CN108200085B - A kind of data distribution, retransmission method and device - Google Patents

A kind of data distribution, retransmission method and device Download PDF

Info

Publication number
CN108200085B
CN108200085B CN201810096484.2A CN201810096484A CN108200085B CN 108200085 B CN108200085 B CN 108200085B CN 201810096484 A CN201810096484 A CN 201810096484A CN 108200085 B CN108200085 B CN 108200085B
Authority
CN
China
Prior art keywords
key
data
recipient
ciphertext
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810096484.2A
Other languages
Chinese (zh)
Other versions
CN108200085A (en
Inventor
孙吉平
张树勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd filed Critical Beijing Senseshield Technology Co Ltd
Priority to CN201810096484.2A priority Critical patent/CN108200085B/en
Publication of CN108200085A publication Critical patent/CN108200085A/en
Application granted granted Critical
Publication of CN108200085B publication Critical patent/CN108200085B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a kind of data forwarding methods, comprising: obtains data ciphertext and the first record identification, wherein the first record identification is generated by server-side and is used in server-side and first key associated storage required when the data ciphertext is decrypted;The data forwarding request identified including M recipient's mark, the first record identification and N recipient is sent to server-side, to request server-side based on the M forwarding record for including M recipient's mark and the first record identification, it is that N forwards record that first record identification and N recipient, which are identified associated storage, and N and M are positive integer and N is not equal to M;Data ciphertext and the first record identification are sent to N recipient.The invention also discloses corresponding data forwarding method and data distribution/retransmission units.Data distribution through the invention/forwarding scheme can effectively improve safety of the data in transmission process while improving user's convenience operationally when forwarding data.

