is obtained by encrypting the first check number and the third sub-key with the first recipient public key; after the server sends the first ciphertext of the third sub-key to the first recipient in S142, it can compare the third sub-key and the first check number with the verification data returned by the first recipient to determine whether the first recipient correctly returned data containing the first check number and the third sub-key.
Fig. 5 is a schematic flow chart of an embodiment of the data forwarding method of the invention.
As shown in Fig. 5, the data forwarding method of this embodiment includes:
S150: when a data distribution request including at least a first recipient identifier, a first recipient public key, a first ciphertext of the first sub-key and a second sub-key, a first ciphertext of the third sub-key and a fourth sub-key, and a first ciphertext of the first subdata is received from the sender, return a first record identifier to the sender;
S151: encrypt the second sub-key to obtain a first ciphertext of the second sub-key, and encrypt the fourth sub-key to obtain a first ciphertext of the fourth sub-key;
S152: store the first record identifier in association with the first ciphertext of the second sub-key, the first ciphertext of the fourth sub-key and the first ciphertext of the first subdata, and store the first recipient identifier in association with at least the first record identifier, the first ciphertext of the first sub-key, the first ciphertext of the third sub-key and the first recipient public key;
S153: when a data receiving request including the first recipient identifier and the first record identifier is received from the first recipient, perform a first verification of the first recipient using the first ciphertext of the first sub-key, and perform a second verification of the first recipient using the first ciphertext of the third sub-key;
S154: when the first recipient passes at least the first verification, combine the first sub-key and the second sub-key into the first key, encrypt it with the first recipient public key and send it to the first recipient;
S155: when the first recipient passes the second verification, combine the third sub-key and the fourth sub-key into the second key, decrypt the first ciphertext of the first subdata with the second key to obtain the first subdata, encrypt the first subdata with the first recipient public key to obtain a second ciphertext of the first subdata, and send it to the first recipient.
In this embodiment, when encrypting data, the sender first encrypts the data plaintext to be sent with the first key to obtain a first data ciphertext, then extracts first subdata from predetermined portions of the first data ciphertext, replaces the original first subdata in the first data ciphertext with second subdata to generate a second data ciphertext, and encrypts the first subdata with the second key to obtain a first ciphertext of the first subdata. The server can also extract the first ciphertext of the first subdata from the sender's data distribution request and store the first ciphertext of the first subdata, the first ciphertext of the second sub-key, the first ciphertext of the fourth sub-key and the first record identifier in association as a single data distribution record.
What the first recipient receives from the sender is the second data ciphertext and the first record identifier, and it sends the first record identifier to the server to request the first key and the first ciphertext of the first subdata. After the server verifies the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively, it combines the third sub-key and the fourth sub-key into the second key, decrypts the first ciphertext of the first subdata to obtain the first subdata, encrypts the first key and the first subdata with the first recipient public key and sends them to the first recipient. After receiving the first key and the first subdata, the first recipient replaces the predetermined portions of the second data ciphertext with the first subdata to obtain the first data ciphertext, then decrypts the first data ciphertext with the first key to obtain the data plaintext.
In this embodiment, the second data ciphertext obtained by processing the first data ciphertext is sent to the first recipient, while the ciphertext of the first subdata needed to decrypt the second data ciphertext is stored at the server, so that the ciphertext data the first recipient obtains contains noise and the first subdata must be obtained from the server before the data ciphertext can be decrypted; this can effectively prevent brute-force cracking and improves the security of the data ciphertext.
In some embodiments of the invention, the first recipient must hold both the first key and the second key at the same time to complete decryption of the data ciphertext obtained from the sender; in that case, when the first recipient passes the server's second verification, the server, besides encrypting the first key with the first recipient public key and sending it to the first recipient, can also combine the third sub-key and the fourth sub-key into the second key, encrypt it with the first recipient public key and send it to the first recipient. By requiring the recipient to obtain two keys and decrypt the ciphertext with both before it can obtain the data plaintext, this embodiment can improve the security of the data ciphertext.
Fig. 6 is a schematic flow chart of an embodiment of the data forwarding method of the invention; this embodiment is applied to the recipient's client.
As shown in Fig. 6, the data forwarding method of this embodiment includes:
S160: when the data ciphertext and the first record identifier are received from the data sender, send to the server a data receiving request including the first recipient identifier and the first record identifier;
The data ciphertext the first recipient receives from the data sender was generated by the sender, in the course of encrypting the data plaintext, using at least one key; the data sender has sent the data needed to decrypt the data ciphertext together with the first recipient identifier to the server, which has stored these data and information and accordingly allocated a first record identifier. The first recipient can use the first recipient identifier and the first record identifier to request from the server the data needed to decrypt the data ciphertext.
S161: when a first ciphertext of the first sub-key, used to perform a first verification of the first recipient, is received from the server, decrypt the first ciphertext of the first sub-key with the first recipient private key and send the first decryption result to the server;
When the server receives the data receiving request from the first recipient, it can send the first ciphertext of the first sub-key to the first recipient to verify the first recipient's identity. When the first ciphertext of the first sub-key was generated by encryption with the first recipient public key, the first recipient can decrypt it with the first recipient private key to obtain the first decryption result and return it to the server. When the first ciphertext of the first sub-key was generated by encryption with a symmetric key negotiated between the sender and the first recipient, the first recipient can decrypt it with the negotiated symmetric key to obtain the first decryption result and return it to the server. The server can use the first sub-key from the sender's data distribution request, or a character string containing the first sub-key, to check whether the first decryption result returned by the first recipient is correct.
S162: if the first verification passes, obtain from the server the first key generated by the server by combining the first sub-key and the second sub-key, and use the first key in decrypting the data ciphertext.
When the server confirms that the first recipient passes verification, it combines the first sub-key and the second sub-key from the sender's data distribution request into the first key, encrypts the first key with the first recipient public key and sends it to the first recipient. The first recipient can use the first key obtained from the server to decrypt the data ciphertext obtained from the sender and obtain the data plaintext.
In this embodiment, a part of the first key serves as the verification data, and the verification data is generated by the sender; the server can send the verification data directly to the recipient for verification, which reduces the server's management and computation load during verification while ensuring the security of the first key both in transit and in storage at the server.
In an embodiment of the invention, the first ciphertext of the first sub-key is generated by encrypting the first sub-key with the first recipient public key, and the first decryption result the first recipient obtains by decrypting the first ciphertext of the first sub-key is the first sub-key.
In another embodiment, the first ciphertext of the first sub-key is generated by encrypting the first check number and the first sub-key with the first recipient public key, and the first decryption result the first recipient obtains by decrypting the first ciphertext of the first sub-key is a character string containing the first check number and the first sub-key.
Fig. 7 is a schematic flow chart of another embodiment of the data forwarding method of the invention.
As shown in Fig. 7, the data forwarding method of this embodiment includes:
S170: when the data ciphertext and the first record identifier are received from the data sender, send to the server a data receiving request including the first recipient identifier and the first record identifier;
S171: when a first ciphertext of the first sub-key, used to perform a first verification of the first recipient, is received from the server, decrypt the first ciphertext of the first sub-key with the first recipient private key and send the first decryption result to the server;
S172: if the first verification passes, obtain from the server the first key generated by the server by combining the first sub-key and the second sub-key, and use the first key in decrypting the data ciphertext;
S173: when a first ciphertext of the third sub-key, used to perform a second verification of the first recipient, is received from the server, decrypt the first ciphertext of the third sub-key with the first recipient private key and send the second decryption result to the server;
S174: if the second verification passes, obtain from the server the data corresponding to the second verification and use it in decrypting the data ciphertext.
It should be noted that S171 and S173 need not be executed one after the other; they can also be executed in parallel.
In this embodiment, the sender uses both a first key and a second key when encrypting the data. The first key and the second key are generated by the sender and are not known to the first recipient. As with the first key, the second key is also split into two parts, namely a third sub-key and a fourth sub-key, and the sender generates the first ciphertext of the first sub-key and the first ciphertext of the third sub-key by encrypting the first sub-key and the third sub-key with the first recipient public key.
After the first recipient receives the data ciphertext and the first record identifier from the sender and requests from the server the keys needed for decryption, the server performs the first verification and the second verification of the first recipient using the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively. The way the server verifies the second decryption result is similar to the way it verifies the first decryption result; see the previous embodiment, which is not repeated here. After both the first verification and the second verification pass, the server combines the first sub-key and the second sub-key into the first key, encrypts it with the first recipient public key and sends it to the first recipient, and sends the data corresponding to the second verification to the first recipient, so that the first recipient can decrypt the data ciphertext obtained from the sender to obtain the data plaintext. The form of the data corresponding to the second verification that the server sends to the first recipient depends on how the sender used the first key and the second key when encrypting the data.
In this embodiment, besides the first key, the first recipient also needs the second key, or data related to the second key, in order to decrypt the data ciphertext, and the server authenticates the first recipient independently for the first key and for the second key, which further improves the security of the data ciphertext and of the keys.
In an embodiment of the invention, the first ciphertext of the third sub-key is generated by encrypting the third sub-key with the first recipient public key, and the second decryption result the first recipient obtains by decrypting the first ciphertext of the third sub-key is the third sub-key.
In another embodiment, the first ciphertext of the third sub-key is generated by encrypting the first check number and the third sub-key with the first recipient public key, and the second decryption result the first recipient obtains by decrypting the first ciphertext of the third sub-key is a character string containing the first check number and the first sub-key.
In one embodiment of the invention, when encrypting data, the sender first encrypts the data plaintext to be sent with the first key to obtain the first data ciphertext, then extracts the first subdata from a predetermined portion of the first data ciphertext, replaces the position originally occupied by the first subdata in the first data ciphertext with the second subdata to generate the second data ciphertext, and encrypts the first subdata with the second key to obtain the first ciphertext of the first subdata. What the first recipient receives from the sender is the second data ciphertext and the first record identification, and it sends the first record identification to the server-side to request the first key and the first ciphertext of the first subdata. After the server-side has verified the first recipient with the first ciphertext of the first sub-key and the first ciphertext of the third sub-key respectively, it combines the third sub-key and the fourth sub-key into the second key, decrypts the first ciphertext of the first subdata with it to obtain the first subdata, and sends the first key and the first subdata to the first recipient encrypted with the first recipient's public key. After receiving the first key and the first subdata, the first recipient replaces the predetermined portion of the second data ciphertext with the first subdata to obtain the first data ciphertext, and then decrypts the first data ciphertext with the first key to obtain the data plaintext. In this embodiment of the present invention, the second data ciphertext obtained by applying the above processing to the first data ciphertext is sent to the first recipient, while the ciphertext of the first subdata, which is necessary to decrypt the second data ciphertext, is stored at the server-side. The ciphertext data obtained by the first recipient therefore contains noise, and the first subdata must be obtained from the server-side before the data ciphertext can be decrypted; this effectively prevents brute-force cracking and improves the security of the data ciphertext.
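The sender, server-side and recipient steps of the ciphertext-splitting scheme just described, as an added Python illustration that is not the patent's own code. Assumptions: an HMAC-SHA256 counter keystream stands in for the unspecified symmetric cipher, the predetermined portion is the first 16 bytes of the first data ciphertext, and the sub-key verification exchange is left out.

```python
import hashlib
import hmac
import os

PORTION_LEN = 16  # assumed size of the "predetermined portion", in bytes


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    Encrypting and decrypting are the same operation. This is only an
    illustration; the patent does not name a cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sender_encrypt(plaintext: bytes, first_key: bytes, second_key: bytes):
    """Sender side. Returns (second_data_ciphertext, first_ciphertext_of_first_subdata):
    the first is handed to the recipient together with the record identification,
    the second is deposited at the server-side."""
    first_data_ct = keystream_xor(first_key, plaintext)
    first_subdata = first_data_ct[:PORTION_LEN]       # portion extracted from the ciphertext
    second_subdata = os.urandom(PORTION_LEN)          # "noise" written in its place
    second_data_ct = second_subdata + first_data_ct[PORTION_LEN:]
    first_subdata_ct = keystream_xor(second_key, first_subdata)
    return second_data_ct, first_subdata_ct


def server_release_subdata(first_subdata_ct: bytes, second_key: bytes) -> bytes:
    """Server-side, after the recipient has passed verification: recover the
    first subdata with the second key so it can be returned to the recipient."""
    return keystream_xor(second_key, first_subdata_ct)


def recipient_decrypt(second_data_ct: bytes, first_subdata: bytes, first_key: bytes) -> bytes:
    """Recipient: splice the first subdata back over the predetermined portion to
    rebuild the first data ciphertext, then decrypt it with the first key."""
    first_data_ct = first_subdata + second_data_ct[PORTION_LEN:]
    return keystream_xor(first_key, first_data_ct)


def decrypt_without_subdata(second_data_ct: bytes, first_key: bytes) -> bytes:
    """What a holder of only the first key gets: the noise bytes decrypt to garbage.
    Caveat: with a stream cipher, as here, every byte after the replaced portion
    still decrypts correctly, so the portion must cover the data that matters, or a
    cipher mode in which the portion affects the rest of the message must be used."""
    return keystream_xor(first_key, second_data_ct)
```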
In some embodiments of the invention, the first recipient must hold the first key and the second key at the same time in order to decrypt the data ciphertext obtained from the sender. In that case, when the first recipient passes the second verification by the server-side, the server-side not only sends the first key to the first recipient encrypted with the first recipient's public key, but also combines the third sub-key and the fourth sub-key into the second key and sends it to the first recipient encrypted with the first recipient's public key. By requiring the recipient to obtain two separate keys before the ciphertext can be decrypted into the data plaintext, this embodiment of the present invention improves the security of the data ciphertext.
Fig. 8 is a schematic flow chart of one embodiment of the data forwarding method of the invention; the data forwarding method of this embodiment is applied to the sender's client.
As shown in Fig. 8, the data forwarding method of this embodiment of the present invention includes:
S510, obtaining a data ciphertext and a first record identification, wherein the first record identification is generated by the server-side and is stored at the server-side in association with the first key required to decrypt the data ciphertext;
S511, sending to the server-side a data forwarding request including the M recipient identifier, the first record identification and the N recipient identifier, to request that the server-side, based on the M forwarding record that includes the M recipient identifier and the first record identification, store the first record identification in association with the N recipient identifier as the N forwarding record, where N and M are positive integers and N is not equal to M;
S512, sending the data ciphertext and the first record identification to the N recipient.
In this embodiment of the present invention, the M recipient is any recipient that has obtained the data ciphertext and the first record identification from the aforementioned data sender; when the M recipient needs to forward the data to the N recipient, it acts as the sender with respect to the N recipient. The first record identification is the record identification that the server-side allocated to the initial data distribution request when the data sender sent that request to the server-side. At that time the server-side stored the first key required to decrypt the data ciphertext carried in the initial data distribution request together with the first record identification as an individual data distribution record and, in response to the data sender's request, also stored the first record identification in association with the M recipient identifier as the M forwarding record for the M recipient.
After obtaining the data ciphertext and the first record identification from the data sender, the M recipient can send the server-side a data forwarding request including the M recipient identifier, the first record identification and the N recipient identifier. On receiving this data forwarding request, the server-side first checks, according to the M recipient identifier and the first record identification, whether an M forwarding record exists; if so, it stores the first record identification in association with the N recipient identifier as the N forwarding record for the N recipient.
Since the M recipient is a recipient to which the server-side forwards the key data for the first time, while the N recipient is a recipient to which the server-side forwards the key data a second time, the data forwarding request that the M recipient sends to the server-side is also referred to in this embodiment as a data re-forwarding request.
After receiving the data ciphertext and the first record identification from the M recipient, the N recipient can send the server-side a data acquisition request including the first record identification and the N recipient identifier; in response to the data acquisition request, the server-side transmits the key data or related data to the N recipient.
Through this embodiment of the present invention, after the data sender has sent a certain data ciphertext and the first record identification to the M recipient, if the M recipient needs to forward the same data to any other recipient, it can send a data re-forwarding request to the server-side asking the server-side to forward the key data or related data already stored at the server-side to that other recipient. Forwarding can thus be carried out quickly without re-encrypting the data to be forwarded.
In one embodiment of the invention, the data re-forwarding request that the M recipient sends to the server-side may also include N verification data used to verify the N recipient; the N verification data may include data such as the N recipient's public key. Before transmitting the key data or related data to the N recipient in response to the N recipient's data acquisition request, the server-side verifies the N recipient using the N verification data. For example, the server-side generates a random number, encrypts it with the N recipient's public key, sends it to the N recipient, and verifies the identity of the N recipient by checking whether the data returned by the N recipient is that random number. Through this embodiment of the present invention, when the M recipient sends data re-forwarding requests to the server-side for different data recipients, it can provide the server-side with the corresponding verification data for each, so the verification is targeted and data security is improved.
In one embodiment of the invention, the N verification data that the M recipient sends to the server-side in the data re-forwarding request may include the N recipient's public key, the N check number and the first key N ciphertext, where the first key N ciphertext is generated by encrypting the N check number and the first key with the N recipient's public key. In another embodiment, the N verification data that the M recipient sends to the server-side in the data re-forwarding request may include the N recipient's public key, the N check number and the second key N ciphertext, where the second key N ciphertext is generated by encrypting, with the N recipient's public key, the N check number and the second key required when decrypting the data ciphertext. In some embodiments of the invention, the N verification data that the M recipient sends to the server-side in the data re-forwarding request may include the N recipient's public key, the N check number, the above first key N ciphertext and the above second key N ciphertext.
Since the server-side stored the first key and/or the second key when it received the initial data distribution request, it can verify the verification data returned by the N recipient using the N check number and the first key and/or the second key.
In addition, in this embodiment of the present invention the first key or the second key may also be split into two sub-keys: one sub-key is stored at the server-side together with the first record identification, while the other sub-key is used to generate the sub-key ciphertext for verifying the N recipient, which is stored in the N forwarding record at the server-side.
In this embodiment of the present invention, when generating the first key N ciphertext or the second key N ciphertext, or when generating the N ciphertext of a sub-key split from the first key or the second key, the M recipient may use the first key and/or the second key or the individual sub-keys stored by the M recipient's client, or may obtain the first key and/or the second key or the individual sub-keys returned by the server-side by sending a key acquisition request to the server-side.
In some embodiments of the invention, the server-side has prestored the first record identification, the first key, the second key and the first ciphertext of the first subdata; the second key is used to decrypt the first ciphertext of the first subdata to obtain the first subdata, and the first subdata is used to replace the predetermined portion of the data ciphertext to obtain another data ciphertext that can be decrypted with the first key. After the N recipient has passed the server-side's verification, the server-side returns the first key and the first subdata to the N recipient.
In other embodiments of the invention, the data ciphertext includes a first data ciphertext and a second data ciphertext that are decrypted with the first key and the second key respectively. After the N recipient has passed the server-side's verification, the server-side returns the first key and the second key to the N recipient.
Fig. 9 is a schematic flow chart of one embodiment of the data forwarding method of the invention; the data forwarding method of this embodiment is applied to the server-side.
As shown in Fig. 9, the data forwarding method of this embodiment of the present invention includes:
S520, when receiving from the M recipient a data forwarding request including the M recipient identifier, the first record identification and the N recipient identifier, storing, based on the M forwarding record that includes the M recipient identifier and the first record identification, the first record identification in association with the N recipient identifier as the N forwarding record, where the first record identification is generated by the server-side and is stored at the server-side in association with the first key required to decrypt the data ciphertext, and N and M are positive integers with N not equal to M;
S521, when receiving from the N recipient a data receiving request including the N recipient identifier and the first record identification, sending the first key to the N recipient based on the N forwarding record.
The data forwarding method applied to the server-side in this embodiment of the present invention corresponds to the data distributing method applied to the sender's client in the embodiment shown in Fig. 8; for its implementation, refer to the explanation of the embodiment shown in Fig. 8 and of the other embodiments above, which is not repeated here.
Fig. 10 is a schematic flow chart of one embodiment of the data forwarding method of the invention; the data forwarding method of this embodiment is applied to the recipient's client.
As shown in Fig. 10, the data forwarding method of this embodiment of the present invention includes:
S530, when receiving the data ciphertext and the first record identification from the M recipient, sending to the server-side a data receiving request including the first record identification and the N recipient identifier, wherein the first record identification is generated by the server-side and is stored at the server-side in association with the first key required to decrypt the data ciphertext, and N is a positive integer;
S530, obtaining from the server-side the first key that the server-side returns based on the N forwarding record that includes the first record identification and the N recipient identifier, the first key being used to decrypt the data ciphertext.
The data forwarding method applied to the recipient's client in this embodiment of the present invention corresponds to the data distributing method applied to the sender's client in the embodiment shown in Fig. 8; for its implementation, refer to the explanation of the embodiment shown in Fig. 8 and of the other embodiments above, which is not repeated here.
In any of the above embodiments of the invention, when the server-side receives the information and data that the sender transmits with a data distribution request, it can store this information and data indexed by the first recipient identifier contained in them, in association with the allocated first record identification. When the sender wishes to revoke the related data that it asked the server-side to forward to the first recipient, it can send the server-side a data distribution revocation request including the first record identification and the first recipient identifier, requesting that the server-side delete the first recipient identifier and the information stored in association with it. On receiving from the sender the data distribution revocation request for the first recipient, which includes the first record identification and the first recipient identifier, the server-side can delete the individual forwarding record that includes the first recipient identifier and the information stored in association with it. After the server-side has deleted the first recipient identifier and the associated information, when the first recipient sends the server-side a data receiving request including the first recipient identifier, the server-side will not find any forwarding record related to the first recipient identifier and so will not return decryption data such as the first key to the first recipient in response to the receiving request; the sender's timely revocation of data that has already been distributed is thereby realized. At the same time, deleting the individual forwarding record that includes the first recipient identifier and the information stored in association with it does not affect the individual data distribution record that includes the first record identification, the second sub-key ciphertext and so on. If the sender needs to restore the data distribution for the first recipient, it can send the server-side a data redistribution request including information such as the first recipient identifier, the first ciphertext of the first sub-key, the first recipient's public key and the data; the server-side can again store this information and data as an individual forwarding record, so that the first recipient can obtain the data required for decryption from the server-side.
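The server-side record logic of the forwarding method (Fig. 8 and Fig. 9 above) together with the revocation and redistribution flow just described, as an added Python model that is not the patent's own code. Assumptions: record identifications are random hex strings; the public-key challenge is abstracted as the recipient presenting the check number it decrypted, which the server compares with the stored one; and the server additionally checks that a revocation or redistribution comes from the record's original sender, which the text does not specify.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DistributionRecord:
    """Individual data distribution record: first record identification -> first key."""
    sender_id: str
    first_key: bytes            # key required to decrypt the data ciphertext


@dataclass
class ForwardingRecord:
    """M or N forwarding record: (record identification, recipient identifier)."""
    record_id: str
    recipient_id: str
    check_number: str           # verification data supplied by whoever forwarded


class ForwardingServer:
    def __init__(self) -> None:
        self._distribution: Dict[str, DistributionRecord] = {}
        self._forwarding: Dict[Tuple[str, str], ForwardingRecord] = {}

    def distribute(self, sender_id: str, first_key: bytes,
                   m_recipient_id: str, m_check_number: str) -> str:
        """Initial data distribution request: allocate the first record identification,
        store it with the first key, and create the M forwarding record."""
        record_id = secrets.token_hex(8)   # assumed format of the record identification
        self._distribution[record_id] = DistributionRecord(sender_id, first_key)
        self._forwarding[(record_id, m_recipient_id)] = ForwardingRecord(
            record_id, m_recipient_id, m_check_number)
        return record_id

    def forward_again(self, m_recipient_id: str, record_id: str,
                      n_recipient_id: str, n_check_number: str) -> bool:
        """Data re-forwarding request from M: honoured only if an M forwarding record
        exists for this record identification, and N must differ from M."""
        if n_recipient_id == m_recipient_id:
            return False
        if (record_id, m_recipient_id) not in self._forwarding:
            return False
        self._forwarding[(record_id, n_recipient_id)] = ForwardingRecord(
            record_id, n_recipient_id, n_check_number)
        return True

    def receive(self, recipient_id: str, record_id: str,
                presented_check_number: str) -> Optional[bytes]:
        """Data receiving request: return the first key only when a forwarding record
        exists for this recipient and the presented check number matches."""
        rec = self._forwarding.get((record_id, recipient_id))
        if rec is None:
            return None
        if not hmac.compare_digest(rec.check_number, presented_check_number):
            return None
        return self._distribution[record_id].first_key

    def revoke(self, sender_id: str, record_id: str, recipient_id: str) -> bool:
        """Revocation: delete only the forwarding record; the distribution record stays."""
        dist = self._distribution.get(record_id)
        if dist is None or dist.sender_id != sender_id:   # added sender check
            return False
        return self._forwarding.pop((record_id, recipient_id), None) is not None

    def redistribute(self, sender_id: str, record_id: str,
                     recipient_id: str, check_number: str) -> bool:
        """Redistribution: recreate the forwarding record for a revoked recipient."""
        dist = self._distribution.get(record_id)
        if dist is None or dist.sender_id != sender_id:   # added sender check
            return False
        self._forwarding[(record_id, recipient_id)] = ForwardingRecord(
            record_id, recipient_id, check_number)
        return True

    def has_distribution_record(self, record_id: str) -> bool:
        return record_id in self._distribution
```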
The embodiment of the invention also provides a data distribution/forwarding device, which can be realized by a terminal device including a processor and a memory; the processor is configurable to run predetermined computer instructions stored in the memory to execute the data distribution/forwarding method applied to the sender's client in any of the above embodiments.
The embodiment of the invention also provides a data forwarding device, which can be realized by a terminal device including a processor and a memory and serving as a server; the processor is configurable to run predetermined computer instructions stored in the memory to execute the data forwarding method applied to the server-side in any of the above embodiments.
The embodiment of the invention also provides a data forwarding device, which can be realized by a terminal device including a processor and a memory; the processor is configurable to run predetermined computer instructions stored in the memory to execute the data forwarding method applied to the recipient's client in any of the above embodiments.
Since it is impossible to exhaust all embodiments in this application, or all combinations of the technical features, the present invention is not limited to the specific embodiments provided; on the basis of the embodiments disclosed herein, those skilled in the art are fully able to make various variations and modifications to these embodiments without departing from the spirit and design of the invention, and the embodiments resulting from such variations and modifications shall all fall within the claimed scope of the application.
Claims (23)
1. A data forwarding method applied to a sender's client, comprising:
obtaining a data ciphertext and a first record identification, wherein the first record identification is created by the server-side when it stores the information and data extracted from a data distribution request received from the sender's client, the extracted information and data include the first key required to decrypt the data ciphertext, and the first record identification is stored at the server-side in association with the first key;
sending to the server-side a data forwarding request including an M recipient identifier, the first record identification and an N recipient identifier, to request that the server-side, based on an M forwarding record including the M recipient identifier and the first record identification, store the first record identification in association with the N recipient identifier as an N forwarding record, where N and M are positive integers and N is not equal to M;
sending the data ciphertext and the first record identification to the N recipient.
2. The method of claim 1, wherein the data forwarding request further includes N verification data for verifying the N recipient, the N verification data including at least the N recipient's public key.
3. The method of claim 2, wherein the N verification data further includes an N check number and a first key N ciphertext, the first key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
4. The method of claim 3, wherein the N verification data further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required to decrypt the data ciphertext.
5. The method of claim 4, wherein the first record identification is also stored at the server-side in association with a first ciphertext of a first subdata, the second key is used to decrypt the first ciphertext of the first subdata to obtain the first subdata, and the first subdata is used to replace a predetermined portion of the data ciphertext to obtain another data ciphertext that can be decrypted with the first key.
6. The method of claim 4, wherein the data ciphertext includes a first data ciphertext and a second data ciphertext that are decrypted with the first key and the second key respectively.
7. The method of any one of claims 1-6, further comprising:
sending to the server-side a revocation request including the first record identification and the N recipient identifier, so that the server-side deletes the N forwarding record.
8. A data forwarding device comprising a processor, wherein the processor runs predetermined computer instructions to execute the data forwarding method of any one of claims 1-7.
9. A data forwarding method applied to a server-side, comprising:
when receiving from an M recipient a data forwarding request including an M recipient identifier, a first record identification and an N recipient identifier, storing, based on an M forwarding record including the M recipient identifier and the first record identification, the first record identification in association with the N recipient identifier as an N forwarding record, wherein the first record identification is created by the server-side when it stores the information and data extracted from a data distribution request received from the sender's client, the extracted information and data include the first key required to decrypt the data ciphertext, the first record identification is stored at the server-side in association with the first key, and N and M are positive integers with N not equal to M;
when receiving from the N recipient a data receiving request including the N recipient identifier and the first record identification, sending the first key to the N recipient based on the N forwarding record.
10. The method of claim 9, wherein the data forwarding request further includes N verification data for verifying the N recipient, the N verification data including at least the N recipient's public key,
the method further comprising: storing the N verification data in the N forwarding record;
when receiving the data receiving request from the N recipient, verifying the N recipient using the N verification data, and sending the first key to the N recipient after the N recipient passes verification.
11. The method of claim 10, wherein the N verification data further includes an N check number and a first key N ciphertext, the first key N ciphertext being generated by encrypting the N check number and the first key with the N recipient's public key.
12. The method of claim 11, wherein the N verification data further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required to decrypt the data ciphertext.
13. The method of claim 12, wherein the first record identification is also stored at the server-side in association with a first ciphertext of a first subdata,
the method further comprising:
after the N recipient passes verification, decrypting the first ciphertext of the first subdata with the second key to obtain the first subdata and sending it to the N recipient,
wherein the first subdata is used to replace a predetermined portion of the data ciphertext to obtain another data ciphertext that can be decrypted with the first key.
14. The method of claim 12, further comprising:
after the N recipient passes verification, sending the second key to the N recipient.
15. The method of any one of claims 9-14, further comprising:
when receiving a data forwarding revocation request including the first record identification and the N recipient identifier, deleting the N forwarding record.
16. A data forwarding device comprising a processor, wherein the processor runs predetermined computer instructions to execute the data forwarding method of any one of claims 9-15.
17. A data forwarding method applied to a recipient's client, comprising:
when receiving a data ciphertext and a first record identification from an M recipient, sending to the server-side a data receiving request including the first record identification and an N recipient identifier, wherein the first record identification is created by the server-side when it stores the information and data extracted from a data distribution request received from the sender's client, the extracted information and data include the first key required to decrypt the data ciphertext, the first record identification is stored at the server-side in association with the first key, and N is a positive integer;
obtaining from the server-side the first key returned by the server-side based on an N forwarding record including the first record identification and the N recipient identifier, and using the first key to decrypt the data ciphertext.
18. The method of claim 17, further comprising:
when receiving from the server-side an N verification data ciphertext for verifying the N recipient, decrypting the verification data ciphertext with the N recipient's private key and sending the decryption result to the server-side.
19. The method of claim 18, wherein the N verification data ciphertext includes a first key N ciphertext, the first key N ciphertext being generated by encrypting an N check number and the first key with the N recipient's public key.
20. The method of claim 19, wherein the N verification data ciphertext further includes a second key N ciphertext, the second key N ciphertext being generated by encrypting, with the N recipient's public key, the N check number and a second key required to decrypt the data ciphertext.
21. The method of claim 20, further comprising:
after the decryption result is verified by the server-side, obtaining a first subdata from the server-side, replacing a predetermined portion of the data ciphertext with the first subdata to obtain another data ciphertext, and decrypting the other data ciphertext with the first key to obtain the data plaintext.
22. The method of claim 20, further comprising:
after the decryption result is verified by the server-side, obtaining the second key from the server-side and using the second key when decrypting the data ciphertext.
23. A data forwarding device comprising a processor, wherein the processor runs predetermined computer instructions to execute the data forwarding method of any one of claims 17-22.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810096484.2A CN108200085B (en) | 2018-01-31 | 2018-01-31 | A kind of data distribution, retransmission method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108200085A CN108200085A (en) | 2018-06-22 |
CN108200085B true CN108200085B (en) | 2019-03-08 |
Family
ID=62591661
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108200085B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee after: Beijing Shendun Technology Co.,Ltd.; Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |