CN109361511A - Data transmission method, the network equipment and computer storage medium - Google Patents
Data transmission method, the network equipment and computer storage medium
- Publication number
- CN109361511A (application CN201811324704.9A)
- Authority
- CN
- China
- Prior art keywords
- network node
- key
- data
- encryption
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention discloses a data transmission method applied in a storage system including a first network node and a second network node. The method comprises: the second network node generates, according to a TPM, a key pair including the encryption key and the decryption key of the second network node; the second network node receives a first request sent by the first network node, the first request requesting the encryption key of the second network node; in response to the first request, the second network node sends the encryption key of the second network node to the first network node; the second network node receives second ciphertext data sent by the first network node, the second ciphertext data being the data obtained by encrypting the first plaintext data to be synchronized with the encryption key of the second network node; and the second network node decrypts the second ciphertext data with the decryption key of the second network node. By implementing the embodiment of the present invention, secure transmission of data can be realized, and the security and reliability of data transmission improved.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a data transmission method, a network device and a computer storage medium.
Background technique
With the development of computer technology, information security has become particularly important. Currently, to provide an information security mechanism, a computer system uses a large amount of key information such as symmetric keys, asymmetric keys and shared keys. This key information is sensitive data; once leaked, it seriously affects the security of the stored information.
To protect the confidentiality of sensitive data, the prior art proposes the multi-layer encryption mechanism whose structural schematic diagram is shown in Fig. 1. As shown in Fig. 1, the mechanism includes a root key, a master key and a working key. The root key sits at the bottom of the multi-layer encryption mechanism and is mainly used to provide confidentiality protection for the upper-layer key (such as the master key); for example, the root key is used to encrypt the master key for storage. The master key is used to provide confidentiality protection for the upper-layer working key, while itself being protected by the root key; for example, the master key is used to encrypt the working key for storage. The working key is used to directly encrypt data such as sensitive data, business data and user data for storage; the working key includes, but is not limited to, encryption keys and shared keys.
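The three-layer mechanism of Fig. 1 is easier to reason about when the wrapping chain is written out. The following Go program is an added example, not code from the patent or its applicant: it builds a root key, a master key wrapped under the root key, and a working key wrapped under the master key (all with AES-256-GCM, an assumed choice; the patent names no wrapping algorithm), then shows that reading data requires unwrapping down the chain and that corrupting the root key makes every layer below it unusable. Names such as `Hierarchy`, `wrap` and `unwrap` are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// randomKey returns a fresh 32-byte AES-256 key from the system CSPRNG.
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// wrap encrypts material under parent with AES-256-GCM. The result is
// nonce || ciphertext || tag, so a wrapped blob carries what unwrap needs.
func wrap(parent, material []byte) ([]byte, error) {
	block, err := aes.NewCipher(parent)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, material, nil), nil
}

// unwrap reverses wrap; the GCM tag check means a wrong or tampered parent
// key yields an error instead of silently producing garbage key material.
func unwrap(parent, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(parent)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Hierarchy is what a node persists: the root key itself (in the patent's
// design it lives inside the TPM), the master key wrapped by the root key,
// and the working key wrapped by the master key. Only Root is ever in clear.
type Hierarchy struct {
	Root          []byte
	WrappedMaster []byte
	WrappedWork   []byte
}

// NewHierarchy builds the three layers of Fig. 1 from fresh random keys.
func NewHierarchy() (*Hierarchy, error) {
	var keys [3][]byte // root, master, working
	for i := range keys {
		k, err := randomKey()
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	wm, err := wrap(keys[0], keys[1]) // root protects master
	if err != nil {
		return nil, err
	}
	ww, err := wrap(keys[1], keys[2]) // master protects working
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: keys[0], WrappedMaster: wm, WrappedWork: ww}, nil
}

// workingKey walks down the chain: root unwraps master, master unwraps working.
func (h *Hierarchy) workingKey() ([]byte, error) {
	master, err := unwrap(h.Root, h.WrappedMaster)
	if err != nil {
		return nil, fmt.Errorf("master key: %w", err)
	}
	return unwrap(master, h.WrappedWork)
}

// Protect encrypts user or business data under the working key.
func (h *Hierarchy) Protect(data []byte) ([]byte, error) {
	work, err := h.workingKey()
	if err != nil {
		return nil, err
	}
	return wrap(work, data)
}

// Recover decrypts data produced by Protect.
func (h *Hierarchy) Recover(blob []byte) ([]byte, error) {
	work, err := h.workingKey()
	if err != nil {
		return nil, err
	}
	return unwrap(work, blob)
}

func main() {
	h, err := NewHierarchy()
	if err != nil {
		panic(err)
	}
	ct, _ := h.Protect([]byte("constructed user record")) // constructed sample data
	pt, err := h.Recover(ct)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	h.Root[0] ^= 1 // damage the root of trust: nothing below it can be unwrapped
	_, err = h.Recover(ct)
	fmt.Println("after root key corruption:", err)
}
```

The point the example makes about the background section: the working key is never stored in the clear, and the root key is the single value whose loss or corruption takes the whole hierarchy with it, which is why the detailed description below treats the root key as the root of trust whose sharing between nodes must be protected.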
However, given the security requirements for data, how to realize secure sharing of sensitive data between the network nodes of a storage system is a problem that needs to be studied and solved.
Summary of the invention
The embodiments of the invention disclose a data transmission method, related devices and computer storage media, which can solve problems such as the low security and reliability of existing data transmission schemes.
In a first aspect, the embodiment of the present invention provides a data transmission method applied in a storage system including a first network node and a second network node. The method comprises: the second network node generates a second key pair according to a trusted platform module (TPM), the second key pair including the encryption key of the second network node and the decryption key of the second network node. The TPM is used to realize secure storage of data, and the decryption key of the second network node is used to decrypt ciphertext data. The first network node sends a first request to the second network node, the first request being used to request the encryption key of the second network node. Correspondingly, the second network node responds to the first request by sending the encryption key of the second network node to the first network node; the encryption key of the second network node is used by the first network node to encrypt the first plaintext data to be synchronized.
With reference to the first aspect, in a first possible embodiment of the first aspect, the second network node calls the Creatwrapkey function of the TPM to generate the second key pair.
With reference to the first aspect or the first possible embodiment of the first aspect, in a second possible embodiment of the first aspect, after the first network node obtains the encryption key of the second network node, it encrypts the first plaintext data to be synchronized according to the encryption key of the second network node to obtain the first ciphertext data. The first network node sends the first ciphertext data to the second network node. Correspondingly, the second network node receives the first ciphertext data and decrypts it according to the decryption key of the second network node to obtain the first plaintext data. To verify the correctness of the synchronized data, the second network node can encrypt the first plaintext data according to the encryption key of the first network node to obtain second ciphertext data, and send the second ciphertext data to the first network node, so that the first network node can determine, from the second plaintext data corresponding to the second ciphertext data and the first plaintext data, whether the synchronization of the first plaintext data between the two network nodes has been completed.
With reference to the first aspect or the first or second possible embodiment of the first aspect, in a third possible embodiment of the first aspect, the encryption key of the first network node and the encryption key of the second network node are different from each other, and the decryption key of the second network node and the decryption key of the first network node are different from each other.
With reference to the first aspect or any of the first to third possible embodiments of the first aspect, in a fourth possible embodiment of the first aspect, the decryption key of the second network node is presented in the form of a second key handle. The second network node stores the correspondence between the decryption key of the second network node and the second key handle, and can obtain the decryption key of the second network node corresponding to the second key handle according to the second key handle and this correspondence.
With reference to the first aspect or any of the first to fourth possible embodiments of the first aspect, in a fifth possible embodiment of the first aspect, the decryption key of the first network node can be presented in the form of a first key handle. The first network node stores the correspondence between the decryption key of the first network node and the first key handle, and can obtain the decryption key of the first network node corresponding to the first key handle according to the first key handle and this correspondence.
In a second aspect, the embodiment of the present invention provides a data transmission method applied on the first network node side. The method comprises: the first network node generates a first key pair according to a TPM, the first key pair including the encryption key of the first network node and the decryption key of the first network node. The TPM is used to realize secure storage of data. The decryption key of the first network node is used to decrypt ciphertext data. The second network node sends a second request to the first network node, the second request being used to request the encryption key of the first network node. Correspondingly, the first network node responds to the second request by sending the encryption key of the first network node to the second network node; the encryption key of the first network node is used in the encryption of the first plaintext data synchronized by the first network node to the second network node.
With reference to the second aspect, in a first possible embodiment of the second aspect, the first network node calls the Creatwrapkey function of the TPM to generate the first key pair.
With reference to the second aspect or the first possible embodiment of the second aspect, in a second possible embodiment of the second aspect, the first network node sends a first request to the second network node, the first request being used to request the encryption key of the second network node. The encryption key of the second network node is generated by the TPM of the second network node. The first network node receives the encryption key of the second network node sent by the second network node, encrypts the first plaintext data to be synchronized according to the encryption key of the second network node to obtain the first ciphertext data, and then sends the first ciphertext data to the second network node so as to synchronize the first ciphertext data.
With reference to the second aspect or the first or second possible embodiment of the second aspect, in a third possible embodiment of the second aspect, the first network node receives second ciphertext data sent by the second network node, the second ciphertext data being obtained by the second network node encrypting the first plaintext data according to the encryption key of the first network node. The first network node decrypts the second ciphertext data according to the decryption key of the first network node to obtain second plaintext data. In turn, the first network node determines, according to the first plaintext data and the second plaintext data, whether the synchronization of the first plaintext data between the first network node and the second network node has been completed. Specifically, when the first plaintext data and the second plaintext data are identical, the first network node can determine that the synchronization of the first plaintext data between the two network nodes has been completed; if the first plaintext data and the second plaintext data are not identical, the first network node can determine that the synchronization of the first plaintext data between the two network nodes has not been completed.
With reference to the second aspect or any of the first to third possible embodiments of the second aspect, in a fourth possible embodiment of the second aspect, the encryption key of the first network node and the encryption key of the second network node are different from each other, and the decryption key of the second network node and the decryption key of the first network node are different from each other. For content not shown or not described in this embodiment of the present invention, reference may be made to the related description in the embodiments of the first aspect above, which is not repeated here.
In a third aspect, the embodiment of the invention provides a first network device, the network device including functional modules or units for executing the method described in the second aspect above or any possible embodiment of the second aspect.
In a fourth aspect, the embodiment of the invention provides a second network device, the network device including functional modules or units for executing the method described in the first aspect above or any possible embodiment of the first aspect.
In a fifth aspect, the embodiment of the invention provides a first network device comprising a processor, a memory, a communication interface and a bus. The processor, the communication interface and the memory communicate with each other through the bus. The communication interface is used to send and receive data; the memory is used to store instructions; and the processor is used to call the instructions in the memory to execute the method described in the second aspect above or any possible embodiment of the second aspect.
In a sixth aspect, the embodiment of the invention provides a second network device comprising a processor, a memory, a communication interface and a bus. The processor, the communication interface and the memory communicate with each other through the bus. The communication interface is used to send and receive data; the memory is used to store instructions; and the processor is used to call the instructions in the memory to execute the method described in the first aspect above or any possible embodiment of the first aspect.
In a seventh aspect, the embodiment of the invention provides a storage system including a first network node and a second network node, wherein the first network node is used to execute the method described in the second aspect above or any possible embodiment of the second aspect, and the second network node is used to execute the method described in the first aspect above or any possible embodiment of the first aspect. For content not shown or not described in this embodiment of the present invention, reference may be made to the related description in the previous embodiments, which is not repeated here.
In an eighth aspect, a computer non-transitory storage medium is provided. The computer non-transitory storage medium stores program code for data transmission, and the program code includes instructions for executing the method described in the first aspect above or any possible embodiment of the first aspect.
In a ninth aspect, a computer non-transitory storage medium is provided. The computer non-transitory storage medium stores program code for data transmission, and the program code includes instructions for executing the method described in the second aspect above or any possible embodiment of the second aspect.
In a tenth aspect, a chip product is provided for executing the method in the first aspect above or any possible embodiment of the first aspect.
In an eleventh aspect, a chip product is provided for executing the method in the second aspect above or any possible embodiment of the second aspect.
On the basis of the implementations provided by the above aspects, the present invention can be further combined to provide more implementations.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a structural schematic diagram of a multi-layer encryption mechanism provided in the prior art.
Fig. 2 is a schematic diagram of data synchronization transfer provided in the prior art.
Fig. 3 is a schematic diagram of a network framework of a storage system provided in an embodiment of the present invention.
Fig. 4A is a schematic flow diagram of a data transmission method provided in an embodiment of the present invention.
Fig. 4B is a schematic flow diagram of another data transmission method provided in an embodiment of the present invention.
Fig. 5 is a schematic flow diagram of another data transmission method provided in an embodiment of the present invention.
Fig. 6 is a structural schematic diagram of a network device provided in an embodiment of the present invention.
Fig. 7 is a structural schematic diagram of another network device provided in an embodiment of the present invention.
Specific embodiment
With reference to the accompanying drawing, the embodiment of the present invention is described.
The applicant found in the course of this application that, in the storage system known from Fig. 1 above, the root key is the root of trust that guarantees the security of the entire storage system, and the security of the root key determines the security level of the entire storage system. Taking the root key as the example of sensitive data, the following describes how secure sharing of sensitive data between the network nodes within the storage system is realized.
In the existing root key synchronization transfer scheme, the same key is used to encrypt the root key plaintext to be synchronized for transmission, so as to guarantee the security of the root key. Specifically, as shown in Fig. 2, take a storage system including node A and node B as an example. A synchronization module is deployed in node A and node B; the synchronization module is used to synchronize keys, such as an Advanced Encryption Standard (AES) key generated by software. After node A obtains the root key plaintext to be synchronized, it can encrypt it through the trusted platform module (TPM) and store it on disk. At the same time, node A can synchronize the root key plaintext to node B: specifically, node A obtains the AES key from the synchronization module, encrypts the root key plaintext with the AES key, and sends the resulting root key ciphertext to node B. Correspondingly, after node B receives the root key ciphertext, it obtains the AES key from the synchronization module of node B and decrypts the root key ciphertext with that AES key to obtain the root key plaintext, thereby realizing the synchronization transfer of the root key plaintext between node A and node B.
However, in practice it has been found that the encryption and decryption key used for the sensitive data (such as the root key plaintext in this example) is a key stored by the node itself, and the encryption and decryption keys used by each node are identical. It can be seen that such a data synchronization scheme has problems of low security and low reliability.
To solve problems such as the low security and reliability of existing data transmission schemes, the present invention proposes a data transmission method, a network framework to which the method applies, and related devices.
First, refer to Fig. 3, which is a schematic diagram of a network framework provided in an embodiment of the present invention. The network framework schematic diagram 100 shown in Fig. 3 includes n network nodes, and any two of the n network nodes can communicate with each other through a network. A trusted platform module TPM 102 is deployed in each network node; specifically, the TPM 102 includes TPM hardware (also called a TPM chip) 1021, a TPM driver 1022 and a TPM application interface 1023. Optionally, a storage unit 104 is also deployed in each storage node. n is a positive integer configured by the system. The TPM chip 1021 may include a processor, an RSA key generation unit, an RSA signature and encryption unit, a random number generator and internal storage. The RSA key generation unit is used to generate keys according to the RSA algorithm; such keys include, but are not limited to, asymmetric cryptographic keys, signature keys and working keys. The RSA signature and encryption unit is used to sign, encrypt and perform similar operations on data according to a key; the data may be system-defined data such as user data, business data and private data. The random number generator is used to generate random numbers; according to system requirements, the random numbers generated by the random number generator can be used as keys (such as a root key) and can also be used for data masking, data verification and the like, which the present invention does not limit.
The processor may include, but is not limited to, a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It can implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the invention. The processor may also be a combination that realizes a computing function, for example a combination including one or more microprocessors, or a combination of a DSP and a microprocessor; the embodiment of the present invention does not limit this.
The internal storage is used to store data and program code in the TPM chip. The processor can call the program code in the internal storage and execute the instructions corresponding to that program code.
The TPM driver 1022 is used to drive the TPM chip. Specifically, the TPM driver provides an operation interface towards the TPM chip, and the TPM chip is operated directly through this operation interface to complete the corresponding functional operations, such as data encryption operations and data decryption operations.
The TPM application interface 1024 provides an application-program-facing communication interface to the TPM chip. Specifically, an application program installed in the network node can send data to be transmitted to the TPM application interface 1024. After the TPM application interface receives the data to be transmitted, it can encrypt the data to be transmitted and then return the encrypted ciphertext data to the application program.
In the present invention, the TPM application interface 1024 is used in particular to realize data encryption and decryption operations, for example encrypting plaintext data with an encryption key generated by the TPM to obtain ciphertext data. Optionally, the TPM application interface 1024 can also decrypt ciphertext data with a decryption key generated by the TPM to obtain the corresponding plaintext data.
In practical applications, the TPM application interface 1024 can be a communication interface integrating the encryption function and the decryption function, or it can be split into multiple interfaces for the encryption function and the decryption function. For example, the TPM application interface may include an encryption interface and a decryption interface, the encryption interface being used to realize encryption operations on data and the decryption interface being used to realize decryption operations on data; the present invention does not limit this.
Plaintext data referred to in the present invention means unencrypted data. Ciphertext data is the counterpart of plaintext data: ciphertext data specifically means the data obtained after plaintext data is encrypted with a certain encryption algorithm. The encryption algorithms referred to in the present invention include, but are not limited to, any one or a combination of the following: the Data Encryption Standard (DES) algorithm; the 3DES algorithm, which is based on the DES algorithm and encrypts a block of data three times with three different keys; the International Data Encryption Algorithm (IDEA); the Digital Signature Algorithm (DSA); and the Advanced Encryption Standard (AES).
When a network node powers on, during the initialization of the trusted platform module TPM, the system can call the operation interface provided by the TPM driver and use the TPM_createwrapkey function to generate a corresponding key pair; the keys of the key pair may include, but are not limited to, symmetric keys and asymmetric keys. Taking an asymmetric key as an example, the key pair includes a public key and a private key. The public key supports sharing and is a disclosed key: the other network nodes in the storage system can learn the public key of the network node. The private key is a key that the network node itself retains and does not disclose, and the other nodes in the storage system cannot learn it. To guarantee the security of the private key, the network node usually calls the key loading interface TPM_loadkey2 of the TPM module to load the private key into the TPM module and obtain the corresponding private key handle (wrapkey handle), and the private key is presented externally or stored in the form of the private key handle. That is, the network node stores the correspondence between the private key and the private key handle. When the network node needs to use the private key, it obtains the private key corresponding to the private key handle according to the private key handle and this correspondence.
In practical applications, since the confidentiality requirement of the private key is higher, the private key is usually used as the decryption key for ciphertext data. Correspondingly, the confidentiality requirement of the public key is lower than that of the private key, so the public key can be used as the encryption key for plaintext data. For example, for plaintext data with higher storage security requirements within a network node, such as a user's private data and business data, the network node encrypts the plaintext data with its own public key and saves the corresponding ciphertext data, so as to improve the security of data storage. Correspondingly, when the network node needs to use the plaintext data, it decrypts the stored ciphertext data with its own private key to obtain the corresponding plaintext data, and then processes the plaintext data. Specifically, the network node can first obtain the private key handle stored by its own node, then obtain the private key corresponding to the private key handle according to the correspondence between the private key handle and the private key, and then use the obtained private key to decrypt the ciphertext data to obtain the corresponding plaintext data.
The storage unit 104 is used to store data in the network node, such as encrypted ciphertext data and decrypted plaintext data. The storage unit may include, but is not limited to, memory, a hard disk (or magnetic disk), a cache, or other functional modules or devices with a storage function.
Refer to Fig. 4A, which is a schematic flow diagram of a data transmission method provided in an embodiment of the present invention. The data transmission method shown in Fig. 4A is applied in a storage system that includes n network nodes, each of which has a trusted platform module TPM deployed. Hereafter, the present invention explains the related content by taking the case in which the n network nodes include a first network node and a second network node as an example. The method may specifically include the following implementation steps:
Step S301: the first network node encrypts the first plaintext data to be synchronized according to the encryption key of the second network node to obtain the first ciphertext data; the encryption key of the second network node is generated by the TPM.
In the present invention, the first plaintext data is the data to be synchronized, specifically system-defined plaintext data, which includes but is not limited to user data, business data and sensitive data. Sensitive data, also called private data, refers to data that is sensitive to the user (or enterprise) and needs to be protected, such as the user's bank card number, bank password, WeChat account and unlock password. The encryption key of the second network node may be pre-stored in the first network node, or may be obtained by the first network node from the second network node on demand, as described in detail below in the present invention.
Step S302: the first network node sends the first ciphertext data to the second network node. Correspondingly, the second network node receives the first ciphertext data.
Step S303: the second network node decrypts the first ciphertext data according to the decryption key of the second network node to obtain the first plaintext data.
During the synchronization of the first plaintext data among the network nodes of the storage system, the current network node needs to encrypt the plaintext data with the encryption key of the next network node to obtain the corresponding ciphertext data. Correspondingly, the next network node can directly decrypt the ciphertext data with the decryption key of its own node, so as to realize the synchronization transfer of the plaintext data. Compared with the prior art, in which the same key is used to encrypt and decrypt the data to be synchronized, the security and reliability of data transmission can be improved. For example, as shown in steps S301 to S303 of the embodiment of the present invention above, the first network node encrypts the first plaintext data to be synchronized with the encryption key of the second network node to obtain the first ciphertext data. Further, the first network node sends the first ciphertext data to the second network node. Correspondingly, after the second network node receives the first ciphertext data, it decrypts the first ciphertext data with the decryption key of the second network node to obtain the corresponding first plaintext data.
In an alternative embodiment, the second network node obtains the decryption key of the second network node before step S303. Specifically, to protect the decryption key, the second network node stores a correspondence between the decryption key and a decryption key handle, and exposes the decryption key only in the form of the decryption key handle. That is, when the second network node needs its decryption key, it first obtains the decryption key handle directly from the second network node, and then, according to the correspondence between the decryption key and the decryption key handle, obtains the decryption key corresponding to the handle, i.e. the decryption key of the second network node. The second network node then decrypts the first ciphertext data with that decryption key to obtain the first plaintext data.
In an alternative embodiment, during data encryption and decryption a network node realizes the encryption and decryption of data through a TPM application interface (specifically a TPM encryption interface or a TPM decryption interface). For example, in step S301 the first network node may call the TPM encryption interface to encrypt the first plaintext data to be synchronized with the encryption key of the second network node, obtain the first ciphertext data, and then send it to the second network node. Correspondingly, in step S303 the second network node may call the TPM decryption interface to decrypt the first ciphertext data with the decryption key of the second network node and obtain the first plaintext data.
Step S304: the second network node encrypts the first plaintext data with the encryption key of the first network node to obtain second ciphertext data, where the encryption key of the first network node is generated by a TPM. The encryption key of the first network node may be pre-stored in the second network node, or may be obtained by the second network node from the first network node on demand; this is detailed below.
Step S305: the second network node sends the second ciphertext data to the first network node. Correspondingly, the first network node receives the second ciphertext data.
Step S306: the first network node decrypts the second ciphertext data with the decryption key of the first network node to obtain second plaintext data.
Step S307: the first network node determines, according to the first plaintext data and the second plaintext data, whether the synchronization of the first plaintext data between the first network node and the second network node is completed.
It can be understood that, to verify whether the first plaintext data that the first network node encrypted and sent to the second network node is identical to the first plaintext data to be synchronized, the second network node, after decrypting the first ciphertext data to obtain the first plaintext data, can send the decrypted first plaintext data back to the first network node for verification. Specifically, after decrypting the first ciphertext data to obtain the first plaintext data, the second network node encrypts the first plaintext data again with the encryption key of the first network node to obtain the second ciphertext data, and sends the second ciphertext data to the first network node. Correspondingly, after receiving the second ciphertext data, the first network node decrypts it with the decryption key of the first network node to obtain the second plaintext data. How the first network node obtains the decryption key of the first network node is described in the related description of step S303 above and is not repeated here. Similarly, how a network node (specifically the first network node or the second network node) realizes the encryption and decryption of data can be found in the related description of steps S301 and S303 above and is not repeated here.
Further, the first network node can determine, according to whether the first plaintext data and the second plaintext data are identical, whether the synchronization of the first plaintext data to be synchronized between the two network nodes is completed. Specifically, when the first plaintext data and the second plaintext data are identical, the first network node determines that the synchronization of the first plaintext data between the first network node and the second network node is completed. When the first plaintext data and the second plaintext data are not identical, the first network node determines that the synchronization of the first plaintext data between the first network node and the second network node is not completed. There are many reasons why a network node may not complete the synchronization of the first plaintext data, which the present invention does not limit, for example the key used in the encryption or decryption process is incorrect, or an error occurs when decrypting the ciphertext data.
In an alternative embodiment, before step S301 the method may further include the related steps of the method flow shown in Fig. 4B. Referring to Fig. 4B, which is a flow diagram of another data transmission method provided in an embodiment of the present invention, the method includes the following steps:
Step S401: the first network node generates a first key pair according to a TPM, the first key pair including the encryption key of the first network node and the decryption key of the first network node.
In the present invention, the first key pair is specifically generated by the first network node using the TPM deployed in it. Specifically, the first network node can call, through the TPM driver, the creatwrapkey function of the operation interface provided by the TPM to generate the first key pair, which includes the encryption key and the decryption key of the first network node. Optionally, the first key pair can also be generated by the first network node in software. For example, the first network node can call a preset key function to generate the first key pair; the preset key function is defined by the system, for example an AES function, and the present invention does not limit it.
In practical applications, the first key pair may be a symmetric key pair or an asymmetric key pair. In general, the first key pair is an asymmetric key pair and specifically may include an encryption public key and a decryption private key, i.e. the encryption key and the decryption key described in this embodiment of the present invention.
Step S402: the second network node generates a second key pair according to a TPM, the second key pair including the encryption key of the second network node and the decryption key of the second network node.
In the present invention, the second key pair is generated by the second network node in software, or according to the TPM deployed in the second network node; for details refer to the related description of step S401, which is not repeated here. The first key pair and the second key pair may be identical or different; the present invention does not limit this. In practical applications, to guarantee the security of the data, the key pair generated by each network node is usually different, for example the first key pair and the second key pair here are different. That is, the encryption key of the first network node differs from the encryption key of the second network node, and/or the decryption key of the first network node differs from the decryption key of the second network node.
Step S403: the first network node sends a first request to the second network node, the first request requesting the encryption key of the second network node. Correspondingly, the second network node receives the first request.
Step S404: the second network node responds to the first request by sending the encryption key of the second network node to the first network node. Correspondingly, the first network node receives the encryption key of the second network node.
Step S405: the second network node sends a second request to the first network node, the second request requesting the encryption key of the first network node. Correspondingly, the first network node receives the second request.
Step S406: the first network node responds to the second request by sending the encryption key of the first network node to the second network node. Correspondingly, the second network node receives the encryption key of the first network node.
In practical applications, the first network node and the second network node can learn the encryption key of the counterpart network node by exchanging request and response messages in advance. For example, the first network node can send a first request message to the second network node, requesting the encryption key of the second network node. Correspondingly, the second network node receives the first request message and sends a first response message to the first network node, the first response message carrying the encryption key of the second network node. Optionally, after the first network node obtains the encryption key of the second network node, it can store that encryption key in its own node so that it can subsequently be obtained and used locally.
Similarly, the second network node can send a second request message to the first network node, requesting the encryption key of the first network node. Correspondingly, the first network node receives and responds to the second request message by sending a second response message to the second network node, the second response message carrying the encryption key of the first network node. Optionally, after the second network node obtains the encryption key of the first network node, it can store that encryption key in its own node so that it can subsequently be obtained and used locally.
Optionally, steps S403 to S404 above, in which the first network node obtains the encryption key of the second network node, may be performed by the first network node in advance, or may be performed just before the first network node needs to use the encryption key of the second network node (step S301); the embodiment of the present invention does not limit this. Similarly, steps S405 to S406 above, in which the second network node obtains the encryption key of the first network node, may be performed by the second network node in advance, or just before the second network node needs to use the encryption key of the first network node (step S304); the embodiment of the present invention does not limit this. The order in which steps S403 to S404 and steps S405 to S406 are performed is likewise not limited; for example, steps S403 to S404 may be performed after steps S405 to S406.
It should be noted that in the embodiment of the present invention the number of network nodes included in the storage system is not limited. The present invention uses two network nodes only as an example to describe the synchronization of the first plaintext data between any two network nodes. Correspondingly, when the number n of network nodes in the storage system is greater than 2 and the first plaintext data is synchronized among the n network nodes, the current network node likewise encrypts the plaintext data with the encryption key of the next network node to obtain ciphertext data, so that the next network node can decrypt the ciphertext data directly with the decryption key of its own node, completing the synchronous transfer of the plaintext data. And so on, until the last network node (network node n) decrypts and obtains the plaintext data. To verify the correctness of the synchronization, network node n then encrypts the decrypted plaintext data with the encryption key of the first network node and sends the resulting ciphertext data to the first network node. The first network node decrypts the received ciphertext data with the decryption key of its own node to obtain the corresponding plaintext data, and further determines whether the decrypted plaintext data is identical to the plaintext data to be synchronized; if so, it determines that the synchronization of the plaintext data among the n network nodes is completed.
By way of example, the embodiment of data synchronization is described below with n = 3. Referring to Fig. 5, which is a flow diagram of yet another data transmission method provided in an embodiment of the present invention, the data transmission method shown in Fig. 5 is applied to a storage system that includes three network nodes: a first network node, a second network node and a third network node. Each network node is deployed with a TPM for generating a key pair. The method may include the following steps:
Step S501: each network node in the storage system generates a corresponding key pair according to its TPM, the key pair including the encryption key of the network node and the decryption key of the network node.
In the embodiment of the present invention, each network node in the storage system can generate its corresponding key pair according to the TPM deployed in that node. Specifically, the first network node can generate a first key pair according to its TPM, the first key pair including the encryption key of the first network node and the decryption key of the first network node. Similarly, the second network node can generate a second key pair according to its TPM, the second key pair including the encryption key of the second network node and the decryption key of the second network node. The third network node generates a third key pair according to its TPM, the third key pair including the encryption key of the third network node and the decryption key of the third network node.
Optionally, any two of the three key pairs involved in the embodiment of the present invention may be identical or different. In practical applications, the first key pair, the second key pair and the third key pair are usually different; for details refer to the related description of the embodiment of Fig. 4B above, which is not repeated here.
Step S502: the first network node sends a first request to the second network node, the first request requesting the encryption key of the second network node. Correspondingly, the second network node receives the first request.
Step S503: the second network node responds to the first request by sending the encryption key of the second network node to the first network node.
Step S504: the second network node sends a second request to the third network node, the second request requesting the encryption key of the third network node. Correspondingly, the third network node receives the second request.
Step S505: the third network node responds to the second request by sending the encryption key of the third network node to the second network node.
Step S506: the third network node sends a third request to the first network node, the third request requesting the encryption key of the first network node. Correspondingly, the first network node receives the third request.
Step S507: the first network node responds to the third request by sending the encryption key of the first network node to the third network node.
Specifically, steps S502 to S503 are the steps by which the first network node obtains the encryption key of the second network node. Steps S504 to S505 are the steps by which the second network node obtains the encryption key of the third network node. Steps S506 to S507 are the steps by which the third network node obtains the encryption key of the first network node. For details of steps S502 to S507, refer to the related description of steps S403 to S406 above, which is not repeated here.
Step S508: the first network node encrypts the first plaintext data to be synchronized with the encryption key of the second network node to obtain first ciphertext data.
Specifically, the first network node can use the TPM encryption interface to encrypt the first plaintext data to be synchronized with the encryption key of the second network node, obtaining the first ciphertext data.
Step S509: the first network node sends the first ciphertext data to the second network node. Correspondingly, the second network node receives the first ciphertext data.
Step S510: the second network node decrypts the first ciphertext data with the decryption key of the second network node to obtain the first plaintext data. The second network node then encrypts the first plaintext data with the encryption key of the third network node to obtain second ciphertext data.
Specifically, the second network node can use the TPM decryption interface to decrypt the first ciphertext data with the decryption key of the second network node and obtain the first plaintext data, and then use the TPM encryption interface to encrypt the first plaintext data with the encryption key of the third network node and obtain the second ciphertext data. In practical applications, the TPM encryption interface and the TPM decryption interface may be a single interface integrating the encryption and decryption functions, or two separate interfaces with the functions split; for details refer to the related description of the embodiment of Fig. 3 above, which is not repeated here.
Step S511: the second network node sends the second ciphertext data to the third network node. Correspondingly, the third network node receives the second ciphertext data.
Step S512: the third network node decrypts the second ciphertext data with the decryption key of the third network node to obtain second plaintext data.
In the present invention, steps S508 to S512 are the process of synchronizing the first plaintext data among the three network nodes (specifically the first network node, the second network node and the third network node). For how a network node realizes the encryption and decryption of data, refer to the related description of the embodiment of Fig. 4B above, which is not repeated here.
Step S513: the third network node encrypts the second plaintext data with the encryption key of the first network node to obtain third ciphertext data.
Step S514: the third network node sends the third ciphertext data to the first network node. Correspondingly, the first network node receives the third ciphertext data.
Step S515: the first network node decrypts the third ciphertext data with the decryption key of the first network node to obtain third plaintext data. The first network node determines, according to the first plaintext data and the third plaintext data, whether the synchronization of the first plaintext data among the three network nodes is completed.
To guarantee the security and reliability of data synchronization between the network nodes, it is also necessary to verify whether the plaintext data synchronized between the network nodes is consistent. Specifically, as described in steps S513 to S515 of the present invention, after the third network node decrypts and obtains the second plaintext data, it encrypts the second plaintext data with the encryption key of the first network node to obtain the third ciphertext data and sends it to the first network node. Correspondingly, the first network node decrypts the received third ciphertext data with the decryption key of the first network node to obtain the third plaintext data. The first network node then judges whether the first plaintext data and the third plaintext data are identical; if they are identical, it can determine that the synchronization of the first plaintext data among the three network nodes (the first network node, the second network node and the third network node) is completed; conversely, if they are not identical, it can determine that the three network nodes have not completed the synchronization of the first plaintext data. For content not described in the embodiment of the present invention, refer to the related description of the embodiment of Fig. 4B above, which is not repeated here.
By implementing the embodiment of the present invention, the problems of low security and reliability in existing data synchronization schemes can be solved, thereby improving the security and reliability of data transmission.
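The key exchange of steps S502 to S507, the ring synchronization of steps S508 to S515 generalised to n nodes, and the decryption-key-handle embodiment of step S303, as an added example that is not part of the patent: Go code in which RSA-OAEP key pairs stand in for the TPM-generated pairs, a hypothetical handle map stands in for the key-handle store, and node names and sample data are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is a constructed OAEP label shared by all nodes (assumption).
var oaepLabel = []byte("sync")

// Node models one network node of the storage system. Its RSA key pair stands
// in for the TPM-generated key pair (assumption: an asymmetric pair, the usual
// case per the description), and the decryption key is reachable only through
// an opaque handle, mirroring the decryption-key-handle embodiment of step S303.
type Node struct {
	ID       string
	pub      *rsa.PublicKey
	handle   string
	keyStore map[string]*rsa.PrivateKey // handle -> decryption key, never exported
	peerKeys map[string]*rsa.PublicKey  // encryption keys fetched from peers
}

// NewNode plays step S501: generate the node's own key pair.
func NewNode(id string) (*Node, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	h := "handle-" + id // constructed handle value
	return &Node{
		ID: id, pub: &priv.PublicKey, handle: h,
		keyStore: map[string]*rsa.PrivateKey{h: priv},
		peerKeys: map[string]*rsa.PublicKey{},
	}, nil
}

// EncryptionKey is the response to a peer's key request (steps S503/S505/S507):
// only the public encryption key ever leaves the node.
func (n *Node) EncryptionKey() *rsa.PublicKey { return n.pub }

// StorePeerKey caches a peer's encryption key locally, as the description allows.
func (n *Node) StorePeerKey(peer string, pk *rsa.PublicKey) { n.peerKeys[peer] = pk }

// ExchangeKeys plays steps S502 to S507: every node fetches and stores the
// encryption key of its successor in the ring (the last node's successor is the first).
func ExchangeKeys(nodes []*Node) {
	for i, node := range nodes {
		next := nodes[(i+1)%len(nodes)]
		node.StorePeerKey(next.ID, next.EncryptionKey())
	}
}

// EncryptFor encrypts plaintext with the named next node's encryption key
// (RSA-OAEP with SHA-256; the message must fit in one RSA block).
func (n *Node) EncryptFor(peer string, plaintext []byte) ([]byte, error) {
	pk, ok := n.peerKeys[peer]
	if !ok {
		return nil, fmt.Errorf("%s holds no encryption key for %s", n.ID, peer)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, plaintext, oaepLabel)
}

// Decrypt resolves the node's handle to its own decryption key and decrypts.
// Ciphertext produced under another node's encryption key fails here.
func (n *Node) Decrypt(ciphertext []byte) ([]byte, error) {
	priv, ok := n.keyStore[n.handle]
	if !ok {
		return nil, errors.New("decryption key handle does not resolve")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, oaepLabel)
}

// SyncRing plays steps S508 to S515 generalised to n nodes: node i encrypts for
// node i+1, which decrypts with its own key and re-encrypts for the next node;
// the last node encrypts for node 1, which decrypts and compares with the
// original. It returns true only when the round trip reproduces the plaintext.
func SyncRing(nodes []*Node, plaintext []byte) (bool, error) {
	if len(nodes) < 2 {
		return false, errors.New("need at least two nodes")
	}
	current := plaintext
	for i := range nodes {
		sender, receiver := nodes[i], nodes[(i+1)%len(nodes)]
		ct, err := sender.EncryptFor(receiver.ID, current)
		if err != nil {
			return false, err
		}
		// A wrong key or damaged ciphertext surfaces as a decryption error, one
		// of the "synchronization not completed" causes the description lists.
		if current, err = receiver.Decrypt(ct); err != nil {
			return false, fmt.Errorf("%s could not decrypt: %w", receiver.ID, err)
		}
	}
	return bytes.Equal(current, plaintext), nil
}
```

Create the nodes with NewNode, call ExchangeKeys once, then SyncRing for each record; the wrong-key case the description mentions shows up as a decryption error from the node whose peer key was wrong.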
The network device to which the present invention applies is described below in conjunction with the related description of the embodiments of Fig. 1 to Fig. 5 above. Referring to Fig. 6, which is a schematic structural diagram of a network device provided in an embodiment of the present invention, the network device 600 includes a communication module 602 and a processing module 604.
In one possible embodiment, the network device 600 is a first network device. The processing module 604 can be used to control and manage the actions of the first network device 600. For example, the processing module 604 is used to execute steps S302, S306 and S307 in Fig. 4A, step S401 in Fig. 4B, and steps S508 and S515 in Fig. 5, and/or to execute other content of the technology described herein. The communication module 602 is used to communicate with other modules or devices; for example, the communication module 602 is used to execute step S302 in Fig. 4A, steps S403 and S406 in Fig. 4B, and steps S502 and S509 in Fig. 5, and/or to execute other content of the technology described herein.
In another possible embodiment, the network device 600 is a second network device. The processing module 604 can be used to control and manage the actions of the network device 600. For example, the processing module 604 is used to execute the related steps of the above method embodiments whose executing subject is any network node other than the first network node; taking the second network node as the executing subject, it may specifically execute steps S303 and S304 in Fig. 4A, step S402 in Fig. 4B and step S510 in Fig. 5, and/or execute other content of the technology described herein. The communication module 602 is used to communicate with other modules or devices; for example, the communication module 602 is used to execute the related steps of the above method embodiments in which any network node other than the first network node interacts with other network nodes, for example step S305 in Fig. 4A, step S404 in Fig. 4B, and steps S503, S504 and S511 in Fig. 5, and/or to execute other content of the technology described herein.
Optionally, the network device 600 may further include a storage module 606. The storage module 606 is used to store program code and data of the network device 600, for example program code for data transmission. The processing module 604 is used to call the program code in the storage module 606 to realize the implementation steps of the above method embodiments whose executing subject is any network node (for example the first network node or the second network node), and/or other content steps of the technology described herein.
The processing module 604 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that realizes computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 602 may be a communication interface, a transceiver, a transceiver circuit or the like, where "communication interface" is a collective term that may include one or more interfaces, for example an interface between the communication module and the processing module, or an interface between a load balancing apparatus and a user equipment. The storage module 606 may be a memory or another service or module that provides a storage function.
When the processing module 604 is a processor, the communication module 602 is a communication interface, and the storage module 606 is a memory, the network device involved in the embodiment of the present invention may be the network device shown in Fig. 7.
As shown in Fig. 7, the network device 700 includes one or more processors 701, a communication interface 702 and a memory 703. The processor 701, the communication interface 702 and the memory 703 may be connected by a bus or in another way; the embodiment of the present invention takes connection by a bus 704 as an example. Here:
The processor 701 may consist of one or more general-purpose processors, for example a central processing unit (CPU). The processor 701 can be used to run the program code of any one or more of the following functional modules: the communication module, the processing module and the storage module. That is, by executing the program code, the processor 701 can realize any one or more of the functions of functional modules such as the communication module and the processing module. For details of the communication module and the processing module, refer to the related description in the foregoing embodiments.
The communication interface 702 may be a wired interface (for example an Ethernet interface) or a wireless interface (for example a cellular network interface or a wireless local area network interface), and is used to communicate with other modules or devices. For example, in the embodiment of the present invention the communication interface 702 is specifically used to receive ciphertext data sent by other network nodes, or to send ciphertext data to other network nodes.
The memory 703 may include volatile memory, for example random access memory (RAM); the memory may also include non-volatile memory, for example read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 703 may also include a combination of the above types of memory. The memory 703 can be used to store a set of program code, so that the processor 701 can call the program code stored in the memory 703 to realize the functions of the communication module and/or the processing module involved in the embodiment of the present invention.
It should be noted that Fig. 6 and Fig. 7 are only one possible implementation of the embodiment of the present application; in practical applications the network device may include more or fewer components, and this is not limited here. For content not shown or not described in the embodiment of the present invention, refer to the related description in any of the foregoing method embodiments, which is not repeated here.
The embodiment of the present invention also provides a computer non-transitory storage medium storing instructions which, when run on a processor, implement the method flow described in any one of the embodiments of Fig. 4A, Fig. 4B and Fig. 5.
The embodiment of the present invention also provides a computer program product which, when run on a processor, implements the method flow described in any one of the embodiments of Fig. 4A, Fig. 4B and Fig. 5.
The steps of the methods or algorithms described in connection with the disclosure of the embodiments of the present invention may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, and the software modules may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in an ASIC, and the ASIC may be located in the network device. Of course, the processor and the storage medium may also exist in the network device as discrete components.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a ROM, a RAM, a magnetic disk, an optical disk, or any other medium that can store program code.
Claims (10)
1. A data transmission method, applied to a second network node, the method comprising:
generating a second key pair according to a trusted platform module (TPM), the second key pair including an encryption key of the second network node and a decryption key of the second network node;
receiving a first request sent by a first network node, the first request requesting the encryption key of the second network node;
sending the encryption key of the second network node to the first network node;
receiving first ciphertext data sent by the first network node, the first ciphertext data being data obtained by encrypting first plaintext data to be synchronized with the encryption key of the second network node;
decrypting the first ciphertext data with the decryption key of the second network node.
2. The method according to claim 1, wherein before decrypting the first ciphertext data with the decryption key of the second network node, the method further comprises:
storing in the second network node a correspondence between the decryption key of the second network node and a key handle, the key handle identifying the decryption key of the second network node;
obtaining, by the second network node, the decryption key of the second network node according to the key handle and the correspondence.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
sending a second request to the first network node, the second request being for requesting the encryption key of the first network node;
receiving the encryption key of the first network node sent by the first network node, and encrypting the decrypted first plaintext data with the encryption key of the first network node to obtain second ciphertext data; and
sending the second ciphertext data to the first network node, so that the first network node can determine, from the second plaintext data corresponding to the second ciphertext data and the first plaintext data, whether synchronization of the first plaintext data between the first network node and the second network node has been completed.
4. The method according to any one of claims 1 to 3, characterized in that the encryption key of the first network node differs from the encryption key of the second network node, and the decryption key of the first network node differs from the decryption key of the second network node.
5. A storage system, characterized in that the storage system comprises a first network node and a second network node, wherein:
the first network node is configured to send a first request to the second network node, the first request being for requesting the encryption key of the second network node;
the second network node is configured to generate a second key pair according to a trusted platform module (TPM), the second key pair comprising an encryption key of the second network node and a decryption key of the second network node;
the second network node is further configured to receive the first request and send the encryption key of the second network node to the first network node;
the first network node is further configured to receive the encryption key of the second network node, encrypt first plaintext data to be synchronized with the encryption key of the second network node to obtain first ciphertext data, and send the first ciphertext data to the second network node; and
the second network node is further configured to receive the first ciphertext data and decrypt the first ciphertext data using the decryption key of the second network node.
6. The system according to claim 5, characterized in that:
the first network node is further configured to generate a first key pair according to a trusted platform module (TPM), the first key pair comprising an encryption key of the first network node and a decryption key of the first network node, the TPM being used to store data securely, and the decryption key of the first network node being used to decrypt ciphertext data;
the second network node is further configured to send a second request to the first network node, the second request being for requesting the encryption key of the first network node;
the first network node is further configured to receive the second request and send the encryption key of the first network node to the second network node;
the second network node is further configured to receive the encryption key of the first network node sent by the first network node, encrypt the decrypted first plaintext data using the encryption key of the first network node to obtain second ciphertext data, and send the second ciphertext data to the first network node;
the first network node is further configured to receive the second ciphertext data and decrypt the second ciphertext data using the decryption key of the first network node to obtain second plaintext data; and
the first network node is further configured to determine, when the first plaintext data and the second plaintext data are identical, that synchronization of the first plaintext data between the first network node and the second network node has been completed.
7. The system according to claim 6, characterized in that, before decrypting the second ciphertext data using the decryption key of the first network node:
the first network node is further configured to store a correspondence between the decryption key of the first network node and a first key handle, the first key handle being used to identify the decryption key of the first network node; and
the first network node is further configured to obtain the decryption key of the first network node according to the first key handle and the correspondence.
8. The system according to any one of claims 5 to 7, characterized in that, before decrypting the first ciphertext data using the decryption key of the second network node:
the second network node is further configured to store a correspondence between the decryption key of the second network node and a second key handle, the second key handle being used to identify the decryption key of the second network node; and
the second network node is further configured to obtain the decryption key of the second network node according to the second key handle and the correspondence.
9. The system according to any one of claims 5 to 8, characterized in that the encryption key of the first network node differs from the encryption key of the second network node, and the decryption key of the first network node differs from the decryption key of the second network node.
10. A network device, characterized in that it comprises a processor, a memory, a communication interface and a bus; the processor, the communication interface and the memory communicate with one another via the bus; the communication interface is configured to send and receive data; the memory is configured to store instructions; and the processor is configured to call the instructions in the memory to perform the method according to any one of claims 1 to 4.
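The exchange of claims 1 to 9, as an added, runnable example in Go; it is not code from the patent or from its applicant. It assumes RSA-2048 with OAEP for the key pairs (the claims name no algorithm), a software SoftTPM type that models only what the claims use of the TPM (decryption keys generated inside it and addressed by key handle) rather than a real TPM 2.0 interface, and a constructed sample record as the data to be synchronized. The claims do not say how the first network node verifies that the encryption key it receives actually belongs to the second network node, so the example adds a KeyFingerprint helper for an out-of-band check; that helper is not part of the claims.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SoftTPM stands in for the trusted platform module of the claims (an assumption of this example,
// not a TPM 2.0 binding): decryption keys never leave it and are referred to only by key handle.
type SoftTPM struct {
	keys map[uint32]*rsa.PrivateKey // key handle -> decryption key (the correspondence of claims 2, 7, 8)
}

// CreateKeyPair is "generating a key pair according to the TPM" (claims 1, 5 and 6).
// RSA-2048 with OAEP is this example's choice; the claims name no algorithm.
func (t *SoftTPM) CreateKeyPair() (uint32, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, nil, err
	}
	h := 0x81000001 + uint32(len(t.keys)) // TPM 2.0-style persistent handle, value illustrative
	t.keys[h] = priv
	return h, &priv.PublicKey, nil
}

// Decrypt resolves the handle to its decryption key and decrypts with RSA-OAEP.
func (t *SoftTPM) Decrypt(handle uint32, ciphertext []byte) ([]byte, error) {
	priv, ok := t.keys[handle]
	if !ok {
		return nil, fmt.Errorf("softtpm: unknown key handle %#x", handle)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Node is a first or second network node of the storage system (claim 5).
type Node struct {
	tpm    *SoftTPM
	handle uint32         // identifies this node's decryption key inside its TPM
	encKey *rsa.PublicKey // this node's encryption key, sent to a peer on request
}

// NewNode generates a fresh key pair per node, so the two nodes' keys differ (claims 4 and 9).
func NewNode() (*Node, error) {
	tpm := &SoftTPM{keys: map[uint32]*rsa.PrivateKey{}}
	h, pub, err := tpm.CreateKeyPair()
	if err != nil {
		return nil, err
	}
	return &Node{tpm: tpm, handle: h, encKey: pub}, nil
}

// EncryptionKey answers a peer's "request for the encryption key" (claims 1 and 3);
// Decrypt never touches the private key directly, only the handle.
func (n *Node) EncryptionKey() *rsa.PublicKey     { return n.encKey }
func (n *Node) Decrypt(ct []byte) ([]byte, error) { return n.tpm.Decrypt(n.handle, ct) }

// EncryptTo produces ciphertext for the peer whose encryption key is pub.
func EncryptTo(pub *rsa.PublicKey, pt []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// KeyFingerprint (SHA-256 of the PKIX DER encoding) is not in the claims, which do not say how a
// requester verifies a received encryption key; comparing fingerprints out of band is one such check.
func KeyFingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return ""
	}
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// Synchronize runs the round trip of claims 1, 3 and 6 and returns true only when the first
// node recovers exactly the plaintext it sent, the completion test of claim 6.
func Synchronize(first, second *Node, plaintext []byte) (bool, error) {
	ct1, err := EncryptTo(second.EncryptionKey(), plaintext) // first ciphertext
	if err != nil {
		return false, err
	}
	recovered, err := second.Decrypt(ct1) // second node decrypts via its key handle
	if err != nil {
		return false, err
	}
	ct2, err := EncryptTo(first.EncryptionKey(), recovered) // second ciphertext
	if err != nil {
		return false, err
	}
	pt2, err := first.Decrypt(ct2) // second plaintext
	return err == nil && bytes.Equal(pt2, plaintext), err
}

func main() {
	first, err1 := NewNode()
	second, err2 := NewNode()
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	ok, err := Synchronize(first, second, []byte("constructed sample record")) // constructed input
	fmt.Println("peer key fingerprint:", KeyFingerprint(second.EncryptionKey()), "synchronized:", ok, err)
}
```

Synchronize reports completion only when the first node decrypts the second ciphertext back to the very plaintext it sent, which is the condition of claim 6. A ciphertext made under the other node's key, or an unknown key handle, fails inside the TPM stand-in rather than in the caller; that containment of the decryption key behind a handle is what the correspondence of claims 2, 7 and 8 provides.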
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811324704.9A CN109361511A (en) | 2018-11-08 | 2018-11-08 | Data transmission method, the network equipment and computer storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811324704.9A CN109361511A (en) | 2018-11-08 | 2018-11-08 | Data transmission method, the network equipment and computer storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109361511A true CN109361511A (en) | 2019-02-19 |
Family
ID=65344666
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811324704.9A Pending CN109361511A (en) | 2018-11-08 | 2018-11-08 | Data transmission method, the network equipment and computer storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109361511A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113378195A (en) * | 2021-06-21 | 2021-09-10 | 上海盛付通电子支付服务有限公司 | Method, apparatus, medium, and program product for encrypted communication |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120198235A1 (en) * | 2011-02-01 | 2012-08-02 | Microsoft Corporation | Secure messaging with read-undeniability and deletion-verifiability |
US20140089658A1 (en) * | 2012-09-27 | 2014-03-27 | Yeluri Raghuram | Method and system to securely migrate and provision virtual machine images and content |
CN104320248A (en) * | 2014-11-14 | 2015-01-28 | 中国建设银行股份有限公司 | Method and system for inter-system secret key synchronization |
CN106790242A (en) * | 2017-01-22 | 2017-05-31 | 济南浪潮高新科技投资发展有限公司 | A kind of communication means, communication equipment, computer-readable recording medium and storage control |
CN107959567A (en) * | 2016-10-14 | 2018-04-24 | 阿里巴巴集团控股有限公司 | Date storage method, data capture method, apparatus and system |
CN108075890A (en) * | 2016-11-16 | 2018-05-25 | 中兴通讯股份有限公司 | Data sending terminal, data receiver, data transmission method and system |
CN108667608A (en) * | 2017-03-28 | 2018-10-16 | 阿里巴巴集团控股有限公司 | The guard method of data key, device and system |
Events
- 2018-11-08: application CN201811324704.9A filed (CN), published as CN109361511A, status Pending
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US10785019B2 (en) | Data transmission method and apparatus | |
EP3286867B1 (en) | Method, apparatus, and system for cloud-based encryption machine key injection | |
CN111448779B (en) | System, device and method for hybrid secret sharing | |
EP3123657B1 (en) | Method and apparatus for cloud-assisted cryptography | |
US9703965B1 (en) | Secure containers for flexible credential protection in devices | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
US20170244687A1 (en) | Techniques for confidential delivery of random data over a network | |
US9992017B2 (en) | Encrypting and storing data | |
CN110635901B (en) | Local Bluetooth dynamic authentication method and system for Internet of things equipment | |
WO2016210347A1 (en) | System, method, and apparatus for electronic prescription | |
CN104902138B (en) | Encryption/deciphering system and its control method | |
CN110505055B (en) | External network access identity authentication method and system based on asymmetric key pool pair and key fob | |
CN109309566B (en) | Authentication method, device, system, equipment and storage medium | |
CN111191217B (en) | Password management method and related device | |
US20220038283A1 (en) | Hub-based token generation and endpoint selection for secure channel establishment | |
CN110519222B (en) | External network access identity authentication method and system based on disposable asymmetric key pair and key fob | |
US11463251B2 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
CN106257859A (en) | A kind of password using method | |
CN110417722B (en) | Business data communication method, communication equipment and storage medium | |
CN109361511A (en) | Data transmission method, the network equipment and computer storage medium | |
CN115941185A (en) | Method and device for offline downloading and electronic equipment | |
JP5745493B2 (en) | Key sharing system, key sharing method, program | |
CN109936448A (en) | A kind of data transmission method and device | |
JP5841954B2 (en) | Secure authentication method | |
CN118214559A (en) | Federal learning security aggregation method, device, equipment and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190219 |