Description

A kind of data distribution, retransmission method and device
Technical field
The present invention relates to information security field, in particular to a kind of data distribution, retransmission method and device.
Background technique
In internet, high development is current, and more and more data contents need to send by network.If by data Transmission is easy to be intercepted and captured by hacker content in a network in plain text, can when data are sent or are forwarded in order to improve the safety of data To use Digital Envelope Technology.
Digital Envelope Technology uses two layers of encryption system, and digital envelope includes encrypted content and is used for content-encrypt Content key (CEK) ciphertext.Sender is generally close to be encrypted to obtain content to content key using recipient's public key Key ciphertext, but the symmetric key that sender and recipient negotiate in advance can be used also to encrypt to content key.When connecing It when debit receives digital envelope, needs first to decrypt to obtain content key with the ciphertext of key pair content key, then with content key pair Content ciphertext decrypts to obtain content original text.Digital Envelope Technology combines that asymmetric key algorithm is highly-safe and symmetric key is calculated The fireballing advantage of method, it can be ensured that confidentiality of the data in transmission process can simultaneously prevent data to be tampered.
Currently, the data forwarding technology based on digital envelope improve Information Security and forwarding convenience in terms of there is also Room for improvement.
Summary of the invention
In view of this, the embodiment of the present invention proposes a kind of safety and convenience based on improved Digital Envelope Technology Higher data distribution, forwarding scheme.
For this purpose, being applied to sender's client the embodiment of the invention provides a kind of data forwarding method, comprising: obtain Data ciphertext and the first record identification, wherein the first record identification is generated by server-side and is used in server-side and to the number Required first key associated storage when being decrypted according to ciphertext;Send to server-side includes M recipient's mark, the first record The data forwarding request of mark and N recipient's mark includes M recipient's mark and the first record to request server-side to be based on The M of mark forwards record, and it is that N forwarding records that the first record identification and N recipient, which are identified associated storage, and N and M are positive Integer and N are not equal to M;Data ciphertext and the first record identification are sent to N recipient.
Preferably, further including the N verifying number for being verified to N recipient in the data forwarding request According to the N verify data includes at least N recipient's public key.
Preferably, the N verify data further includes N check number and first key N ciphertext, the first key N ciphertext is by generating N check number and first key encryption with N recipient's public key.
Preferably, the N verify data further includes the second key N ciphertext, the second key N ciphertext is by with N recipient's public key carries out encryption generation to N check number and second key required when the data ciphertext is decrypted.
Preferably, the first record identification is also used in server-side and first subdata the first ciphertext associated storage, second Key is used to first the first ciphertext of subdata be decrypted to obtain the first subdata, and the first subdata is for replacing the data Predetermined portions in ciphertext are to obtain another data ciphertext that can be decrypted by first key.
Preferably, the data ciphertext includes be decrypted respectively by the first key and the second key One data ciphertext and the second data ciphertext.
Preferably, the method also includes: sending to server-side includes that the first record identification and N recipient identify Revocation request, so that N is forwarded record deletion by server-side.
The embodiment of the invention also provides a kind of data forwarding device, including processor, the processor operation is scheduled Computer instruction is to execute the data forwarding method applied to sender's client of any of the above-described embodiment.
The embodiment of the invention also provides a kind of data forwarding methods, are applied to server-side, comprising: connect from M recipient When receiving the data forwarding request including M recipient's mark, the first record identification and N recipient's mark, based on including M The M of recipient's mark and the first record identification forwards record, and the first record identification is identified associated storage with N recipient and is N forwarding record, wherein first record identification is generated by server-side and is used to solve in server-side with to data ciphertext Required first key associated storage when close, N and M are positive integer and N is not equal to M;It receives from N recipient and is connect including N When the data receiver request of debit's mark and the first record identification, first key is sent to by N based on N forwarding record Recipient.
Preferably, further including the N verifying number for being verified to N recipient in the data forwarding request According to, the N verify data includes at least N recipient's public key, the method also includes: the N verify data is stored In N forwarding record;When receiving the data receiver from N recipient and requesting, using N verify data to the N recipient verifies, and after N recipient is by verifying, the first key is sent to N recipient.
Preferably, the N verify data further includes N check number and first key N ciphertext, the first key N ciphertext is by generating N check number and first key encryption with N recipient's public key.
Preferably, the N verify data further includes the second key N ciphertext, the second key N ciphertext is by with N recipient's public key carries out encryption generation to N check number and second key required when the data ciphertext is decrypted.
Preferably, the first record identification is also used in server-side and first subdata the first ciphertext associated storage, it is described Method further include: after N recipient is by verifying, decrypted to obtain the first son with second key pair the first ciphertext of the first subdata N recipient is sent to after data, wherein the first subdata is used to replace the predetermined portions in the data ciphertext to obtain energy Enough another data ciphertexts being decrypted by first key.
Preferably, the second key is sent to N recipient after N recipient is by verifying.
Preferably, the method also includes: it receives the data including the first record identification and N recipient's mark and turns When hair revocation request, N is forwarded into record deletion.
The embodiment of the invention also provides a kind of data forwarding device, including processor, the processor operation is scheduled Computer instruction is to execute the data forwarding method applied to server-side of any of the above-described embodiment.
The embodiment of the invention also provides a kind of data forwarding methods, are applied to recipient's client, comprising: connect from M When debit receives data ciphertext and the first record identification, sending to server-side includes that the first record identification and N recipient mark The data receiver of knowledge is requested, wherein first record identification is generated by server-side and is used in server-side and to data ciphertext Required first key associated storage, N are positive integer when being decrypted;Server-side is obtained from server-side to be based on including described first The N forwarding of record identification and N recipient's mark records and the first key of return, is decrypted to data ciphertext When use first key.
Preferably, making when receiving the N verify data ciphertext for being verified to N recipient from server-side Verify data ciphertext is decrypted with N recipient's private key, and decrypted result is sent to server-side.
Preferably, the N verify data ciphertext includes first key N ciphertext, the first key N ciphertext is logical It crosses and N check number and first key encryption is generated with N recipient's public key.
Preferably, the N verify data ciphertext further includes the second key N ciphertext, the second key N ciphertext By carrying out encryption life to N check number and second key required when the data ciphertext is decrypted with N recipient's public key At.
Preferably, the method also includes: after the decrypted result is verified by server-side, the is obtained from server-side One subdata replaces the predetermined portions in the data ciphertext with the first subdata and obtains another data ciphertext, and close with first Key is decrypted to obtain data clear text to another data ciphertext.
Preferably, the method also includes: after the decrypted result is verified by server-side, the is obtained from server-side Two keys, and the second key is used when the data ciphertext is decrypted.
The embodiment of the invention also provides a kind of data forwarding device, including processor, the processor operation is scheduled Computer instruction is to execute the data forwarding method applied to recipient's client of any of the above-described embodiment.
Data distribution through the embodiment of the present invention/forwarding scheme can operated improving user when forwarding data On convenience while, effectively improve safety of the data in transmission process.
Detailed description of the invention
Fig. 1 is the schematic flow chart of one embodiment of data distributing method of the invention;
Fig. 2 is the schematic flow chart of another embodiment of data distributing method of the invention;
Fig. 3 is the schematic flow chart of one embodiment of data forwarding method of the invention;
Fig. 4 is the schematic flow chart of another embodiment of data forwarding method of the invention;
Fig. 5 is the schematic flow chart of one embodiment of data forwarding method of the invention;
Fig. 6 is the schematic flow chart of one embodiment of data forwarding method of the invention;
Fig. 7 is the schematic flow chart of another embodiment of data forwarding method of the invention;
Fig. 8 is the schematic flow chart of one embodiment of data distributing method of the invention;
Fig. 9 is the schematic flow chart of one embodiment of data forwarding method of the invention;
Figure 10 is the schematic flow chart of one embodiment of data forwarding method of the invention.
Specific embodiment
The each embodiment of the present invention is described in detail with reference to the accompanying drawings.
Fig. 1 is the schematic flow chart of one embodiment of data distributing method of the invention, the number of the embodiment of the present invention It is applied to data sender's client according to distribution method.
As shown in Figure 1, the data distributing method of the embodiment of the present invention includes:
S110, it is encrypted during to data encryption using at least one key, obtains data ciphertext, institute Stating at least one key includes first key;
In embodiments of the present invention, data sender is when needing to send data to data receiver, first by number to be sent According to being encrypted, can be handled using at least one data key in encryption process, this at least one it is close It include first key in key, it is the random number that the first recipient generates that first key, which can be sender, is also possible to sender It is any character string that the first recipient generates by customized mode.In addition, first key can be whole generation, it is also possible to By the way that multiple character strings are combined generation.
The embodiment of the present invention to the cipher mode of data without particular requirement, as an example, cipher mode for example may is that use First key generates data ciphertext to data encryption to be sent;First with close with first again after the data encryption to be sent of other key pairs Key encryption generates data ciphertext;First with first key to close with other keys encryption generation data again after data encryption to be sent Text;Encrypt etc. with the different piece of first key and other key pairs data to be sent.Here other keys are for example The symmetric key that the public key or sender and the first recipient that can be the first recipient are negotiated in advance.
S111, the first key is split as to the first sub-key and the second sub-key, and is generated based on the first sub-key First the first ciphertext of sub-key;
The mode split in the embodiment of the present invention to first key, can be from any in first key without particular requirement First key is split as two parts by position.Sender and the first recipient can be used to negotiate for first the first ciphertext of sub-key Any the first sub-key of key pair carries out encryption generation to comprising the character string including the first sub-key, such as can be used first Recipient's public key or the symmetric key negotiated in advance encrypt.
S112, data distribution request is sent to server-side, include at least the first recipient in the data distribution request and mark Knowledge, first recipient's public key, first the first ciphertext of sub-key and the second sub-key;
In the embodiment of the present invention, sender is distributed by way of sending data distribution request to server-side to server-side First key is transmitted to the first recipient by verifying so as to server-side by first key.Sender is sent to server-side First key is two parts, i.e. first the first ciphertext of sub-key and the second sub-key by sender's processing.Data distribution is asked It further include the first recipient mark and first recipient's public key in addition to two parts of first key in asking, wherein first receives For making server-side identify the first recipient, first recipient's public key will need to be sent to the first reception side's mark for server-side The data of side are transmitted after being encrypted.
First the first ciphertext of sub-key is for verifying the first recipient.When first the first ciphertext of sub-key is with When one recipient's public key encryption generates, the first sub-key of key pair encryption that sender also uses sender and server-side to negotiate is generated First the second ciphertext of sub-key is simultaneously sent to server-side with data distribution request, and server-side uses first the first ciphertext pair of sub-key When first recipient carries out authentication, arranging key can be used to decrypt to obtain the first sub-key to first the second ciphertext of sub-key To examine the verify data of the first recipient return whether correct.When first the first ciphertext of sub-key is using sender and first When the symmetric key encryption that recipient negotiates generates, the key encryption the negotiated above-mentioned with server-side is can be used in sender One sub-key generates first the second ciphertext of sub-key and is sent to server-side, and the above-mentioned key negotiated with server-side also can be used To server-side is sent to after the symmetric key encryption used when generating first the first ciphertext of sub-key, so that server-side can obtain First sub-key or character string including the first sub-key are come the inspection data of examining the first recipient to return.Sender and service The key that end is negotiated for example can be the public key or symmetric key of server-side.
The second sub-key that sender is sent to server-side directly can request to send with data distribution, can also send It requests to send with data distribution after the preceding key encryption negotiated with sender and server-side.Server-side is receiving the second sub-key Or second sub-key ciphertext and after decrypting and obtaining the second sub-key, stored after being encrypted to the second sub-key, or by the Two sub-keys are split as multiple portions and are stored respectively, or the second sub-key can also be split as to multiple portions and divided It is stored after not encrypted.
In addition, sender be sent to server-side data distribution request in can also include other than above- mentioned information and data Other information or data.As an example, sender can also request the Kazakhstan for sending data ciphertext to server-side by data distribution Uncommon value, transmitting side marking etc..
S113, the first record identification returned is received from server-side, and data ciphertext and the first record identification are sent to First recipient.
Server-side extracts the first recipient mark, first when receiving data distribution request from data distribution request These information and data are deposited after the information such as recipient's public key, first the first ciphertext of sub-key and the second sub-key and data Storage, and the first record identification is accordingly created for these information and data of storage, the first record identification is then returned into hair The side's of sending client.
Sender's client after receiving the first record identification from server-side, can a time point in office corresponding data are close Text and the first record identification are transmitted directly to the first recipient or are sent to the first recipient indirectly by another server-side.
First recipient can connect after receiving the first record identification and data ciphertext by the first record identification and first Debit identifies to server-side and requests first key, and server-side first the first ciphertext of sub-key can be used to test when receiving request The identity of the first recipient is demonstrate,proved, and in the case where the first recipient is by verifying, by the first sub-key and the second sub-key group First key is synthesized, the first recipient will be sent to after first recipient's public key encryption of first key.
Through the embodiment of the present invention, the first key processing used when decrypting to data ciphertext is two by data sender Part is simultaneously sent to server-side, the verify data that recipient receives from server-side with recipient's public key and recipient's mark together Only a part of first key only could obtain complete first key after through verifying.As a result, by close by first A part of key is used as verify data, and verify data is generated by sender, and verify data can be directly sent to by server-side Recipient verifies, and alleviates management and calculated load of the server-side in verifying, meanwhile, first key is divided into two parts The processing such as different encryption or storage is carried out, even if hacker's communication interception data or attack server-side, it is also difficult to determine that first is close The specific composition mode of key and have passed through what kind of processing, it is ensured that first key in the transmission and server-side storage when Safety.
In an embodiment of the invention, the first sub-key can be encrypted with first recipient's public key to obtain in S111 One the first ciphertext of sub-key can make when the first recipient receives first the first ciphertext of sub-key for verifying from server-side First the first ciphertext of sub-key is decrypted to obtain the first sub-key with first recipient's private key, then the first sub-key is returned into clothes It is verified at business end.
It in another embodiment, can be with first recipient's public key to the first check number and the first son in S111 Key encrypts to obtain first the first ciphertext of sub-key.First check number for example can be sender generation fixed length random number or First check number and the first sub-key can be combined into a character string by the character string of the customized generation of sender, sender, be used First recipient's public key encrypts this character string and generates first the first ciphertext of sub-key, and the first check number is also carried It is sent in the data distribution request of server-side.When first recipient receives first the first ciphertext of sub-key from server-side, use First recipient's private key is decrypted to obtain the word being spliced by the first check number and the first sub-key to first the first ciphertext of sub-key Symbol goes here and there and simultaneously returns to server-side, server-side will be requested from data distribution in the first check number for obtaining and the first sub-key be combined into Character string is verified come the character string returned to the first recipient.
Fig. 2 is the schematic flow chart of another embodiment of data distributing method of the invention.
As shown in Fig. 2, the data distributing method of the embodiment of the present invention includes:
S120, it is encrypted to obtain data ciphertext using at least one key during to data encryption, until A few key includes first key and the second key;
S121, first key is split as to the first sub-key and the second sub-key, and generates first based on the first sub-key The first ciphertext of sub-key;
S122, the second key is split as to third sub-key and the 4th sub-key, and third is generated based on third sub-key The first ciphertext of sub-key;
S123, data distribution request is sent to server-side, the first recipient mark, the are included at least in data distribution request One recipient's public key, first the first ciphertext of sub-key and the second sub-key, the first ciphertext of third sub-key and the 4th sub-key;
S124, the first record identification returned is received from server-side, and data ciphertext and the first record identification are sent to First recipient.
In the embodiment of the present invention, first key and the second key have been used when encrypting to data.First key and Second key is sender's generation, and not for known to the first recipient.
Similar with the processing mode of first key, it is third respectively that the second key is also split as two parts by sender Sub-key and the 4th sub-key, and the first ciphertext of third sub-key is generated based on third sub-key.Then, sender is sub by third The first ciphertext of key and the 4th sub-key are also carried to be sent together into the data distribution request that server-side is sent.
The first ciphertext of third sub-key is also used for carrying out authentication to the first recipient.When the first ciphertext of third sub-key It is when being generated with first recipient's public key encryption, sender also needs the key pair third sub-key negotiated with sender and server-side Encryption generates the second ciphertext of third sub-key and is sent to server-side with data distribution request;When the first ciphertext of third sub-key is When being generated using the symmetric key encryption that sender and the first recipient negotiate, sender be can be used above-mentioned and server-side Negotiation key encryption third sub-key generate the second ciphertext of third sub-key be sent to server-side, also can be used it is above-mentioned with The key pair that server-side is negotiated is sent to server-side after generating the symmetric key encryption used when the first ciphertext of third sub-key, with Just the inspection data that server-side can obtain third sub-key the first recipient is examined to return.What sender and server-side were negotiated Key for example can be the public key or symmetric key of server-side.
The 4th sub-key that sender is sent to server-side directly can request to send with data distribution, can also send It requests to send with data distribution after the preceding key encryption negotiated with sender and server-side.Server-side is receiving the 4th sub-key Or the 4th sub-key ciphertext and after decrypting and obtaining the 4th sub-key, stored after being encrypted to the 4th sub-key, or by the Four sub-keys are split as multiple portions and are stored respectively, or the 4th sub-key can also be split as to multiple portions and divided It is stored after not encrypted.
After first recipient receives data ciphertext and the first record identification from sender, request to server-side using decryption Required key, server-side respectively test the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key Card allows the first recipient to use key needed for decrypting after being verified.Server-side is sent needed for decryption to the first recipient The mode of data depends on first key and usage mode of second key when to data encryption, this will be combined later implements Example is illustrated.
In the embodiment of the present invention, the first recipient is in ciphertext data ciphertext other than needing first key, it is also necessary to the Two keys or data relevant to the second key, server-side is directed to first key respectively and the second key is independent to the first reception Fang Jinhang authentication further improves the safety of data ciphertext and key.
The generating mode of the second key can be same or like with the generating mode of first key in the embodiment of the present invention.Example Such as, in an embodiment of the invention, third sub-key can be encrypted with first recipient's public key to obtain third in S122 The first ciphertext of key.In another embodiment, in S122 can with first recipient's public key to the first check number and Third sub-key encrypts to obtain the first ciphertext of third sub-key, the first check number used when generating first the first ciphertext of sub-key Can be identical or different with the first check number used when generating the first ciphertext of third sub-key, it is different in used check number In the case of, sender need to carry each check number into the data distribution request that server-side is sent and indicate each check number and test Corresponding relationship between card sub-key ciphertext.
First key and cipher mode when the second key for encrypting data are used to sender below in conjunction with embodiment It is schematically illustrated.
In an embodiment of the invention, sender is when to data encryption, first using first key to sent number According to being encrypted to obtain the first data ciphertext in plain text, the first subnumber then is extracted from the predetermined portions in the first data ciphertext According to replacing the position of first the first subdata of data ciphertext Central Plains with the second subdata, generate the second data ciphertext, and with second Key encrypts the first subdata and obtains first the first ciphertext of subdata.Wherein, the side of the first subdata is extracted from the first ciphertext Formula is unlimited, such as can extract low volume data respectively as the first subdata from the head, middle part and end of the first ciphertext, or From the first half of the first ciphertext and the latter half of middle low volume data that extracts respectively as the first subdata.For replacing in the first ciphertext The character string that second subdata of former first subdata position for example can be sky data or sender arbitrarily generates.Hair The side of sending need to only arrange the position that the first subdata is extracted from the first ciphertext with the first recipient, without with the first recipient agreement the The generating mode of two subdatas.Meanwhile sender also needs to send first the first ciphertext of subdata to server-side, and second is counted The first recipient is sent to according to ciphertext and the first record identification.First recipient receives the second data ciphertext and the first record identification Afterwards, the first record identification and the first recipient mark are sent to request first key and the first subdata first close to server-side Text, server-side are respectively verified the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key Afterwards, third sub-key and the 4th sub-key are combined into first the first ciphertext of subdata of the second key decryption and obtain the first subnumber According to, and the first recipient will be sent to after first recipient's public key encryption of first key and the first subdata.First recipient After receiving first key and the first subdata, the predetermined portions in the second data ciphertext are replaced with the first subdata and obtain first Data ciphertext, then the first data ciphertext is decrypted to obtain data clear text with first key.In embodiments of the present invention, by will be right First data ciphertext carries out the second data ciphertext that above-mentioned processing obtains and is sent to the first recipient, so that the first recipient obtains Ciphertext data in include noise, can be effectively prevented Brute Force, improve the safety of data ciphertext.
In another embodiment, sender is when encrypting data, first by clear data to be sent The first data and the second data are split as, the first data are encrypted using first key to obtain the first data ciphertext, are used Second the second data of key pair are encrypted to obtain the second data ciphertext, and using the first data ciphertext and the second data ciphertext as Above-mentioned data ciphertext is sent to the first recipient together with the first record identification.First recipient receives the first data ciphertext, After two data ciphertexts and the first record identification, to server-side the first record identification of transmission to request first key and the second key, After server-side is respectively verified the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key, The first recipient will be sent to after first recipient's public key encryption of first key and the second key.First recipient receives After one key and the second key, decrypted respectively with first key and second key pair the first data ciphertext and the second data ciphertext It combines to obtain data clear text to the first data and the second data, then by the first data and the second data.In embodiments of the present invention, By the way that data are split as two parts and are sent to recipient after encryption respectively, recipient need to obtain the corresponding key point of two parts Target data can be just obtained in plain text after the other decryption to ciphertext, can be improved the safety of data ciphertext.
In further embodiment of the present invention, sender is when encrypting data, first using first key to pending It send data clear text to be encrypted to obtain the first data ciphertext, reuses second key pair the first data ciphertext and encrypted to obtain Two data ciphertexts, and the second data ciphertext and the first record identification are sent to the first recipient.First recipient receives second After data ciphertext and the first record identification, the first record identification is sent to request first key and the second key to server-side, is taken It, will after business end is respectively verified the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key The first recipient is sent to after first recipient's public key encryption of first key and the second key.First recipient receives first After key and the second key, first decrypt to obtain the first data ciphertext with second key pair the second data ciphertext, then use first key First data ciphertext is decrypted to obtain data clear text.In embodiments of the present invention, by being sent after data are carried out multi-layer security To recipient, it is successively bright to can just obtain target data after the decryption of data ciphertext that recipient need to obtain two layers of encryption counterpart keys Text can be improved the safety of data ciphertext.
Fig. 3 is the schematic flow chart of one embodiment of data forwarding method of the invention, the number of the embodiment of the present invention It is applied to server-side according to retransmission method.
As shown in figure 3, the data forwarding method of the embodiment of the present invention includes:
S130, it receives from sender including at least the first recipient mark, first recipient's public key, the first sub-key When one ciphertext and the data distribution of the second sub-key are requested, the first record identification is returned to sender;
In the embodiment of the present invention, sender is distributed by way of sending data distribution request to server-side to server-side First key, so that first key is transmitted to the first recipient by verifying by server-side, first key is wanted to sender Issue the first recipient data encrypt during use.The first key that sender is sent to server-side is sent out The side's of sending processing is two parts, i.e. first the first ciphertext of sub-key and the second sub-key (referring to S111).Server-side connects from sender It further include that the first recipient mark and the first recipient are public in addition to two parts of first key in the data distribution request received Key, wherein for the first recipient mark for making server-side identify the first recipient, first recipient's public key need to for server-side Be sent to the first recipient data encrypt after transmit.After server-side receives data distribution request, for the data point Hair request the first record identification of distribution simultaneously returns to sender.
S131, the second sub-key is encrypted to obtain second the first ciphertext of sub-key, the first record identification and the second son is close Key the first ciphertext associated storage, and by the first recipient mark at least the first record identification, first the first ciphertext of sub-key and First recipient's public key associated storage;
Then, server-side is performed corresponding processing and is stored to the information and data extracted in requesting from data distribution.Its In, server-side, which extracts the second sub-key in requesting from data distribution or extracts the second sub-key ciphertext and decrypt, obtains the After two sub-keys, second the first ciphertext of sub-key is stored as after the second sub-key being encrypted, or can be close by the second son Key is split as multiple portions and is stored as second the first ciphertext of sub-key after being encrypted respectively.Then, server-side is remembered first Record mark and the second sub-key the first ciphertext associated storage relevant to the decryption of data ciphertext are individual data distribution record, And individually one forwarding of creation records for the first recipient mark, by the first record identification and relevant to the first recipient first The data such as the first ciphertext of sub-key, first recipient's public key are stored in this forwarding record.
S132, the data receiver request including the first recipient mark and the first record identification is received from the first recipient When, the first verifying is carried out to the first recipient using first the first ciphertext of sub-key;
First recipient, can be by the first record after receiving the first record identification and data ciphertext from data sender Mark and the first recipient identify to server-side and request first key, and server-side, can be by the when receiving data receiver request One the first ciphertext of sub-key is sent to the first recipient to verify the identity of the first recipient.When first the first ciphertext of sub-key is When being generated with first recipient's public key encryption, the first sub-key of key pair that sender can also be negotiated with sender with server-side adds Dense to be sent to server-side at first the second ciphertext of sub-key, server-side is using first the first ciphertext of sub-key to the first recipient When carrying out authentication, arranging key can be used to decrypt to obtain the first sub-key to first the second ciphertext of sub-key to examine first Whether the verify data that recipient returns is correct.When first the first ciphertext of sub-key is negotiated using sender and the first recipient Symmetric key encryption when generating, sender also will use the key negotiated above-mentioned with server-side, and to encrypt the first sub-key raw It is sent to server-side at first the second ciphertext of sub-key, or will use the above-mentioned key pair negotiated with server-side and generate first It is sent to server-side after the symmetric key encryption used when the first ciphertext of sub-key, so that server-side can obtain the first sub-key Or the character string comprising the first sub-key come examine the first recipient return inspection data.
S133, when the first recipient is at least through the first verifying, the first sub-key and the second sub-key group are combined into the One key and with being sent to the first recipient after first recipient's public key encryption.
In the case where the first recipient is by verifying, the first sub-key and the second sub-key are combined into first by server-side Key, will be sent to the first recipient after first recipient's public key encryption of first key, the first recipient can be used from service The first key obtained is held to be decrypted to obtain data clear text to the data ciphertext obtained from sender.
Through the embodiment of the present invention, a part of first key is used as verify data, and verify data is by sender Generate, verify data directly can be sent to recipient and verified by server-side, alleviate management of the server-side in verifying and Calculated load, at the same ensure first key in the transmission and server-side storage when safety.
In an embodiment of the invention, first the first ciphertext of sub-key passes through close to the first son with first recipient's public key Key encrypts to obtain, can be by sub by first after first the first ciphertext of sub-key is sent to the first recipient by server-side in S132 Whether it is correct that key and the verify data returned from the first recipient are compared to determine that the first recipient returns One sub-key.
It in another embodiment, further include the first check number in data distribution request, and the first sub-key First ciphertext to the first check number and the first sub-key with first recipient's public key by being encrypted to obtain, server-side in S132 After first the first ciphertext of sub-key is sent to the first recipient, can by by the first sub-key and the first check number with from first Recipient return verify data be compared to determine the first recipient whether return correctly include the first check number and The data of first sub-key.
Fig. 4 is the schematic flow chart of another embodiment of data forwarding method of the invention.
As shown in figure 4, the data forwarding method of the embodiment of the present invention includes:
S140, it receives from sender including at least the first recipient mark, first recipient's public key, the first sub-key When one ciphertext and the second sub-key and the first ciphertext of third sub-key and the data distribution of the 4th sub-key are requested, to sender Return to the first record identification;
S141, the second sub-key is encrypted to obtain second the first ciphertext of sub-key, the 4th sub-key is encrypted to obtain the 4th The first ciphertext of sub-key;
S142, by the first record identification and second the first ciphertext of sub-key and the 4th sub-key the first ciphertext associated storage, And by the first recipient mark at least the first record identification, first the first ciphertext of sub-key, the first ciphertext of third sub-key and First recipient's public key associated storage;
S143, the data receiver request including the first recipient mark and the first record identification is received from the first recipient When, the first verifying is carried out to the first recipient using first the first ciphertext of sub-key, using the first ciphertext of third sub-key to the One recipient carries out the second verifying;
S144, when the first recipient is at least through the first verifying, the first sub-key and the second sub-key group are combined into the One key and with being sent to the first recipient after first recipient's public key encryption, will when the first recipient is by the second verifying Data corresponding to the second verifying are sent to the first recipient.
In embodiments of the present invention, sender has used first key and the second key when encrypting to data.The One key and the second key are sender's generation, and not for known to the first recipient.With the processing mode class of first key Seemingly, the second key is also split as two parts by sender, is third sub-key and the 4th sub-key respectively, and based on third Key generates the first ciphertext of third sub-key.Server-side includes that third is close from the data distribution request that sender receives The first ciphertext of key and the 4th sub-key.
Server-side carries out the first recipient using both first the first ciphertext of sub-key and first ciphertext of third sub-key Authentication.When the first ciphertext of third sub-key is generated with first recipient's public key encryption, sender can also use sender The key pair third sub-key encryption negotiated with server-side generates the second ciphertext of third sub-key and requests to send with data distribution To server-side;When the first ciphertext of third sub-key is that the symmetric key encryption negotiated using sender and the first recipient is generated When, sender can also generate the second ciphertext of third sub-key hair with the above-mentioned key encryption third sub-key negotiated with server-side Pair used when giving server-side, or the first ciphertext of third sub-key can be generated with the above-mentioned key pair negotiated with server-side Server-side is sent to after claiming key encryption.Server-side is it is possible thereby to obtain third sub-key to examine the first recipient to third The inspection data returned after the decryption of the first ciphertext of key.
Server-side extracts the ciphertext of the 4th sub-key or the 4th sub-key in requesting from data distribution and decryption obtains After 4th sub-key, the 4th the first ciphertext of sub-key is stored as after can encrypting to the 4th sub-key, or by the 4th sub-key It is split as multiple portions and is stored as the 4th the first ciphertext of sub-key after being encrypted respectively, and the second sub-key first is close Text, the 4th the first ciphertext of sub-key and the first record identification associated storage are individual data distribution record.
After first recipient receives data ciphertext and the first record identification from sender, request to server-side using decryption When required key, server-side respectively carries out the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key Verifying, after being verified, is combined into first key for the first sub-key and the second sub-key group and is added with first recipient's public key It is sent to the first recipient after close, and the data for corresponding to the second verifying are sent to the first recipient, so that the first recipient The data ciphertext that obtained from sender can be decrypted to obtain data clear text.The correspondence that server-side is sent to the first recipient First key and usage mode of second key when to data encryption are depended in the mode of the data of the second verifying, this will be It is explained later.
In the embodiment of the present invention, the first recipient is in ciphertext data ciphertext other than needing first key, it is also necessary to the Two keys or data relevant to the second key, server-side is directed to first key respectively and the second key is independent to the first reception Fang Jinhang authentication further improves the safety of data ciphertext and key.
In the embodiment of the present invention, the first ciphertext of third sub-key can by with first recipient's public key to third sub-key Encryption obtains, can be by close by third after the first ciphertext of third sub-key is sent to the first recipient by server-side in S143 Whether key and be compared to determining first recipient return from the verify data of the first recipient return are correct third Sub-key.
It in another embodiment, further include the first check number in data distribution request, and third sub-key First ciphertext to the first check number and third sub-key with first recipient's public key by being encrypted to obtain, server-side in S142 After the first ciphertext of third sub-key is sent to the first recipient, can by by third sub-key and the first check number with from first Recipient return verify data be compared to determine the first recipient whether return correctly include the first check number and The data of third sub-key.
Fig. 5 is the schematic flow chart of one embodiment of data forwarding method of the invention.
As shown in figure 5, the data forwarding method of the embodiment of the present invention includes:
S150, it receives from sender including at least the first recipient mark, first recipient's public key, the first sub-key The data of one ciphertext and the second sub-key, the first ciphertext of third sub-key and the 4th sub-key and first the first ciphertext of subdata When distribution request, the first record identification is returned to sender;
S151, the second sub-key is encrypted to obtain second the first ciphertext of sub-key, the 4th sub-key is encrypted to obtain the 4th The first ciphertext of sub-key;
S152, by the first record identification and second the first ciphertext of sub-key and the 4th the first ciphertext of sub-key and the first son Data the first ciphertext associated storage, and by the first recipient mark at least the first record identification, first the first ciphertext of sub-key, The first ciphertext of third sub-key and first recipient's public key associated storage;
S153, the data receiver request including the first recipient mark and the first record identification is received from the first recipient When, the first verifying is carried out to the first recipient using first the first ciphertext of sub-key, using the first ciphertext of third sub-key to the One recipient carries out the second verifying;
S154, when the first recipient is at least through the first verifying, the first sub-key and the second sub-key group are combined into the One key and with being sent to the first recipient after first recipient's public key encryption;
S155, when the first recipient by second verifying when, it is close that third sub-key and the 4th sub-key group are combined into second Key decrypts first the first ciphertext of subdata using the second key and obtains the first subdata, and uses first recipient's public key encryption First subdata is sent to the first recipient after obtaining first the second ciphertext of subdata.
In embodiments of the present invention, sender is first bright to sent data using first key when to data encryption Text is encrypted to obtain the first data ciphertext, then extracts the first subdata from the predetermined portions in the first data ciphertext, The position of first the first subdata of data ciphertext Central Plains is replaced with the second subdata, generates the second data ciphertext, and close with second Key encrypts the first subdata and obtains first the first ciphertext of subdata.Server-side can also be mentioned from the request of the data distribution of sender Get first the first ciphertext of subdata, and by first the first ciphertext of subdata, second the first ciphertext of sub-key, the 4th sub-key One ciphertext and the first record identification associated storage are individual data distribution record.
What the first recipient received from sender is the second data ciphertext and the first record identification, and is sent to server-side First record identification is to request first key and first the first ciphertext of subdata, first the first ciphertext of sub-key of server-side and After three the first ciphertexts of sub-key are respectively verified the first recipient, third sub-key and the 4th sub-key are combined into Second key decrypts first the first ciphertext of subdata and obtains the first subdata, and first key and the first subdata are connect with first The first recipient is sent to after debit's public key encryption.After first recipient receives first key and the first subdata, with first The predetermined portions that subdata is replaced in the second data ciphertext obtain the first data ciphertext, then with first key to the first data ciphertext Decryption obtains data clear text.
In embodiments of the present invention, by the way that the second data ciphertext handled the first data ciphertext to be sent to First recipient, and the ciphertext for decrypting the first subdata necessary to the second data ciphertext is stored in server-side, so that first It include noise in the ciphertext data that recipient obtains, it is necessary to obtain the first subdata ability ciphertext data ciphertext, energy from server-side It is enough effectively prevented Brute Force, improves the safety of data ciphertext.
In some embodiment of the invention, the first recipient needs when decrypting to the data ciphertext obtained from sender Holding first key and the second key simultaneously could complete to decrypt, and at this moment, the first recipient is in the second verifying by server-side When, server-side, can also be by third other than first key is sent to the first recipient with first recipient's public key encryption Key and the 4th sub-key group are combined into the second key and with being sent to the first recipient after first recipient's public key encryption.The present invention Embodiment can be improved data ciphertext by can just obtain data clear text after making recipient that need to obtain two key pair ciphertext decryption Safety.
Fig. 6 is the schematic flow chart of one embodiment of data forwarding method of the invention, application of the embodiment of the present invention In recipient's client.
As shown in fig. 6, the data forwarding method of the embodiment of the present invention includes:
S160, when receiving data ciphertext and the first record identification from data sender, sending to server-side includes first The data receiver of recipient's mark and the first record identification is requested;
The data ciphertext that first recipient receives from data sender is by sender in the process encrypted to data clear text It is middle to be generated using the encryption of at least one key, and data sender will receive data needed for the decryption of data ciphertext and first Side's mark has been sent to server-side, these data and information are carried out storage and are accordingly assigned with the first record by server-side Mark.First recipient can identify with the first recipient and the first record identification is requested to server-side to needed for the decryption of data ciphertext Data.
S161, first the first ciphertext of sub-key for carrying out the first verifying to the first recipient is received from server-side When, first the first ciphertext of sub-key is decrypted using first recipient's private key, and the first decrypted result is sent to Server-side;
First the first ciphertext of sub-key can be sent to by server-side when receiving data receiver request from the first recipient First recipient verifies the identity of the first recipient.When first the first ciphertext of sub-key is raw with first recipient's public key encryption First recipient's private key can be used to decrypt to obtain the first decrypted result to first the first ciphertext of sub-key and return for Cheng Shi, the first recipient Back to server-side.When first the first ciphertext of sub-key is that the symmetric key encryption negotiated using sender and the first recipient is generated When, the symmetric key negotiated can be used to decrypt to obtain the return of the first decrypted result to first the first ciphertext of sub-key for the first recipient To server-side.First sub-key of the usable data distribution request from sender of server-side includes the first sub-key Whether character string is correct come the first decrypted result for examining the first recipient to return.
S162, such as first are verified, and obtain from server-side and are passed through by server-side to the first sub-key and the second sub-key It is combined the first key of generation, and uses first key during data ciphertext is decrypted.
It, will be from the data distribution request of sender in the case where server-side confirms the first recipient by verifying First sub-key and the second sub-key are combined into first key, and will be sent to after first recipient's public key encryption of first key One recipient.The first key obtained from server-side can be used to carry out to the data ciphertext obtained from sender in first recipient Decryption obtains data clear text.
Through the embodiment of the present invention, a part of first key is used as verify data, and verify data is by sender Generate, verify data directly can be sent to recipient and verified by server-side, alleviate management of the server-side in verifying and Calculated load, at the same ensure first key in the transmission and server-side storage when safety.
In an embodiment of the invention, first the first ciphertext of sub-key passes through close to the first son with first recipient's public key Key encryption generates, and the first recipient is the first sub-key to the first decrypted result that first the first ciphertext of sub-key is decrypted. In another embodiment, first the first ciphertext of sub-key by with first recipient's public key to the first check number and One sub-key carries out encryption generation, and the first decrypted result that the first recipient decrypts first the first ciphertext of sub-key is packet Character string containing the first check number and the first sub-key.
Fig. 7 is the schematic flow chart of another embodiment of data forwarding method of the invention.
As shown in fig. 7, the data forwarding method of the embodiment of the present invention includes:
S170, when receiving data ciphertext and the first record identification from data sender, sending to server-side includes first The data receiver of recipient's mark and the first record identification is requested;
S171, first the first ciphertext of sub-key for carrying out the first verifying to the first recipient is received from server-side When, first the first ciphertext of sub-key is decrypted using first recipient's private key, and the first decrypted result is sent to Server-side;
S172, such as first are verified, and obtain from server-side and are passed through by server-side to the first sub-key and the second sub-key It is combined the first key of generation, and uses first key during data ciphertext is decrypted;
S173, the first ciphertext of third sub-key for carrying out the second verifying to the first recipient is received from server-side When, the first ciphertext of third sub-key is decrypted using first recipient's private key, and the second decrypted result is sent to Server-side;
S174, such as second are verified, from server-side obtain corresponding to second verifying data with to data ciphertext into It is used during row decryption.
It should be noted that S171 and S173 are not limited to successively execute, but can also execute parallel.
In embodiments of the present invention, sender has used first key and the second key when encrypting to data.The One key and the second key are sender's generation, and not for known to the first recipient.It is similar with first key, the second key Also two parts are split as, are third sub-key and the 4th sub-key respectively, sender is based on the first sub-key and third is close Key generates first the first ciphertext of sub-key and the first ciphertext of third sub-key with first recipient's public key encryption.
After first recipient receives data ciphertext and the first record identification from sender, request to server-side using decryption When required key, server-side is using both first the first ciphertext of sub-key and first ciphertext of third sub-key to the first recipient point It carry out not the first verifying and the second verifying.Server-side verifies the mode of the first decrypted result of mode and verifying of the second decrypted result It is similar, reference can be made to previous embodiment, omits illustrate herein.After the first verifying and second are verified, server-side is by the One sub-key and the second sub-key group are combined into first key and with being sent to the first recipient after first recipient's public key encryption, and The data for corresponding to the second verifying are sent to the first recipient, enable the first recipient to the data obtained from sender Ciphertext is decrypted to obtain data clear text.The mode for corresponding to the data that second verifies that server-side is sent to the first recipient takes Certainly in first key and usage mode of second key when to data encryption.
In the embodiment of the present invention, the first recipient is in ciphertext data ciphertext other than needing first key, it is also necessary to the Two keys or data relevant to the second key, server-side is directed to first key respectively and the second key is independent to the first reception Fang Jinhang authentication further improves the safety of data ciphertext and key.
In an embodiment of the invention, the first ciphertext of third sub-key passes through close to third with first recipient's public key Key encryption generates, and the first recipient is third sub-key to the second decrypted result that the first ciphertext of third sub-key is decrypted. In another embodiment, the first ciphertext of third sub-key by with first recipient's public key to the first check number and Three sub-keys carry out encryption generation, and the second decrypted result that the first recipient decrypts the first ciphertext of third sub-key is packet Character string containing the first check number and the first sub-key.
In an embodiment of the invention, sender is when to data encryption, first using first key to sent number According to being encrypted to obtain the first data ciphertext in plain text, the first subnumber then is extracted from the predetermined portions in the first data ciphertext According to replacing the position of first the first subdata of data ciphertext Central Plains with the second subdata, generate the second data ciphertext, and with second Key encrypts the first subdata and obtains first the first ciphertext of subdata.What the first recipient received from sender is the second data Ciphertext and the first record identification, and the first record identification is sent to server-side to request first key and the first subdata first close Text, server-side are respectively verified the first recipient with first the first ciphertext of sub-key and the first ciphertext of third sub-key Afterwards, third sub-key and the 4th sub-key are combined into first the first ciphertext of subdata of the second key decryption and obtain the first subnumber According to, and the first recipient will be sent to after first recipient's public key encryption of first key and the first subdata.First recipient After receiving first key and the first subdata, the predetermined portions in the second data ciphertext are replaced with the first subdata and obtain first Data ciphertext, then the first data ciphertext is decrypted to obtain data clear text with first key.In embodiments of the present invention, by will be right First data ciphertext carries out the second data ciphertext that above-mentioned processing obtains and is sent to the first recipient, and it is close to decrypt the second data The ciphertext of first subdata necessary to text is stored in server-side, so that comprising making an uproar in the ciphertext data that the first recipient obtains Sound, it is necessary to obtain the first subdata ability ciphertext data ciphertext from server-side, Brute Force can be effectively prevented, improve data The safety of ciphertext.
In some embodiment of the invention, the first recipient needs when decrypting to the data ciphertext obtained from sender Holding first key and the second key simultaneously could complete to decrypt, and at this moment, the first recipient is in the second verifying by server-side When, server-side is also close by third other than first key is sent to the first recipient with first recipient's public key encryption Key and the 4th sub-key group are combined into the second key and with being sent to the first recipient after first recipient's public key encryption.The present invention is real Example is applied by can just obtain data clear text after making recipient that need to obtain individual two key pair ciphertexts decryption, can be improved data The safety of ciphertext.
Fig. 8 is the schematic flow chart of one embodiment of data forwarding method of the invention, the number of the embodiment of the present invention It is applied to sender's client according to retransmission method.
As shown in figure 8, the data forwarding method of the embodiment of the present invention includes:
S510, data ciphertext and the first record identification are obtained, wherein the first record identification is generated and is used for by server-side Server-side and first key associated storage required when data ciphertext is decrypted;
S511, the data identified including M recipient's mark, the first record identification and N recipient are sent to server-side Forwarding request, to request server-side based on the M forwarding record for including M recipient's mark and the first record identification, by first It is that N forwards record that record identification and N recipient, which identify associated storage, and N and M are positive integer and N is not equal to M;
S512, data ciphertext and the first record identification are sent to N recipient.
In embodiments of the present invention, M recipient is that data ciphertext and the first record are obtained from data sender above-mentioned Any recipient of mark, M recipient is when needing to forward data to N recipient as N recipient Sender.First record identification is that server-side is to be somebody's turn to do when the data sender sends initial data distribution request to server-side The record identification of data distribution request distribution, and the data ciphertext solution that server-side will carry in initial data distribution request Close required first key and the first record identification associated storage are individual data distribution record, while server-side has also been answered The request of data sender, it is that M forwarding is remembered that the first record identification and M recipient, which are identified associated storage, for M recipient Record.
M recipient can send after obtaining data ciphertext and the first record identification from data sender to server-side Data forwarding request including M recipient's mark, the first record identification and N recipient's mark.Server-side is receiving this After data forwarding request, first search whether that there are M to forward record according to M recipient's mark and the first record identification, if so, It is that N forwarding records that the first record identification and N recipient, which are then identified associated storage, for N recipient.
Since M recipient is that server-side forwards the recipient of the key data for the first time, N recipient is server-side the The recipient of key data is forwarded after secondary, also asks the data forwarding that M receiving direction server-side is sent in the present embodiment Referred to as data are asked to forward request again.
It can will include the first record mark after N recipient receives data ciphertext and the first record identification from M recipient Know and the data acquisition request of N recipient's mark is sent to server-side, server-side is in response to the data acquisition request, by key Data or related data are transmitted to N recipient.
Through the embodiment of the present invention, certain data ciphertext and the first record identification are sent to M recipient by data sender Afterwards, it if M recipient needs same data forwarding to other any recipients, can be forwarded again by sending data to server-side The mode of request, request server-side have stored in the key data or dependency number of server-side to other any recipient's forwardings According to realizing and not needing re-encrypted data to be forwarded and can be carried out quickly forwarding again.
In an embodiment of the invention, the data that M recipient is sent to server-side forward again can also wrap in request The N verify data for being verified to N recipient is included, may include the number such as N recipient's public key in N verify data According to.Key data or related data can be transmitted to N and connect by server-side in the data acquisition request in response to N recipient Before debit, N recipient is verified using N verify data.For example, server-side produces a random number, with N Recipient's public key is sent to N recipient after encrypting to the random number, by check N recipient return data whether It is the random number the identity of verifying N recipient.Through the embodiment of the present invention, M recipient is for other different data When receiving direction server-side transmission data forward request again, corresponding verification data, verification mode can be provided to server-side With specific aim, Information Security is improved.
In an embodiment of the invention, M recipient is verified by the N that data forward request to be sent to server-side again It may include N recipient's public key, N check number and first key N ciphertext in data, first key N ciphertext passes through use N recipient's public key generates N check number and first key encryption.In another embodiment, M recipient is logical Cross may include in the N verify data that data forward request to be sent to server-side again N recipient's public key, N check number and Second key N ciphertext, the second key N ciphertext with N recipient's public key to N check number and in data ciphertext by decrypting The second key of Shi Suoxu carries out encryption generation.In some embodiment of the invention, M recipient forwards request by data again Being sent in the N verify data of server-side may include N recipient's public key, N check number, above-mentioned first key N Ciphertext and the second above-mentioned key N ciphertext.
Server-side has prestored first key and/or the second key when receiving initial data distribution request, can The verify data of N recipient's return is verified using N check number and first key and/or the second key.
In addition, first key or the second key can also be split as two sub-keys in the embodiment of the present invention, it will wherein One sub-key is stored together in server-side and the first record identification, is generated with another one sub-key for connecing to N Sub-key ciphertext that debit is verified simultaneously is stored in N forwarding record in server-side.
In the embodiment of the present invention, M recipient in first key N ciphertext/second key N ciphertext to be generated, or Person can be stored when generating fractionation from first key or the N ciphertext of the sub-key of the second key with M recipient's client First key and/or the second key or each sub-key, can also be by sending the side of cipher key acquisition request to server-side Formula obtains the first key that server-side returns and/or the second key or each sub-key.
In some embodiment of the invention, server-side prestored the first record identification, first key and the second key and First the first ciphertext of subdata, the second key are used to be decrypted to obtain the first subdata to first the first ciphertext of subdata, the One subdata is for the predetermined portions in replacement data ciphertext to obtain another number that can be decrypted by first key According to ciphertext.For N recipient after having passed through the verifying of server-side, first key and the first subdata are returned to N by server-side Recipient.
In other embodiments of the invention, data ciphertext includes being decrypted respectively by first key and the second key First data ciphertext and the second data ciphertext.N recipient after having passed through the verifying of server-side, server-side by first key and Second key returns to N recipient.
Fig. 9 is the schematic flow chart of one embodiment of data forwarding method of the invention, the number of the embodiment of the present invention It is applied to server-side according to retransmission method.
As shown in figure 9, the data forwarding method of the embodiment of the present invention includes:
S520, it receives from M recipient including M recipient's mark, the first record identification and N recipient's mark When data forwarding request, record is forwarded based on the M for including M recipient's mark and the first record identification, the first record is marked Knowing with N recipient's mark associated storage is that N forwarding records, and the first record identification is generated by server-side and is used in server-side With first key associated storage required when data ciphertext is decrypted, N and M are positive integer and N is not equal to M;
S521, the data receiver request including N recipient's mark and the first record identification is received from N recipient When, first key is sent to by N recipient based on N forwarding record.
The data forwarding method applied to server-side of the embodiment of the present invention is applied to hair corresponding to embodiment illustrated in fig. 8 The data distributing method of the side's of sending client, implementation procedure can be found in embodiment illustrated in fig. 8 and more than other each implementations The explanation of example, in this detailed description will be omitted.
Figure 10 is the schematic flow chart of one embodiment of data forwarding method of the invention, the number of the embodiment of the present invention It is applied to recipient's client according to retransmission method.
As shown in Figure 10, the data forwarding method of the embodiment of the present invention includes:
S530, when receiving data ciphertext and the first record identification from M recipient, sending to server-side includes the first note The data receiver request of record mark and N recipient's mark, wherein first record identification is generated and is used for by server-side Server-side and first key associated storage required when data ciphertext is decrypted, N is positive integer;
S530, server-side is obtained from server-side based on N turns identified including first record identification and N recipient Hair records and the first key of return, and first key is used when data ciphertext is decrypted.
The data forwarding method applied to recipient's client of the embodiment of the present invention corresponds to answering for embodiment illustrated in fig. 8 For the data distributing method of sender's client, implementation procedure can be found in embodiment illustrated in fig. 8 and more than other are each The explanation of a embodiment, in this detailed description will be omitted.
In any of the above-described embodiment of the invention, server-side is receiving sender with the letter of data distribution request transmission These information and data can be identified as index with the first recipient therein and stored by breath and when data, and with distributed The first record identification associated storage.When sender wishes the dependency number that revocation requests server-side to forward for the first recipient According to when, sender can pass through that send to server-side include data distribution revocation that the first record identification and the first recipient identify It requests to request server-side that the first recipient is identified to and identified with the first recipient the information deletion of associated storage.Server-side Divide receiving the data identified including the first record identification and the first recipient that sender sends for the first recipient It can will include that the first recipient identifies and identifies the individual of the information of associated storage with the first recipient when hair revocation request Forward record deletion.After the information that server-side deletes the first recipient mark and associated storage, the first receiving direction server-side When sending the data receiver request including the first recipient mark, server-side will can not find the first recipient and identify relevant forwarding Record realizes transmission so that the decryption data such as first key will not be returned to the first recipient in response to receiving request Timely revocation of the side to data have been distributed.Meanwhile server-side will include that the first recipient identifies and identifies with the first recipient The individual forwarding record deletion of the information of associated storage does not influence to include the first record identification and the second sub-key ciphertext etc. Individual data distribution record can send to server-side and wrap such as the data distribution that sender needs to restore to be directed to the first recipient The data redistribution for including the information such as the first recipient mark, first the first ciphertext of sub-key, first recipient's public key and data is asked It asks, these information and data can be stored as individually forwarding record by server-side again, so that the first recipient can be from service End, which obtains, decrypts required data.
The embodiment of the invention also provides a kind of data distribution/retransmission units, can be by the end including processor and memory End equipment realizes that processor is configurable to the scheduled computer instruction stored in run memory to execute above-mentioned Data distribution/retransmission method applied to sender's client in one embodiment.
The embodiment of the invention also provides a kind of data forwarding devices, can be by including processor and memory and being used as service The terminal device of device realizes that processor is configurable to the scheduled computer instruction stored in run memory to execute The data forwarding method applied to server-side in any of the above-described embodiment.
The embodiment of the invention also provides a kind of data forwarding devices, can be by the terminal device including processor and memory It realizes, processor is configurable to the scheduled computer instruction stored in run memory to execute any of the above-described implementation The data forwarding method applied to recipient's client in example.
Due to all embodiments of exhaustion impossible in the application, it is also not possible to all combinations between exhaustive technical characteristic Mode, therefore the present invention is not limited to these provided specific embodiments, those skilled in the art are in reality disclosed herein On the basis of applying example, it is fully able to carry out a variety of modifications to these embodiments in the case where not departing from spirit of that invention and design And modification, the embodiment of these variants and modifications should all fall into the application it is claimed within the scope of.

Claims (23)

1. a kind of data forwarding method is applied to sender's client, comprising:
Obtain data ciphertext and the first record identification, wherein the first record identification is storage from received from sender by server-side The information extracted and data in the data distribution request of client and create, extracted information and data include to the data Required first key when ciphertext is decrypted, first record identification is in server-side and the first key associated storage;
The data forwarding request identified including M recipient's mark, the first record identification and N recipient is sent to server-side, With request server-side based on include M recipient mark and the first record identification M forwarding record, by the first record identification with It is that N forwards record that N recipient, which identifies associated storage, and N and M are positive integer and N is not equal to M;
Data ciphertext and the first record identification are sent to N recipient.
2. the method for claim 1, wherein further including for being carried out to N recipient in the data forwarding request The N verify data of verifying, the N verify data include at least N recipient's public key.
3. method according to claim 2, wherein
The N verify data further includes N check number and first key N ciphertext, and the first key N ciphertext passes through use N recipient's public key generates N check number and first key encryption.
4. method as claimed in claim 3, wherein
The N verify data further includes the second key N ciphertext, and the second key N ciphertext is by with N recipient's public key pair N check number and second key required in data ciphertext decryption carry out encryption generation.
5. method as claimed in claim 4, wherein the first record identification is also used to close in server-side and the first subdata first Literary associated storage, the second key to first the first ciphertext of subdata for being decrypted to obtain the first subdata, the first subdata It is close to obtain another data that can be decrypted by first key for replacing the predetermined portions in the data ciphertext Text.
6. method as claimed in claim 4, wherein the data ciphertext includes respectively by the first key and the second key The the first data ciphertext and the second data ciphertext being decrypted.
7. such as method of any of claims 1-6, further includes:
Sending to server-side includes the first record identification and the revocation request that N recipient identifies, so that server-side forwards N Record deletion.
8. a kind of data forwarding device, including processor, which is characterized in that the processor run scheduled computer instruction with Execute such as data forwarding method of any of claims 1-7.
9. a kind of data forwarding method is applied to server-side, comprising:
The data forwarding identified including M recipient's mark, the first record identification and N recipient is received from M recipient When request, record is forwarded based on the M for including M recipient's mark and the first record identification, the first record identification is connect with N It is N forwarding record that debit, which identifies associated storage, wherein first record identification is storage from received from transmission by server-side The information extracted and data in the data distribution request of square client and create, extracted information and data include to the number Required first key when being decrypted according to ciphertext, first record identification, which is associated in server-side with the first key, deposits Storage, N and M are positive integer and N is not equal to M;
When receiving the data receiver request including N recipient's mark and the first record identification from N recipient, based on described First key is sent to N recipient by N forwarding record.
10. method as claimed in claim 9, wherein further include for being carried out to N recipient in the data forwarding request The N verify data of verifying, the N verify data include at least N recipient's public key,
The method also includes: the N verify data is stored in the N forwarding record;
When receiving data receiver request from N recipient, N recipient is verified using N verify data, And after N recipient is by verifying, the first key is sent to N recipient.
11. method as claimed in claim 10, wherein
The N verify data further includes N check number and first key N ciphertext, and the first key N ciphertext passes through use N recipient's public key generates N check number and first key encryption.
12. method as claimed in claim 11, wherein
The N verify data further includes the second key N ciphertext, and the second key N ciphertext is by with N recipient's public key pair N check number and second key required in data ciphertext decryption carry out encryption generation.
13. method as claimed in claim 12, wherein the first record identification is also used in server-side and the first subdata first Ciphertext associated storage,
The method also includes:
After N recipient is by verifying, decrypted after obtaining the first subdata with second key pair the first ciphertext of the first subdata It is sent to N recipient,
Wherein, the first subdata is used to replace the predetermined portions in the data ciphertext to obtain to be solved by first key Another data ciphertext of close processing.
14. method as claimed in claim 12, further includes:
After N recipient is by verifying, the second key is sent to N recipient.
15. the method as described in any one of claim 9-14, further includes:
When receiving the data forwarding revocation request including the first record identification and N recipient's mark, N forwarding record is deleted It removes.
16. a kind of data forwarding device, including processor, which is characterized in that the processor runs scheduled computer instruction To execute the data forwarding method as described in any one of claim 9-15.
17. a kind of data forwarding method is applied to recipient's client, comprising:
When receiving data ciphertext and the first record identification from M recipient, to server-side send include the first record identification and The data receiver request of N recipient's mark, wherein first record identification is storage from received from sender by server-side The information extracted and data in the data distribution request of client and create, extracted information and data include to the data Required first key when ciphertext is decrypted, first record identification is in server-side and the first key associated storage, N For positive integer;
Server-side is obtained based on including N forwarding record that first record identification and N recipient identify from server-side and The first key returned uses first key when data ciphertext is decrypted.
18. method as claimed in claim 17, further includes:
When receiving the N verify data ciphertext for being verified to N recipient from server-side, N recipient's private is used Verify data ciphertext is decrypted in key, and decrypted result is sent to server-side.
19. method as claimed in claim 18, wherein the N verify data ciphertext includes first key N ciphertext, institute First key N ciphertext is stated by being generated with N recipient's public key to N check number and first key encryption.
20. method as claimed in claim 19, wherein the N verify data ciphertext further includes the second key N ciphertext, The second key N ciphertext by with N recipient's public key to N check number and the data ciphertext decrypt when it is required Second key carries out encryption generation.
21. method as claimed in claim 20, further includes:
After the decrypted result is verified by server-side, the first subdata is obtained from server-side, replaces institute with the first subdata It states the predetermined portions in data ciphertext and obtains another data ciphertext, and another data ciphertext is decrypted to obtain with first key Data clear text.
22. method as claimed in claim 20, further includes:
After the decrypted result is verified by server-side, obtain the second key from server-side, and to the data ciphertext into The second key is used when row decryption.
23. a kind of data forwarding device, including processor, which is characterized in that the processor runs scheduled computer instruction To execute the data forwarding method as described in any one of claim 17-22.
CN201810096484.2A 2018-01-31 2018-01-31 A kind of data distribution, retransmission method and device Active CN108200085B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810096484.2A CN108200085B (en) 2018-01-31 2018-01-31 A kind of data distribution, retransmission method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810096484.2A CN108200085B (en) 2018-01-31 2018-01-31 A kind of data distribution, retransmission method and device

Publications (2)

Publication Number Publication Date
CN108200085A CN108200085A (en) 2018-06-22
CN108200085B true CN108200085B (en) 2019-03-08

Family

ID=62591661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810096484.2A Active CN108200085B (en) 2018-01-31 2018-01-31 A kind of data distribution, retransmission method and device

Country Status (1)

Country Link
CN (1) CN108200085B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109448192A (en) * 2018-11-13 2019-03-08 公安部第三研究所 Safe and intelligent lock system based on encryption chip
CN109981591B (en) * 2019-02-28 2021-09-21 矩阵元技术(深圳)有限公司 Key management method for generating private key by single client and electronic equipment
CN110166425B (en) * 2019-04-09 2021-08-20 北京奇艺世纪科技有限公司 Data processing method, device, system and computer readable storage medium
CN110177073B (en) * 2019-04-09 2021-11-09 北京奇艺世纪科技有限公司 Data processing method, device, system and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
EP2437469A1 (en) * 2005-10-13 2012-04-04 TELEFONAKTIEBOLAGET LM ERICSSON (publ) Method and apparatus for establishing a security association
CN104901937A (en) * 2014-10-17 2015-09-09 腾讯科技(深圳)有限公司 Data processing method and system thereof, terminal, server
CN104967604A (en) * 2015-04-21 2015-10-07 深圳市腾讯计算机系统有限公司 Login method and login system
CN106453319A (en) * 2016-10-14 2017-02-22 北京握奇智能科技有限公司 Data transmission system and method based on security module

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102312336B1 (en) * 2014-07-29 2021-10-14 삼성전자주식회사 Method for sharing data and apparatus thereof
CN106411884A (en) * 2016-09-29 2017-02-15 郑州云海信息技术有限公司 Method and device for data storage and encryption

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2437469A1 (en) * 2005-10-13 2012-04-04 TELEFONAKTIEBOLAGET LM ERICSSON (publ) Method and apparatus for establishing a security association
CN101197674A (en) * 2007-12-10 2008-06-11 华为技术有限公司 Encrypted communication method, server and encrypted communication system
CN104901937A (en) * 2014-10-17 2015-09-09 腾讯科技(深圳)有限公司 Data processing method and system thereof, terminal, server
CN104967604A (en) * 2015-04-21 2015-10-07 深圳市腾讯计算机系统有限公司 Login method and login system
CN106453319A (en) * 2016-10-14 2017-02-22 北京握奇智能科技有限公司 Data transmission system and method based on security module

Also Published As

Publication number Publication date
CN108200085A (en) 2018-06-22

Similar Documents

Publication Publication Date Title
CN108243197B (en) A kind of data distribution, retransmission method and device
RU2718689C2 (en) Confidential communication control
CN108200085B (en) A kind of data distribution, retransmission method and device
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
JP5432999B2 (en) Encryption key distribution system
US7961882B2 (en) Methods and apparatus for initialization vector pressing
US20080031458A1 (en) System, methods, and apparatus for simplified encryption
US8396218B2 (en) Cryptographic module distribution system, apparatus, and program
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
CN105162599B (en) A kind of data transmission system and its transmission method
CN109951381B (en) Mail secure transmission method based on quantum key public cloud service platform
CN108476133A (en) The key carried out by the believable third party in part exchanges
US20150229621A1 (en) One-time-pad data encryption in communication channels
CN107086915A (en) A kind of data transmission method, data sending terminal and data receiver
CN112738051B (en) Data information encryption method, system and computer readable storage medium
JP2007028014A (en) Digital signature program, digital signature system, digital signature method and signature verification method
US8117450B2 (en) System and method for secure data transmission
CN106911663A (en) One kind sells bank's full message encryption system and method for mixed mode directly to households
US20060095770A1 (en) Method of establishing a secure e-mail transmission link
US20230027422A1 (en) Systems, apparatus, and methods for generation, packaging, and secure distribution of symmetric quantum cypher keys
CN105871858A (en) Method and system for ensuring high data safety
CN104735094A (en) Information separation based data security transmission system and method
US10938553B2 (en) Distribution and verification of transaction integrity keys
CN108306880B (en) A kind of data distribution, retransmission method and device
CN114945170B (en) Mobile terminal file transmission method based on commercial cryptographic algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder